Date:      Tue, 10 May 2005 05:35:04 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Simon Litchfield <simon@quo.com.au>
Cc:        Joshua Paech <josh@slicmedia.com>
Subject:   Re: IPFW2 statefulness over bridge?
Message-ID:  <20050510053504.A86392@xorpc.icir.org>
In-Reply-To: <42805673.2070401@quo.com.au>; from simon@quo.com.au on Tue, May 10, 2005 at 04:36:35PM +1000
References:  <42805673.2070401@quo.com.au>

without looking into the detail, for which 1) i don't have
time and 2) you haven't posted enough information (we'd need the
complete ruleset and counter values and interfaces you use to be
sure what is going on), the use of "via" options is almost always
incorrect in ipfw configurations (due to bad examples that are
cut&pasted out of context), and the use of "via" and "out" options
in bridged ipfw configuration is _always_ wrong. The latter is
documented in the manpage so there is no excuse :)

You should check which rule actually matches your outgoing
packets. Almost surely you are accepting the packet at a rule
before the 'keep-state' -- e.g. the

	> .... a bunch of allows for the usual tcp/udp ports like 80 etc to 

could be the place where this happens.
Anyways i would suggest you look at each rule and ask yourself

- what does this rule do ? (answer generally on the manpage)
- do i really want this 'via' or 'in' or 'out' option ?

and so on.

	cheers
	luigi


On Tue, May 10, 2005 at 04:36:35PM +1000, Simon Litchfield wrote:
> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing 
> connections over our bridge (running 5.3 generic). A similar 
> configuration worked fine using pf on openbsd.
> 
> Are we missing something? Here's the guts of our rule script --
> 
> .... some init stuff here .....
> 
> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp
> 
> # deny spurious source addresses and spoof attempts
> ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
> ipfw add deny log all from any to $addr_rfc1918 out via $ext_if
> ipfw add deny log all from 'table(0)' to any in via $ext_if
> ipfw add deny log all from any to 'table(0)' out via $ext_if
> ipfw add deny log all from me to any in via $ext_if
> 
> # deny illegal TCP flag combinations
> ipfw add deny log tcp from any to any tcpflags fin,urg,psh
> ipfw add deny log tcp from any to any tcpflags syn,fin,rst,ack
> ipfw add deny log tcp from any to any tcpflags '!syn,!fin,!ack'
> 
> .... a bunch of allows for the usual tcp/udp ports like 80 etc to 
> various servers 'inside' the bridged network go here ....
> 
> # leave the inside of the firewall open
> ipfw add allow layer2 via $int_if
> 
> # allow loopback
> ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8
> 
> # allow firewalled address to make any outgoing connections
> ipfw add allow ip from 'table(0)' to any setup keep-state
> ipfw add allow ip from me to any setup keep-state
> 
> # firewalling UDP is pretty pointless
> ipfw add allow udp from any to any
> 
> # final denies
> ipfw add allow icmp from any to any
> 
> ipfw add allow tcp from any to any setup keep-state
> ipfw add allow ip from any to any setup keep-state
> 
> ipfw add reset tcp from any to any
> ipfw add unreach port udp from any to any
> ipfw add deny log ip from any to any
> 
> 
> -- 
> 
> Quo Consulting
> info@quo.com.au
> http://www.quo.com.au/
> 
> Phone +61 (0)7 5520 2665
> Fax +61 (0)2 8569 2377
> 
> Level 3 : Old Burleigh Theatre Arcade
> 66 Goodwin Terrace : Burleigh Heads
> Queensland : Australia


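Luigi's point about a packet being accepted by a rule that sits before the 'keep-state' rule, as an added illustration that is not part of this thread or of ipfw itself: a simplified first-match model of a ruleset (only proto, destination port, 'setup' and 'keep-state' are modelled; the rules, addresses and packets are constructed). In the posted-style order the outgoing SYN is accepted by the plain port allow, no dynamic entry is created, and the SYN-ACK falls through to 'reset'; with the keep-state rule reached first, the reply matches dynamically.

```python
# Added illustration, not ipfw code: a simplified first-match model of an
# ipfw ruleset. Rule sets and packets below are constructed for the demo.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = False   # True for a bare SYN (what ipfw's 'setup' matches)

@dataclass
class Rule:
    action: str                 # 'allow', 'deny' or 'reset'
    proto: str = "ip"           # 'ip' matches every protocol
    dport: int = 0              # 0 matches any destination port
    setup: bool = False         # match only TCP packets with SYN and no ACK
    keep_state: bool = False    # on match, record the flow in the dynamic table

    def matches(self, p: Pkt) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dport == 0 or self.dport == p.dport)
                and (not self.setup or (p.proto == "tcp" and p.setup)))

def flow_key(p: Pkt):
    # Direction-independent key so the reply packet finds the same entry.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def evaluate(rules, p, state):
    """Walk rules first-match; return (verdict, index of the matching rule)."""
    for i, r in enumerate(rules):
        # The first keep-state (or check-state) rule reached consults the
        # dynamic table before its own static match is tried.
        if r.keep_state and flow_key(p) in state:
            return "allow(dynamic)", i
        if r.matches(p):
            if r.keep_state:
                state.add(flow_key(p))
            return r.action, i
    return "deny(default)", len(rules)

def run_session(rules):
    """Outgoing SYN to port 80, then its SYN-ACK reply; return both verdicts."""
    state = set()
    syn = Pkt("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, setup=True)
    synack = Pkt("tcp", "203.0.113.7", 80, "10.0.0.5", 40000)
    return evaluate(rules, syn, state)[0], evaluate(rules, synack, state)[0]

# Posted-style order: a plain port allow sits before the keep-state rule.
BROKEN = [Rule("allow", "tcp", dport=80),
          Rule("allow", "tcp", setup=True, keep_state=True),
          Rule("reset", "tcp")]
# Stateful order: the keep-state rule is reached first, so state is created.
FIXED = [Rule("allow", "tcp", setup=True, keep_state=True),
         Rule("allow", "tcp", dport=80),
         Rule("reset", "tcp")]
```

The rule index returned by evaluate plays the role of the per-rule counters Luigi asks for: it tells you which rule actually consumed the packet.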
