Site Navigation

Date:      Sat, 15 Nov 2008 16:08:06 -0800
From:      "Jin Guojun[VFF]" <jguojun@gmail.com>
To:        Erik Trulsson <ertr1013@student.uu.se>
Cc:        questions@freebsd.org, ipfw@freebsd.org
Subject:   Re: some ipfw filter does not function under Release 6.3
Message-ID:  <491F6466.40309@gmail.com>
In-Reply-To: <491F54A0.9090702@gmail.com>
References:  <491F413A.4020108@gmail.com> <20081115223556.GA45503@owl.midgard.homeip.net> <491F54A0.9090702@gmail.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

   I think this is a bug in ipfw because after change the rule order, the
   problem persists:
   00566    26     3090 deny ip from 221.192.199.36 to any
   65330  2018   983473 allow tcp from any to any established
   65535     0        0 deny ip from any to any
   15:47:21.238720 IP 221.192.199.36.4469 > 192.168.2.14.80: S
   3191960249:3191960249(0) win 65535 <mss 1452,nop,nop,sackOK>
   15:47:21.238768 IP 192.168.2.14.80 > 221.192.199.36.4469: S
   2102254306:2102254306(0) ack 3191960250 win 65535 <mss
   1460,sackOK,eol>
   15:47:21.483754 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
   65535
   15:47:21.499489 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
   ack 1 win 65535
   15:47:24.238570 IP 192.168.2.14.80 > 221.192.199.36.4469: S
   2102254306:2102254306(0) ack 3191960250 win 65535 <mss
   1460,sackOK,eol>
   15:47:24.482113 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
   65535
   15:47:24.498613 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
   ack 1 win 65535
   15:47:30.238574 IP 192.168.2.14.80 > 221.192.199.36.4469: S
   2102254306:2102254306(0) ack 3191960250 win 65535 <mss
   1460,sackOK,eol>
   15:47:30.482746 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
   65535
   15:47:30.513193 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
   ack 1 win 65535
   15:47:42.238577 IP 192.168.2.14.80 > 221.192.199.36.4469: S
   2102254306:2102254306(0) ack 3191960250 win 65535 <mss
   1460,sackOK,eol>
   15:47:42.435040 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
   ack 1 win 65535
   15:47:42.466055 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win
   65535
   15:47:54.466599 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205)
   ack 1 win 65535
   15:47:59.703272 IP 221.192.199.36.4469 > 192.168.2.14.80: R 206:206(0)
   ack 1 win 0
   Jin Guojun[VFF] wrote:

   But the rule 330 should only allow established TCP pass through. In
   other words, Sync should NOT
   allowed by rule 330, or I missed something for this rule?
   Erik Trulsson wrote:

On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
  

Below is set of ipfw rules, but it seems that not all rules are 
functioning properly.
 From rule 361 to first two of rule 567 are not blocking any traffic and 
not measuring any traffic.
Is this bacuse tcp rule )330) can overwrite the ip rule? or this is a 
known issue in R-6.3?
    

In general the first matching rule is the one that is applied.
In your case this means that if a packet matches  your rule 330 then 
it will be allowed through, and the rules further down the list will
not be considered.


  

The second and third rules in rule set 567 seem working well.

-Jin

---------------- ipfw rule sets ---------
00330 3108378 2700826874 allow tcp from any to any established
00361       0          0 deny ip from 203.83.248.93 to any
00361       0          0 deny ip from 72.30.142.215 to any
00567       0          0 deny ip from 193.200.241.171 to any
00567       0          0 deny ip from 221.192.199.36 to any
00567       3        180 deny ip from 118.153.18.186 to any
00567       3        180 deny ip from 203.78.214.180 to any
00567       0          0 deny ip from 118.219.232.123 to any
65500     220      20043 allow udp from any to any
65535       2        120 deny ip from any to any

------ traffic captured by tcpdump behind ipfw machine -----

04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
200229998:200229998(0) win 8192
04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
200229999:200229999(0) win 0
04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
200233658:200233658(0) win 8192
04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
200233659:200233659(0) win 0
05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 
200244634:200244634(0) win 8192
05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 
200244635:200244635(0) win 0
05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 
2422872529:2422872529(0) win 65535 <mss 1452,nop,nop,sackOK>
05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 
3968474717 win 65535
05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) 
ack 1 win 65535
05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) 
ack 473 win 0

    


  

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491F6466.40309>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact