Date:      Thu, 22 Mar 2001 23:45:18 +0100
From:      "Andre Goeree" <abgoeree@uwnet.nl>
To:        Gordon Tetlow <gordont@bluemtn.net>
Cc:        stable@freebsd.org
Subject:   Re: ipfw stateful filtering
Message-ID:  <20010322234518.A16010@mandark.attica.home>
In-Reply-To: <Pine.BSF.4.33.0103221205460.87344-100000@sdmail0.sd.bmarts.com>; from gordont@bluemtn.net on Thu, Mar 22, 2001 at 12:06:50PM -0800
References:  <20010322164215.A20386@mandark.attica.home> <Pine.BSF.4.33.0103221205460.87344-100000@sdmail0.sd.bmarts.com>

On Thu, Mar 22, 2001 at 12:06:50PM -0800, Gordon Tetlow wrote:
> I have the same thing.... If you read the ipfw man page, it actually tells
> you that you don't need a check-state rule as the first keep-state rule
> implies check-state. I imagine the counters go elsewhere but I'm not sure.
> If I get the time, I'll look at the code.
> 
> -gordon

Well, rule 100 must match somehow otherwise all (established) packets 
would be denied by rule 2100 (before they get to the first keep-state).
It's only strange that no counter or timestamp gets updated on rule 100 
when incoming packets with keep-state match.

On the other hand...:
Another thing that's hard for me to understand is the packets going
through lo0 (rule 200). I don't have anything hanging on that interface.
All internal services use the network ip (192.168.1.10) of the box on rl0.
Since the traffic shown in my example was generated only by the localhost
the only interface that should have been used is tun*.

--Andre.

> 
> On Thu, 22 Mar 2001, Andre Goeree wrote:
> 
> > I'm experimenting a little with stateful filtering.
> > Somehow it doesn't work like I expect; output of "ipfw show":
> >
> > 00100    0      0 check-state
> > 00200 2874 690508 allow ip from any to any via lo0
> > [snip address checking rules]
> > 02100    0      0 deny tcp from any to any via tun* established
> > 02200  890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> > [snip local network rules]
> > ## Dynamic rules:
> > 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
> >
> > It appears that the check-state rule never matches..
> > Am I overlooking something?
> >
> > --Andre.
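As an added illustration of the rule walk discussed in this thread (it is not code from the thread or from FreeBSD's ipfw), here is a small Python model of the quoted ruleset: 100 check-state, 200 allow via lo0, 2100 deny established via tun*, 2200 allow ... keep-state ... setup. It sends a constructed outbound SYN and its inbound reply through the ruleset once with rule 100 present and once without it. The addresses, the packet model and the counter attribution are assumptions: the model counts a dynamic-rule hit on the keep-state rule that created the state rather than on the check-state rule, which is what the quoted "ipfw show" output (rule 100 at 0, dynamic rule 02200 at 889) suggests.

```python
"""Toy model of how ipfw orders check-state and keep-state.

Added example; not code from the thread or from FreeBSD. It replays the
ruleset quoted in the thread against a constructed outbound SYN and its
inbound reply. Addresses, the packet model and the counter attribution
(parent keep-state rule gets the count, check-state stays at zero) are
assumptions chosen to match the quoted 'ipfw show' output.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # SYN flag
    ack: bool        # ACK flag; ipfw's "established" also counts RST
    iface: str
    direction: str   # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                                        # "check-state", "allow", "deny"
    match: Optional[Callable[[Packet], bool]] = None   # None matches anything
    keep_state: bool = False
    pcnt: int = 0                                      # packet counter, as in "ipfw show"


def flow_key(p: Packet):
    """Direction-independent key so the reply finds the state the SYN created."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


@dataclass
class Firewall:
    rules: List[Rule]
    dynamic: Dict[frozenset, Rule] = field(default_factory=dict)

    def check(self, p: Packet):
        """Return (action, rule_number) the way ipfw would resolve the packet."""
        dyn_probed = False
        for r in self.rules:
            # Dynamic rules are consulted at check-state or, if no check-state
            # rule was seen before it, at the first keep-state rule (ipfw(8)).
            if r.action == "check-state" or (r.keep_state and not dyn_probed):
                dyn_probed = True
                parent = self.dynamic.get(flow_key(p))
                if parent is not None:
                    parent.pcnt += 1           # assumption: parent rule gets the count
                    return parent.action, parent.number
                if r.action == "check-state":
                    continue                   # check-state itself never terminates
            if r.match is not None and not r.match(p):
                continue
            r.pcnt += 1
            if r.keep_state:
                self.dynamic[flow_key(p)] = r  # install state for this flow
            return r.action, r.number
        return "deny", 65535                   # default rule


def build_ruleset(with_check_state: bool) -> Firewall:
    rules = []
    if with_check_state:
        rules.append(Rule(100, "check-state"))
    rules += [
        Rule(200, "allow", lambda p: p.iface == "lo0"),
        Rule(2100, "deny", lambda p: p.iface.startswith("tun") and p.ack),
        Rule(2200, "allow",
             lambda p: p.direction == "out" and p.iface.startswith("tun")
             and 4000 <= p.sport <= 5000 and p.syn and not p.ack,   # "setup"
             keep_state=True),
    ]
    return Firewall(rules)


def simulate(with_check_state: bool):
    """Send a constructed POP3 SYN out via tun0, then its SYN/ACK reply in."""
    fw = build_ruleset(with_check_state)
    syn = Packet("192.0.2.10", 4025, "198.51.100.5", 110, True, False, "tun0", "out")
    reply = Packet("198.51.100.5", 110, "192.0.2.10", 4025, True, True, "tun0", "in")
    return {
        "syn": fw.check(syn),
        "reply": fw.check(reply),
        "counters": {r.number: r.pcnt for r in fw.rules},
    }


if __name__ == "__main__":
    for flag in (True, False):
        label = "with check-state" if flag else "without check-state"
        print(label, simulate(flag))
```

With rule 100 present the reply is resolved at check-state but credited to rule 2200, so rule 100's counter stays at zero while rule 2200 counts both the SYN and the reply; with rule 100 removed the reply reaches rule 2100 first and is denied before the implied check-state at 2200 is ever consulted. Rule 200 (lo0) never fires for tun traffic in this model, so it says nothing about the lo0 counters in the thread.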
