Date:      Thu, 2 Aug 2001 11:39:37 +0400 (MSD)
From:      "Eugene L. Vorokov" <vel@bugz.infotecs.ru>
To:        freebsd-net@freebsd.org
Cc:        freebsd-hackers@freebsd.org
Subject:   ipfw "established" option
Message-ID:  <200108020739.f727dbY02620@bugz.infotecs.ru>

Hello,

I've found a strange issue regarding ipfw. I have FreeBSD 4.2-RELEASE.
Suppose I have these rules:

1 allow tcp from any to 195.210.139.22 established
2 deny tcp from any to 195.210.139.22
2 allow all from any to any

The intention is to allow the machine itself to connect outside and accept
responses once a connection is established, but deny attempts to connect
to this machine from outside. I was thinking that the first packet which tries
to establish a TCP connection should never match rule 1.

However, I've found that it depends on which operating system tries to
connect in! When I try this from a machine with FreeBSD 4.3-RELEASE, it gets
dropped as expected. tcpdump on my machine says:

11:15:01.841594 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 <mss 1460> (DF) [tos 0x10] 
11:15:04.911908 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 <mss 1460> (DF) [tos 0x10] 
11:15:07.804934 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 <mss 1460> (DF) [tos 0x10] 

Okay, that's fine. But then I try the same from a Linux machine (2.4.5).
I am able to successfully telnet in! tcpdump says:

11:15:51.479203 195.230.76.28.39925 > 195.210.139.22.21: S [ECN-Echo,CWR] 4162184178:4162184178(0) win 5840 <mss 1460,sackOK,timestamp 301048828 0,nop,wscale 0> (DF) [tos 0x10] 
11:15:51.479466 195.210.139.22.21 > 195.230.76.28.39925: S 2404031587:2404031587(0) ack 4162184179 win 17520 <mss 1460> (DF)
11:15:51.565124 195.230.76.28.39925 > 195.210.139.22.21: . ack 1 win 5840 (DF) [tos 0x10] 
11:15:51.590818 195.210.139.22.21 > 195.230.76.28.39925: P 1:58(57) ack 1 win 17520 (DF) [tos 0x10] 
11:15:51.648107 195.230.76.28.39925 > 195.210.139.22.21: . ack 58 win 5840 (DF) [tos 0x10] 

Firewall logs also say that the initial packet matched rule 1
and was passed.

Why is it like that? Am I missing something?

Regards,
Eugene
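The difference between the two captures is the flag set on the initial SYN: the Linux 2.4.5 host sets the ECN bits (ECN-Echo and CWR) alongside SYN, the FreeBSD 4.3 host sets SYN alone. ipfw(8) documents "established" as matching TCP packets that have the RST or ACK bit set, so under that definition neither SYN should match rule 1. The following is an added example, not code from the post or from ipfw: it builds TCP headers with the flag sets shown in the two captures (constructed test data, not live packets), implements the documented "established" test over the raw header, and contrasts it with a hypothetical check that treats any bit other than SYN as a sign of an established connection. Whether 4.2-RELEASE did anything like the latter is not stated in the post; the point is that a correct check masks the flag field down to ACK and RST, so the ECN bits cannot affect it.

```python
"""Flag-level "established" check for the two SYNs in the capture.

Added example, not the post's or ipfw's own code. ipfw(8) defines
"established" as RST-or-ACK set; everything else here is constructed
for illustration.
"""
import struct

# TCP flag bits as they sit in the low 9 bits of the 16-bit
# "data offset / reserved / flags" field of the header.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (1 << i for i in range(8))


def build_tcp_header(sport, dport, seq, ack, flags, win):
    """Minimal 20-byte TCP header, no options, zero checksum (constructed test data)."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, win, 0, 0)


def tcp_flags(header):
    """Return the 9 flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN) of a raw header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x1FF


def is_established(header):
    """ipfw(8) semantics: 'established' matches when RST or ACK is set."""
    return bool(tcp_flags(header) & (TH_ACK | TH_RST))


def is_established_naive(header):
    """Hypothetical mis-implementation: 'anything besides a bare SYN is established'.

    Not claimed to be what 4.2-RELEASE did; shown only because ECE/CWR on a
    SYN slips through any check that does not mask down to ACK|RST.
    """
    return tcp_flags(header) != TH_SYN


def flags_str(flags):
    """tcpdump-style letters for the flags that are set."""
    names = [("F", TH_FIN), ("S", TH_SYN), ("R", TH_RST), ("P", TH_PUSH),
             ("A", TH_ACK), ("U", TH_URG), ("E", TH_ECE), ("C", TH_CWR)]
    return "".join(n for n, bit in names if flags & bit) or "."


# Packets modelled on the capture in the post (ports, seq numbers and windows
# are taken from the tcpdump lines; the ack packet's numbers are constructed).
FREEBSD_SYN = build_tcp_header(1117, 21, 3910802910, 0, TH_SYN, 16384)
LINUX_SYN = build_tcp_header(39925, 21, 4162184178, 0, TH_SYN | TH_ECE | TH_CWR, 5840)
SYNACK = build_tcp_header(21, 39925, 2404031587, 4162184179, TH_SYN | TH_ACK, 17520)
ACK = build_tcp_header(39925, 21, 4162184179, 2404031588, TH_ACK, 5840)

PACKETS = {"freebsd_syn": FREEBSD_SYN, "linux_syn": LINUX_SYN, "synack": SYNACK, "ack": ACK}


def classify(packets):
    """Map packet name -> (flags, documented verdict, naive verdict)."""
    return {name: (flags_str(tcp_flags(h)), is_established(h), is_established_naive(h))
            for name, h in packets.items()}


if __name__ == "__main__":
    for name, (flags, documented, naive) in classify(PACKETS).items():
        print(f"{name:12s} flags={flags:4s} established(ACK|RST)={documented!s:5s} naive={naive}")
```

Running it shows both SYNs classified as not established under the documented ACK|RST test, while the naive variant lets the ECN-flagged Linux SYN through, matching what the firewall logs in the post report for rule 1.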

