Date:      Thu, 30 Sep 2004 20:05:50 +0530
From:      Subhro <subhro.kar@gmail.com>
To:        drift@freebsd.org
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW Problem
Message-ID:  <b2807d0404093007355b40a34f@mail.gmail.com>
In-Reply-To: <20040930142936.8EB9543D1D@mx1.FreeBSD.org>
References:  <58844.61.88.244.4.1096525998.squirrel@61.88.244.4> <20040930142936.8EB9543D1D@mx1.FreeBSD.org>

On Thu, 30 Sep 2004 22:32:16 +1000, Steven Adams <steve@drifthost.com> wrote:
> When I add
> 
> $fwcmd add allow ip from any to any established
> 
> The messages go away, but when I remove it they come back. I ran a tcpdump;
> it seems most of the packets just have ACK set?

If this works for you then the keep-state is definitely not working
for you, because when a SYN comes in, the state is saved in the
firewall dynamic states so that subsequent ACKs corresponding to that
SYN get through without any problem.

<snip>

>===========================================================
> oif=bge0
> fwcmd=ipfw
> 
> $fwcmd -f flush
> 
> $fwcmd add check-state
> 
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny ip from any to 127.0.0.0/8
> 
> $fwcmd add deny all from any to any frag in via $oif
> 
> $fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
> $fwcmd add allow tcp from any to me 80 setup keep-state
> $fwcmd add allow udp from me 53 to any keep-state
> $fwcmd add allow udp from any to any 53 keep-state
> 
> $fwcmd add allow all from me to any out via $oif setup keep-state
> 
> $fwcmd add deny all from any to any 137,138,139,67,68 in
> 
> $fwcmd add deny log all from me to any 22
> $fwcmd add deny log all from any to any

Change this to $fwcmd add deny log all from any to any in xmit $oif
BTW, any good reason not to trust your internal network from sending
data through the firewall?

<snip>

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
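As an added illustration, not part of the thread and not ipfw code, here is a small Python model of the check-state/keep-state behaviour Subhro describes, with the `established` shortcut from Steven's test beside it; the addresses, ports and packets are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

@dataclass
class Ipfw:
    keep_state: bool    # rules carry keep-state and a check-state rule exists
    established: bool   # an "allow tcp from any to any established" rule is present
    me_ports: frozenset = frozenset({80, 443})  # constructed sample service ports
    dynamic: set = field(default_factory=set)   # the dynamic state table
    denied: list = field(default_factory=list)  # what "deny log" would write

    def _key(self, p):
        # direction-independent flow key so replies match the same dynamic entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        # "add check-state": a packet matching a dynamic entry is accepted at once
        if self.keep_state and self._key(p) in self.dynamic:
            return "allow"
        # "allow tcp from any to any established": anything that is not a pure
        # SYN passes, with no state lookup at all
        if self.established and p.flags != {"SYN"}:
            return "allow"
        # "allow tcp from any to me <ports> setup keep-state": a SYN-only
        # packet to a served port opens the flow and (if enabled) records state
        if p.dport in self.me_ports and p.flags == {"SYN"}:
            if self.keep_state:
                self.dynamic.add(self._key(p))
            return "allow"
        # "deny log all from any to any": this is what fills the log
        self.denied.append(p)
        return "deny"

def run_handshake(fw):
    """Constructed client 203.0.113.5 opening a session to 'me' port 80."""
    pkts = [Packet("203.0.113.5", 40001, "me", 80, frozenset({"SYN"})),
            Packet("me", 80, "203.0.113.5", 40001, frozenset({"SYN", "ACK"})),
            Packet("203.0.113.5", 40001, "me", 80, frozenset({"ACK"})),
            Packet("203.0.113.5", 40001, "me", 80, frozenset({"ACK", "PSH"}))]
    return [fw.filter(p) for p in pkts]

def stray_ack(fw):
    """Unsolicited ACK-only packet to a port no rule serves (constructed)."""
    return fw.filter(Packet("198.51.100.9", 55555, "me", 6000, frozenset({"ACK"})))
```

With keep-state working, the ACKs of a tracked session match the dynamic entry and nothing reaches the deny log; the `established` rule also silences the log, but it admits any ACK-flagged packet to any port without a state lookup.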
