Date: Thu, 30 Aug 2007 18:19:34 +1200
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: freebsd-ipfw@freebsd.org
Subject: getting state to work properly
Message-ID: <46D66176.9020300@auckland.ac.nz>
Hi Folks,

I have a fair bit of experience with firewalls, particularly pf and also iptables, but I have never played with ipfw before. I have the ipfw man page and some of the FreeBSD tutorial stuff to consult -- all looks pretty straightforward.

I have inherited an ipfw firewall which I am trying to make some changes to. The current rule set does not use state and is very difficult to understand, as filtering is being done on many interfaces (four VLANs representing the 'inside' and one physical interface being the 'outside'). In an attempt to impose some order I rewrote the rule set from scratch, doing all the real filtering on the external interface and using state to keep track of connections. Today I had a two hour outage to try and make it work and totally failed. (I'm not really surprised...)

My first question is "is there any way of maintaining state over a rule reload?" One way of doing it would be to change the rule set number of the running rule set before loading the new rules. Is this possible? But this is in the "it would be nice" category.

More importantly, I failed to make the state stuff work. State gets created -- ipfw -ad show shows the dynamic rules with numbers in both counters -- but the returning packets never appear on either the inbound or outbound interfaces (according to tcpdump). I have log logamount 0 on *all* denies but nothing is logged. I know, from monitoring traffic outside the firewall, that the original packets are coming out and replies are being sent to the firewall, where they silently vanish.

Any ideas appreciated. My gut feeling is that I'm missing something basic. If anyone wants to have a look at the rule set I'm happy to mail it to them, but I don't want it appearing in a public mail archive ;)

Thanks, Russell.

ISO, The University of Auckland, New Zealand.
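A stateful ipfw rule set of the shape the message describes (all real filtering on the external interface, the internal VLAN interfaces passed through, connections tracked with keep-state), plus a reload that loads the new rules into an inactive set and swaps it in, is shown below as an added example. It is not Russell's rule set and not from the original thread. The interface names em0 and vlan10..vlan40, the 10.0.0.0/8 inside range, the rule numbers and the use of ipfw set 1 for the reload are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example: stateful ipfw(8) rule set that filters only on the
# external interface. Interface names and addresses are assumptions.
ext="em0"                              # assumed external interface
inside="vlan10 vlan20 vlan30 vlan40"   # assumed internal VLAN interfaces
inside_nets="10.0.0.0/8"               # assumed address space behind the firewall

# Print the rule set in the form ipfw reads from a file (one rule per line, no
# leading "ipfw"). Every rule is tagged with a set number so it can be loaded
# next to the live set and activated with a single "set swap".
ipfw_rules() {
    set_no="${1:-1}"
    cat <<EOF
add 100 set $set_no allow ip from any to any via lo0
add 110 set $set_no deny ip from any to 127.0.0.0/8
add 120 set $set_no deny ip from 127.0.0.0/8 to any
EOF
    # Internal VLANs are trusted: a packet from inside passes here on its way
    # in, and is then judged by the stateful rules when it leaves via $ext.
    for i in $inside; do
        echo "add 200 set $set_no allow ip from any to any via $i"
    done
    cat <<EOF
# Dynamic rules created by the rules below are matched here, in both
# directions and on any interface, before the static rules on $ext are read.
add 300 set $set_no check-state
# Outbound connections from the inside create state. "setup" restricts the
# static match to the initial SYN; replies are accepted by rule 300.
add 400 set $set_no allow tcp from $inside_nets to any out via $ext setup keep-state
add 410 set $set_no allow udp from $inside_nets to any out via $ext keep-state
add 420 set $set_no allow icmp from $inside_nets to any out via $ext icmptypes 8
add 430 set $set_no allow icmp from any to any in via $ext icmptypes 0,3,11
# Inbound management to the firewall itself, also stateful.
add 500 set $set_no allow tcp from any to me 22 in via $ext setup keep-state
# Everything else on the external interface is dropped and logged.
add 900 set $set_no deny log logamount 0 ip from any to any via $ext
EOF
}

# Load the printed rules into set 1 while set 0 stays live, then swap the two.
# The previous rules are left in the (now disabled) set 1 rather than deleted,
# because deleting a rule also removes the dynamic rules it created.
apply_rules() {
    tmp=$(mktemp) || return 1
    ipfw_rules 1 > "$tmp"
    ipfw -q delete set 1 2>/dev/null   # clear leftovers from an earlier reload
    ipfw -q set disable 1
    if ! ipfw -q -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    ipfw -q set swap 0 1               # new rules are live from this point
    rm -f "$tmp"
}

# Only "apply" touches the running firewall; anything else just prints rules.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     ipfw_rules 1 ;;
esac
```

Checks that go with this: `ipfw -d show` lists the dynamic rules and their counters; a `deny ... log` rule only writes to syslog (the security facility, /var/log/security by default) when `net.inet.ip.fw.verbose` is 1, so no log lines with logging enabled on every deny means either the sysctl is 0 or the packets never reached a deny rule. On FreeBSD an inbound packet is handed to bpf, and hence to tcpdump, before ipfw's input hook runs, so a reply that tcpdump never shows on the interface was not dropped by ipfw. Whether the dynamic entries of the old, disabled set keep matching at check-state after a swap is something to confirm on the running kernel with `ipfw -d show`; it is assumed here, not verified.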
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46D66176.9020300>