Date:      Thu, 20 Apr 2006 08:14:55 +0400
From:      "Andrew Pantyukhin" <infofarmer@gmail.com>
To:        "Drew Tomlinson" <drew@mykitchentable.net>
Cc:        Noah Silverman <noah@allresearch.com>, freebsd-questions@freebsd.org
Subject:   Re: IPFW Problems
Message-ID:  <cb5206420604192114m2a07e32cx6cd706c816d6c82@mail.gmail.com>
In-Reply-To: <4446D5A4.8030502@mykitchentable.net>
References:  <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com> <4446D5A4.8030502@mykitchentable.net>

On 4/20/06, Drew Tomlinson <drew@mykitchentable.net> wrote:
> On 4/17/2006 2:29 PM Noah Silverman wrote:
> > Hi,
> >
> > I have a system with a 4.11 Kernel.  Unless I'm doing something very
> > wrong, there seems to be something odd with ipfw.
> >
> > Take the following rules:
> I assume above this you have "ipfw add check-state" defined?  This is
> the rule that's required to get ipfw to check its dynamic rule set.
> Without it, "keep-state" rules will never work.

No, this is not required. The dynamic rules are checked
at first keep-state or limit, too.

> > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > ipfw add 00299 deny log all from any to any out via bge0
> > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> > src-addr 2
> I think this line is your problem.  "setup" matches the initial packet
> with the syn flag set.  However since you have not added "keep-state",
> no rule gets added to the dynamic rule set for this connection.
> Subsequent packets don't match because "syn" is not set.  Thus they hit
> rule 499 and are denied.

Yes. 'setup' is from the "semi-stateful" firewall functionality while
'keep-state' is from the fully stateful one. You can't use both in
one rule without strange consequences. Just delete the 'setup'
word in both rules - it'll probably be fine.

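The matching behaviour the thread argues about, as an added Python model that is not part of this thread and not ipfw's own code: 'setup' matches only the SYN, 'limit' creates dynamic state just like 'keep-state', and with no check-state rule that state is consulted at the first keep-state or limit rule, as ipfw(8) describes. The addresses, ports and rule numbers are constructed for the example, and the model covers only the rule options quoted above.

```python
from dataclasses import dataclass

@dataclass
class Rule:                        # the subset of ipfw syntax used in the thread
    num: int
    action: str = "allow"
    dport: "int | None" = None     # destination port; None matches any
    dir: "str | None" = None       # "in" / "out"; None matches either
    setup: bool = False            # match only TCP SYN without ACK
    keep_state: bool = False       # create a dynamic entry on match
    limit: "int | None" = None     # "limit src-addr N"; implies keep-state
    check_state: bool = False      # explicit check-state rule (no body)

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int; dir: str
    syn: bool = False; ack: bool = False

def flow(p):  # a dynamic entry matches both directions of one connection
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def matches(r, p):
    return ((r.dport is None or r.dport == p.dport) and r.dir in (None, p.dir)
            and (not r.setup or (p.syn and not p.ack)))

def evaluate(rules, p, dyn):
    checked = False
    for r in rules:
        # ipfw(8): with no check-state rule, state is checked at the first keep-state/limit rule
        if not checked and (r.check_state or r.keep_state or r.limit is not None):
            checked = True
            if flow(p) in dyn:
                return dyn[flow(p)][1]     # action of the rule that created it
        if r.check_state or not matches(r, p):
            continue
        if r.limit is not None and sum(1 for n, _, s in dyn.values()
                                       if n == r.num and s == p.src) >= r.limit:
            return "deny"                  # over the per-source limit: dropped
        if r.keep_state or r.limit is not None:
            dyn[flow(p)] = (r.num, r.action, p.src)   # new dynamic entry
        return r.action
    return "deny"                          # ipfw's default rule

# Constructed traffic: the SYN, then a later ACK, of one inbound SSH connection
SYN = Pkt("203.0.113.5", 40000, "192.0.2.1", 22, "in", syn=True)
ACK = Pkt("203.0.113.5", 40000, "192.0.2.1", 22, "in", ack=True)
# 'setup' with no state option: nothing but the SYN can ever match this rule
STATELESS = [Rule(430, dport=22, dir="in", setup=True)]
# 'limit src-addr 2' creates state, and is also where that state is checked
STATEFUL = [Rule(430, dport=22, dir="in", limit=2)]
```

With STATELESS the ACK falls through to the default deny, which is the symptom Drew describes; with STATEFUL the ACK is allowed by the dynamic entry without any check-state rule, and a third connection from the same source is dropped by the limit.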