From owner-freebsd-questions  Mon Nov  2 02:10:07 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id CAA14323
          for freebsd-questions-outgoing; Mon, 2 Nov 1998 02:10:07 -0800 (PST)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from infowest.com (ns1.infowest.com [204.17.177.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA14202;
          Mon, 2 Nov 1998 02:10:00 -0800 (PST)
          (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250])
	by infowest.com (8.8.8/8.8.8) with ESMTP id DAA13710;
	Mon, 2 Nov 1998 03:09:56 -0700 (MST)
Message-ID: <363D84EE.A4E3FB51@infowest.com>
Date: Mon, 02 Nov 1998 03:09:50 -0700
From: "Aaron D. Gifford" <agifford@infowest.com>
X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: questions@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: IPFW question and fetch (Weird, just plain weird!)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

FreeBSD 2.2.7-STABLE system (as of 31 Oct. 1998) running ipfw and I
noticed something REALLY WEIRD:

  fetch http://some.site.blah/file.tar.gz

...It would fail with an error like:

  fetch: sendmsg: www.php.net: Permission denied

Checked my ipfw rules.  NOTHING should have prevented it from working. 
Normal web browsing (Netscrape) can access the exact same URL just fine.

Here's basically what I've got (omitting a few spoof logging lines):

  ipfw add 100 permit ip from any to any via lo0
  ipfw add 200 permit tcp from MY-IP-ADDR to any xmit tun0 setup
  ipfw add 300 permit tcp from any to MY-IP-ADDR recv tun0 established
  ipfw add 400 permit tcp from MY-IP-ADDR to any xmit tun0 established
  ipfw add 1000 deny log all from any to any

Further analysis reveals the problem:  fetch is sending a TCP packet
with the FIN flag set but no ACK flag set, and thus is filtered out by
my ipfw rule that only permits ESTABLISHED connections or NEW
connections.

So... What's up with fetch??????  Why is it doing this weirdness??  Is
it doing some sort of connect test before it opens the real connection
that requires the FIN packet???  I've never encountered this problem
with ANY other software I've used on FreeBSD.

I had to add a new line JUST so fetch would work:

  ipfw add 500 permit tcp from MY-IP-ADDR to any xmit tun0 tcpflags fin

Yuck.  I hate having to add special rules just for one piece of
software.

Puzzled,
Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message