Date: Mon, 02 Nov 1998 03:09:50 -0700 From: "Aaron D. Gifford" <agifford@infowest.com> To: questions@FreeBSD.ORG, stable@FreeBSD.ORG Subject: IPFW question and fetch (Weird, just plain weird!) Message-ID: <363D84EE.A4E3FB51@infowest.com>
next in thread | raw e-mail | index | archive | help
FreeBSD 2.2.7-STABLE system (as of 31 Oct. 1998) running ipfw and I noticed something REALLY WEIRD: fetch http://some.site.blah/file.tar.gz ...It would fail with an error like: fetch: sendmsg: www.php.net: Permission denied Checked my ipfw rules. NOTHING should have prevented it from working. Normal web browsing (Netscrape) can access the exact same URL just fine. Here's basically what I've got (omitting a few spoof logging lines): ipfw add 100 permit ip from any to any via lo0 ipfw add 200 permit tcp from MY-IP-ADDR to any xmit tun0 setup ipfw add 300 permit tcp from any to MY-IP-ADDR recv tun0 established ipfw add 400 permit tcp from MY-IP-ADDR to any xmit tun0 established ipfw add 1000 deny log all from any to any Further analysis reveals the problem: fetch is sending a TCP packet with the FIN flag set but no ACK flag set, and thus is filtered out by my ipfw rule that only permits ESTABLISHED connections or NEW connections. So... What's up with fetch?????? Why is it doing this weirdness?? Is it doing some sort of connect test before it opens the real connection that requires the FIN packet??? I've never encountered this problem with ANY other software I've used on FreeBSD. I had to add a new line JUST so fetch would work: ipfw add 500 permit tcp from MY-IP-ADDR to any xmit tun0 tcpflags fin Yuck. I hate having to add special rules just for one piece of software. Puzzled, Aaron out. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?363D84EE.A4E3FB51>