Date:      Wed, 11 Apr 2001 23:31:16 -0700
From:      Gregory Neil Shapiro <gshapiro@freebsd.org>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw dynamic rulesets broken for me
Message-ID:  <15061.19380.659608.578985@horsey.gshapiro.net>

I tried switching from using the established check to keeping state and it
isn't working as expected.  Dynamic rules time out on open connections (e.g.,
ssh connections that I haven't used for about 10 minutes but are still
open).  Also, by the time a TCP connection goes from CLOSE_WAIT to
LAST_ACK, the dynamic rule is gone and the LAST_ACK is denied (and
therefore the connection lingers).  I've included my fairly simple ipfw
ruleset below.  Any help is appreciated.

# Clear the list
-f flush

# localhost
add 01000 allow ip from any to any via lo0

# Check state table
add 02000 check-state
add 02000 deny log tcp from any to any established

# Stop RFC1918 nets
add 10010 deny log ip from 10.0.0.0/8 to any
add 10010 deny log ip from any to 10.0.0.0/8
add 10127 deny log ip from 127.0.0.0/8 to any
add 10127 deny log ip from any to 127.0.0.0/8
add 10172 deny log ip from 172.16.0.0/12 to any
add 10172 deny log ip from any to 172.16.0.0/12
add 10192 deny log ip from 192.168.0.0/16 to any
add 10192 deny log ip from any to 192.168.0.0/16

# Open for services we want to offer
# ssh, smtp, identd
add 20000 allow tcp from any to me 22,25,113 setup in keep-state

# Allow DHCP to work
add 20068 allow udp from any 67 to me 68 in

# Allow outgoing connections
add 30000 allow tcp from me to any setup out keep-state
add 30010 allow udp from me to any out keep-state
add 30020 allow icmp from me to any out keep-state

# Denies we don't care to log
add 40000 deny udp from any 138 to any 138 in

# Never assume the kernel default
add 65534 deny log ip from any to any
