From: Gregory Neil Shapiro
To: freebsd-ipfw@freebsd.org
Date: Wed, 11 Apr 2001 23:31:16 -0700
Subject: ipfw dynamic rulesets broken for me
Message-ID: <15061.19380.659608.578985@horsey.gshapiro.net>

I tried switching from using the established check to keeping state and it isn't working as expected. Dynamic rules time out on open connections (e.g., ssh connections that I haven't used for about 10 minutes but are still open). Also, by the time a TCP connection goes from CLOSE_WAIT to LAST_ACK, the dynamic rule is gone and the LAST_ACK is denied (and therefore the connection lingers). I've included my fairly simple ipfw ruleset below. Any help is appreciated.
# Clear the list
-f flush

# localhost
add 01000 allow ip from any to any via lo0

# Check state table
add 02000 check-state
add 02000 deny log tcp from any to any established

# Stop RFC1918 nets
add 10010 deny log ip from 10.0.0.0/8 to any
add 10010 deny log ip from any to 10.0.0.0/8
add 10127 deny log ip from 127.0.0.0/8 to any
add 10127 deny log ip from any to 127.0.0.0/8
add 10172 deny log ip from 172.16.0.0/12 to any
add 10172 deny log ip from any to 172.16.0.0/12
add 10192 deny log ip from 192.168.0.0/16 to any
add 10192 deny log ip from any to 192.168.0.0/16

# Open for services we want to offer
# ssh, smtp, identd
add 20000 allow tcp from any to me 22,25,113 setup in keep-state

# Allow DHCP to work
add 20068 allow udp from any 67 to me 68 in

# Allow outgoing connections
add 30000 allow tcp from me to any setup out keep-state
add 30010 allow udp from me to any out keep-state
add 30020 allow icmp from me to any out keep-state

# Denies we don't care to log
add 40000 deny udp from any 138 to any 138 in

# Never assume the kernel default
add 65534 deny log ip from any to any
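The behaviour described in the post, modelled as an added example that is neither the poster's ruleset nor ipfw's own code: a toy dynamic-rule table with the ruleset's ordering (check-state, then deny established, then the keep-state setup rules), run over a constructed ssh trace that goes idle. The two lifetime constants are assumptions standing in for the net.inet.ip.fw.dyn_ack_lifetime and dyn_fin_lifetime sysctls; once an entry has idled past the first, the peer's FIN and the LAST_ACK find no state and fall through to the deny-established rule.

```python
# Added illustration of ipfw keep-state/check-state on an idle TCP session; it is
# not the poster's ruleset or ipfw's source. Both lifetimes are assumed stand-ins
# for the net.inet.ip.fw.dyn_ack_lifetime / dyn_fin_lifetime sysctls.
ACK_LIFETIME = 300  # assumed: idle seconds before an established entry expires
FIN_LIFETIME = 20   # assumed: seconds an entry survives once a FIN is seen

class StateTable:
    """Dynamic rule table: one entry per flow, keyed without regard to direction."""

    def __init__(self):
        self.entries = {}  # flow key -> absolute expiry time

    def check_state(self, t, src, dst, flags):
        """Rule 02000 check-state: match a live entry and refresh its timer."""
        k = tuple(sorted((src, dst)))
        expiry = self.entries.get(k)
        if expiry is None or expiry < t:
            self.entries.pop(k, None)  # expired entries are reaped, not matched
            return False
        self.entries[k] = t + (FIN_LIFETIME if "FIN" in flags else ACK_LIFETIME)
        return True

    def keep_state(self, t, src, dst):
        """keep-state on a setup rule: create the entry for the new flow."""
        self.entries[tuple(sorted((src, dst)))] = t + ACK_LIFETIME

def evaluate(table, t, src, dst, flags, me="me"):
    """Apply the posted ruleset's ordering to one packet and return the verdict."""
    if table.check_state(t, src, dst, flags):
        return "allow (dynamic rule)"
    if flags == {"SYN"}:  # 'setup' packets hit rules 20000 (in) / 30000 (out)
        table.keep_state(t, src, dst)
        return "allow 30000 keep-state" if src == me else "allow 20000 keep-state"
    return "deny 02000 established"  # mid-stream packet with no state left

def simulate(trace):
    """trace: (time, src, dst, flags) tuples; returns one verdict per packet."""
    table = StateTable()
    return [evaluate(table, *pkt) for pkt in trace]

# Constructed trace: ssh opened, used for a minute, then idle past ACK_LIFETIME;
# the peer's FIN and our LAST_ACK arrive after the dynamic rule has expired.
IDLE_SSH = [
    (0, "me", "peer", {"SYN"}),
    (1, "peer", "me", {"SYN", "ACK"}),
    (60, "me", "peer", {"ACK"}),
    (60 + ACK_LIFETIME + 1, "peer", "me", {"FIN", "ACK"}),
    (60 + ACK_LIFETIME + 2, "me", "peer", {"ACK"}),  # LAST_ACK
]
```

Running simulate(IDLE_SSH) shows the setup and in-session packets allowed and the last two denied; a session that exchanges a packet at least every ACK_LIFETIME seconds keeps matching the dynamic rule.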