From owner-freebsd-questions Fri Sep 18 22:15:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA20264 for freebsd-questions-outgoing; Fri, 18 Sep 1998 22:15:14 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA20259 for ; Fri, 18 Sep 1998 22:15:12 -0700 (PDT) (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250]) by infowest.com (8.8.8/8.8.8) with ESMTP id XAA18264 for ; Fri, 18 Sep 1998 23:14:47 -0600 (MDT)
Message-ID: <36033DBC.8E2C96E5@infowest.com>
Date: Fri, 18 Sep 1998 23:14:36 -0600
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: questions@FreeBSD.ORG
Subject: ipfw, fetch, "sendmsg: Permission denied", and tcpflag FIN weirdness - Answers anyone???
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Here's a fun one for y'all.

Why does every TCP program I've used thus far work perfectly except for /usr/bin/fetch for fetching files with the HTTP protocol, UNLESS I add an additional line to my rc.firewall config to permit outgoing TCP packets with the FIN flag set? Why fetch and nothing else? I've used telnet to grab web pages without the line. I've used perl scripts to grab web files as well using HTTP. Only fetch screams.

Here's an example WITHOUT the extra FIN line in my rc.firewall config:

# fetch http://www.some-site-somewhere.com/blah.gif
fetch: sendmsg: www.some-site-somewhere.com: Permission denied
# ipfw add 1450 permit tcp from <> to any out via tun0 tcpflag fin
01450 allow tcp from <> to any out xmit tun0 tcpflg fin
# fetch http://www.some-site-somewhere.com/blah.gif
Receiving blah.gif (2156 bytes): 100%
2156 bytes transfered in 0.2 seconds (12.28 Kbytes/s)

Weird.
Anyway, here's the system in question:

System: P166 SCSI-based system
OS: 2.2.7-STABLE as of 25 July 1998
Program: /usr/bin/fetch and the ipfw_mod.o LKM both updated as of 25 July 1998
Network: Userland PPP connection via modem to my ISP

PORTION of /etc/rc.firewall:
============================

# Pass all localhost traffic via the loopback interface:
/sbin/ipfw add pass all from any to any via ${loop}

# Deny spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.0/8 to any
/sbin/ipfw add deny log all from any to 127.0.0.0/8
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Deny everything else via the loopback:
/sbin/ipfw add deny all from any to any via ${loop}

# Pass established TCP connections:
/sbin/ipfw add pass tcp from any to ${ip} in via ${extern} established
/sbin/ipfw add pass tcp from ${ip} to any out via ${extern} established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

###### STRANGE WEIRD FIN work-around so fetch will work:
$fwcmd add pass tcp from ${ip} to any tcpflag fin

# Pass new incoming HTTP connections:
/sbin/ipfw add pass tcp from any to ${ip} 80 in via ${extern} setup

# Deny all other TCP packets:
/sbin/ipfw add deny log tcp from any to any

<>

Thanks for any/all comments.

Aaron out.
www.eq.net