Date:      Sat, 29 Jan 2005 23:05:47 +0100
From:      "Gerard Meijer" <gmeijer@palmweb.nl>
To:        "Vahric MUHTARYAN" <vahric@doruk.net.tr>, <freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw stateful ruleset problem
Message-ID:  <094d01c5064e$b0010600$9600000a@guus>
References:  <200501292126.j0TLQkjg097142@smtp.doruk.net.tr>

Do you mean that I should change 'allow' to 'pass'? What exactly does pass?

Thanks!
----- Original Message ----- 
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>; <freebsd-ipfw@freebsd.org>
Sent: Saturday, January 29, 2005 10:27 PM
Subject: RE: ipfw stateful ruleset problem


> Use like this
>
> intip="your machine ip address"
> int="yourinterfacefor example fxp0 for intel"
>
> ${fwcmd} add 400 drop all from any to any frag
> ${fwcmd} add 500 check-state
> ${fwcmd} add 600 deny tcp from any to any established
> ${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
> ${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state
>
> Bye ...
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org 
> [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Gerard Meijer
> Sent: Saturday, January 29, 2005 10:55 PM
> To: freebsd-ipfw@freebsd.org
> Subject: ipfw stateful ruleset problem
>
> Hi everyone,
>
> First of all, I'm not very experienced with ipfw, so if this is a stupid
> question, I'm sorry.
>
> I have a question regarding my stateful ipfw ruleset. I have the following
> rules:
>
> ---begin---
> $cmd 00015 check-state
>
> #www
> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>
> #mail
> $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>
> #ftp
> $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in FTP
> $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
>
> # Allow in mail
> $cmd 00420 allow tcp from any to me 110 in via $pif
> ---end---
> (there are more rules, but these are the ones that it's about)
>
> The problem that I'm having is that I can't check mail, and can't FTP and
> see a lot of:
>
> ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0
>
> messages in my logfile.
>
> When I try to check mail I see in my log:
>
> ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0
>
> What happens (I think, as far as I understand ipfw), there is a connection
> setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A
> dynamic rule is created, but then the other computer switches ports. The
> check-state command checks for a dynamic rule, but the port doesn't match
> anymore and so it doesn't find a dynamic rule and the other rules also don't
> apply, since they only allow connection initialization. Am I correct?
>
> I can solve all this by putting in the rule:
>
> # $cmd 00020 allow tcp from any to any established
>
> But I learned that that is not the right way to do this in a stateful
> ruleset, because the dynamic rules don't have any use in this way. So what
> is the right way to solve this?
>
> Thanks a lot in advance!
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>
> 

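The behaviour the thread is about (check-state only accepts a packet if some earlier keep-state rule created a dynamic rule for that flow) can be traced with a small Python model of ipfw's matching. This is an added illustration, not ipfw's own code or anything from the posters; the addresses, the client port and the reduced rule set are constructed, and only the matching behaviour discussed above (check-state, setup, keep-state, direction, destination port) is modelled.

```python
ME = "192.0.2.10"        # stands in for [my-server-ip] (constructed value)
CLIENT = "198.51.100.7"  # stands in for [my-home-pc-ip] (constructed value)

def rule(num, action, dport=None, direction=None, setup=False, keep_state=False):
    return dict(num=num, action=action, dport=dport, direction=direction,
                setup=setup, keep_state=keep_state)

def pkt(src, sport, dst, dport, direction, flags):
    return dict(src=src, sport=sport, dst=dst, dport=dport, direction=direction, flags=flags)

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # dynamic rules, stored as (src, sport, dst, dport)

    def evaluate(self, p):
        """Return (rule number, action) of the first rule that matches packet p."""
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        for r in self.rules:
            if r["action"] == "check-state":
                if fwd in self.dynamic or rev in self.dynamic:  # matches either direction
                    return r["num"], "allow"
                continue
            if r["dport"] is not None and r["dport"] != p["dport"]:
                continue
            if r["direction"] and r["direction"] != p["direction"]:
                continue
            if r["setup"] and p["flags"] != "SYN":  # 'setup' = SYN without ACK
                continue
            if r["keep_state"]:  # only keep-state (or limit) rules create dynamic rules
                self.dynamic.add(fwd)
            return r["num"], r["action"]
        return 65535, "deny"  # ipfw's default rule

def pop3_session(inbound_rule):
    """Client SYN to me:110 arrives, then our SYN/ACK reply goes out."""
    fw = Firewall([rule(15, "check-state"),
                   rule(200, "allow", 80, "out", setup=True, keep_state=True),
                   rule(231, "allow", 110, "out", setup=True, keep_state=True),
                   inbound_rule])
    syn = fw.evaluate(pkt(CLIENT, 40123, ME, 110, "in", "SYN"))
    reply = fw.evaluate(pkt(ME, 110, CLIENT, 40123, "out", "SYN-ACK"))
    return syn, reply

# rule 420 as posted: no keep-state, so the reply finds no dynamic rule and hits the default deny
AS_POSTED = rule(420, "allow", 110, "in")
# the same rule with 'setup keep-state': check-state (rule 15) accepts the reply
WITH_STATE = rule(420, "allow", 110, "in", setup=True, keep_state=True)
```

Running `pop3_session(AS_POSTED)` shows the inbound SYN accepted by rule 420 and the reply dropped by the default rule, which is the log pattern from the post; with `WITH_STATE` the reply is accepted by check-state instead.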


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?094d01c5064e$b0010600$9600000a>