Date: Sat, 29 Jan 2005 23:05:47 +0100
From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: "Vahric MUHTARYAN" <vahric@doruk.net.tr>, <freebsd-ipfw@freebsd.org>
Subject: Re: ipfw statefull ruleset problem
Message-ID: <094d01c5064e$b0010600$9600000a@guus>
References: <200501292126.j0TLQkjg097142@smtp.doruk.net.tr>
Do you mean that I should change 'allow' to 'pass'? What exactly does pass?
Thanks!

----- Original Message -----
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>; <freebsd-ipfw@freebsd.org>
Sent: Saturday, January 29, 2005 10:27 PM
Subject: RE: ipfw statefull ruleset problem

> Use like this
>
> intip="your machine ip address"
> int="your interface, for example fxp0 for Intel"
>
> ${fwcmd} add 400 drop all from any to any frag
> ${fwcmd} add 500 check-state
> ${fwcmd} add 600 deny tcp from any to any established
> ${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
> ${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state
>
> Bye ...
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Gerard Meijer
> Sent: Saturday, January 29, 2005 10:55 PM
> To: freebsd-ipfw@freebsd.org
> Subject: ipfw statefull ruleset problem
>
> Hi everyone,
>
> First of all, I'm not very experienced with ipfw, so if this is a stupid
> question, I'm sorry.
>
> I have a question regarding my stateful ipfw ruleset. I have the following
> rules:
>
> ---begin---
> $cmd 00015 check-state
>
> #www
> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>
> #mail
> $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>
> #ftp
> $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in FTP
> $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
>
> # Allow in mail
> $cmd 00420 allow tcp from any to me 110 in via $pif
> ---end---
> (there are more rules, but these are the ones that it's about)
>
> The problem that I'm having is that I can't check mail, and can't FTP, and
> see a lot of:
>
> ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80]
> out via em0
>
> messages in my logfile.
>
> When I try to check mail I see in my log:
>
> ipfw: 299 Deny TCP [my-server-ip]:110
> [my-home-pc-ip]:[some-port-other-than-110] out via em0
>
> What happens (I think, as far as I understand ipfw), there is a connection
> setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A
> dynamic rule is created, but then the other computer switches ports. The
> check-state command checks for a dynamic rule, but the port doesn't match
> anymore and so it doesn't find a dynamic rule, and the other rules also
> don't apply, since they only allow connection initialization. Am I correct?
>
> I can solve all this by putting in the rule:
>
> # $cmd 00020 allow tcp from any to any established
>
> But I learned that that is not the right way to do this in a stateful
> ruleset, because the dynamic rules don't have any use in this way. So what
> is the right way to solve this?
>
> Thanks a lot in advance!
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
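The ruleset shape Vahric describes, written out as an added example (not code from either message) and extended to all three services in Gerard's ruleset. Assumptions: the outside interface is em0, the server address is 192.0.2.10 (a documentation address), and FWCMD is left unset so the rules are only echoed; set FWCMD="ipfw -q" as root to load them. In ipfw, 'allow', 'accept', 'pass' and 'permit' name the same action, so Vahric's 'pass' lines and Gerard's 'allow' lines are interchangeable. What changes the behaviour is the explicit check-state ahead of the 'established' deny, and every rule that opens a TCP session creating a dynamic rule (keep-state or limit), including the inbound mail rule that had none.

```shell
#!/bin/sh
# Stateful ipfw ruleset: check-state first, no 'allow ... established'
# catch-all, and every session-opening rule creates state.
# Added example, not either poster's rc.firewall. Assumed values:
#   outside interface em0, server address 192.0.2.10 (documentation range).
# With FWCMD unset the rules are echoed for review instead of loaded.
fwcmd=${FWCMD:-"echo ipfw -q"}
pif=${PIF:-em0}
intip=${INTIP:-192.0.2.10}

stateful_ruleset() {
    # Dynamic rules are consulted here. This must precede the 'established'
    # deny below: without an explicit check-state, ipfw does not look at the
    # dynamic table until the first keep-state/limit rule, so a mid-session
    # packet would hit the deny first.
    $fwcmd add 00015 check-state

    # A non-SYN TCP packet that reaches this point has no dynamic rule
    # (no 'setup' was ever seen, or the state expired). Deny and log it;
    # an 'allow ... established' rule here would make the state table useless.
    $fwcmd add 00020 deny log tcp from any to any established

    # Outbound client sessions (www, pop3, ftp control): 'setup' matches only
    # the initial SYN; keep-state creates the dynamic rule that carries the
    # rest of the session in both directions. 'allow' and 'pass' are the
    # same ipfw action.
    n=200
    for port in 80 110 21; do
        $fwcmd add "$n" allow tcp from any to any "$port" out via "$pif" setup keep-state
        n=$((n + 10))
    done

    # Inbound server sessions: 'limit src-addr 2' creates a dynamic rule
    # like keep-state does, but caps each client address at two concurrent
    # connections. A server rule with neither leaves its replies unmatched.
    n=400
    for port in 80 21 110; do
        $fwcmd add "$n" allow tcp from any to "$intip" "$port" in via "$pif" setup limit src-addr 2
        n=$((n + 10))
    done

    # Active-mode FTP data: the server opens the data connection itself from
    # port 20, so that SYN needs its own stateful rule.
    $fwcmd add 450 allow tcp from "$intip" 20 to any out via "$pif" setup keep-state

    # Everything else is dropped and logged; a rule like this is what
    # produces the "ipfw: 299 Deny TCP ..." lines in the poster's log.
    $fwcmd add 65000 deny log ip from any to any
}

# Count generated rules matching a pattern, to sanity-check the ruleset
# (e.g. that exactly one rule mentions 'established') before loading it.
count_rules() {
    stateful_ruleset | grep -c "$1"
}

stateful_ruleset
```

Review the echoed output first, then load it with FWCMD="ipfw -q" sh ruleset.sh; a rule number lower than the check-state rule should never be an 'allow'.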
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?094d01c5064e$b0010600$9600000a>