From owner-freebsd-ipfw Tue Nov 19 9:28:29 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28C8837B401 for ; Tue, 19 Nov 2002 09:28:27 -0800 (PST) Received: from accord.grasslake.net (accord.grasslake.net [209.98.56.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D49943E4A for ; Tue, 19 Nov 2002 09:28:26 -0800 (PST) (envelope-from swb@grasslake.net) Received: from swbgx150 (honda.grasslake.net [192.168.1.1]) by accord.grasslake.net (8.12.6/8.12.6) with SMTP id gAJHI52U004305; Tue, 19 Nov 2002 11:18:05 -0600 (CST) (envelope-from swb@grasslake.net) Message-ID: <003701c28ff1$2bd513b0$62229fc0@ad.campbellmithun.com> From: "Shawn Barnhart" To: "Luigi Rizzo" Cc: References: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com> <20021119085612.A67523@xorpc.icir.org> Subject: Re: Stateful rules Date: Tue, 19 Nov 2002 11:29:10 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG ----- Original Message ----- From: "Luigi Rizzo" To: "Shawn Barnhart" Cc: Sent: Tuesday, November 19, 2002 10:56 Subject: Re: Stateful rules > those rules do not make a lot of sense. > perhaps you should post your entire ruleset if you want us > to understand what is going on. ----- Original Message ----- From: "Luigi Rizzo" > those rules do not make a lot of sense. > perhaps you should post your entire ruleset if you want us > to understand what is going on. > No more confusing than: ipfw add check-state ipfw add allow tcp from my-subnet to any setup ipfw add deny tcp from any to any ...which is a direct cut/paste from the ipfw man page. The full ruleset on this specific machine isn't much more complicated: 00050 divert 8668 ip from any to any via xl0 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 00400 check-state 00500 allow tcp from 10.11.12.16/29 to any keep-state 00510 allow tcp from 192.168.1.0/24 to any keep-state via xl1 00600 allow udp from 10.11.12.16/29 to any keep-state 00610 allow udp from 192.168.1.0/24 to any keep-state via xl1 02000 allow log icmp from any to any 03010 allow tcp from any to 10.11.12.20 80 03020 allow tcp from any to 10.11.12.20 25 03030 allow udp from any to 10.11.12.20 53 64000 deny log ip from any to any When web browsing, some return packets hit the deny rule at the end, but with no apparent impact on the web client, even though they should have matching dynamic rules, because they're passed out initially with a keep-state rule. UDP applications (DNS, games) don't ever generate apparently failed or missing dynamic rules, even though the games generate a huge amount of udp traffic. I'm speculating that the packets are return web data because they appeared during active web browsing, had a source port of 80 and a high-numbered destination port. This particular machine has NAT enabled, but I've seen similar results on a machine with no NAT enabled. I suspected I might have been overrunning the net.inet.fw.dyn_max values, but monitoring showed I wasn't. I was also curious about the role played by net.inet.fw.dyn_buckets relative to dyn_max since the manpage isn't clear to me about this. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message