From owner-freebsd-net@FreeBSD.ORG Thu Mar 15 02:04:34 2012
From: "nyoman.bogi@gmail.com"
To: Kevin Oberman
Cc: freebsd-net@freebsd.org
Date: Thu, 15 Mar 2012 09:04:23 +0700
Subject: Re: firewall stuck
List-Id: Networking and TCP/IP with FreeBSD

thanks Kevin, this is my "ipfw show":

00100 4352617 2413620288 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 54387 5454184 allow icmp from any to any
00700 3142231 1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
00800 4659459 4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
00900 0 0 check-state
01000 137997 89083135 allow tcp from 10.1.1.28 to any setup keep-state
01100 0 0 allow tcp from 10.16.10.84 to any setup keep-state
01150 401205 276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
01200 245718 44249729 allow udp from 10.1.1.28 to any keep-state
01300 5876930 239194755 allow tcp from any to any established
01400 0 0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
01600 80945 61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
01700 0 0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
01800 149642 97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
01900 140 7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
02000 1677982 89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
02100 8996 432096 deny tcp from any to any setup
02200 244111 24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
02300 0 0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
65535 4610 1422974 deny ip from any to any

I use FreeBSD 8.2:
FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011

the problem started after I added rule 01150

On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman wrote:
> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com wrote:
> > dear guru,
> >
> > every time I open my firewall to allow SSH connections from the Internet,
> > after a few days my firewall always gets stuck. Stuck here means
> > that it denies all requests (deny any from any).
> > And after I "ipfw disable firewall" and then "ipfw enable firewall"
> > everything works fine.
> >
> > when I checked /var/log/messages I found lots of attempts by
> > people trying to connect to my machine.
> > why does my machine get stuck when lots of people try to SSH to my machine?
>
> We need a bit more information, especially your ipfw configuration. Is
> it a stateful firewall? It sounds a lot like your state table might
> be filling for some reason. Of course, if it is not a stateful
> firewall, that idea is probably wrong, though it could be a
> misconfiguration of some stateful rule that is inadvertently catching
> the SSH attempts.
>
> Have you done an 'ipfw show' to see what rules are being matched? It
> may or may not provide a clue.
> --
> R. Kevin Oberman, Network Engineer
> E-mail: kob6558@gmail.com
>

--
-------------------------------
Bogi Aditya
Sisfo - IMTelkom
http://bogi.blog.imtelkom.ac.id
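Kevin's state-table theory fits the listing above and can be checked directly. Rule 01150, like 01400 through 02300, is a keep-state rule whose source is "any", so every SYN a scanner sends installs a dynamic rule. When net.inet.ip.fw.dyn_count reaches net.inet.ip.fw.dyn_max, ipfw cannot install a new dynamic rule and denies the packet even though the rule action is allow; connections already in the table still pass, but new ones are dropped across all of the keep-state rules, which matches the "deny everything until I restart the firewall" symptom. The script below is an added example, not code from the thread or from the FreeBSD project: it lists the keep-state rules reachable from any source in an `ipfw show` listing, reports dynamic-table usage from `sysctl net.inet.ip.fw` output, and rewrites one rule to use ipfw's `limit src-addr N` instead of `keep-state` so a single brute-forcing host cannot exhaust the table. The rule listing embedded in it is copied from the post; the sysctl values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ipfw rule listing for
# keep-state rules open to "any" source and check the dynamic-rule table.
# The functions read from stdin, so on a live box they can be fed
# `ipfw show` and `sysctl net.inet.ip.fw` directly.

# Constructed input: the rule set posted in the thread.
IPFW_SHOW='00100 4352617 2413620288 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 54387 5454184 allow icmp from any to any
00700 3142231 1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
00800 4659459 4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
00900 0 0 check-state
01000 137997 89083135 allow tcp from 10.1.1.28 to any setup keep-state
01100 0 0 allow tcp from 10.16.10.84 to any setup keep-state
01150 401205 276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
01200 245718 44249729 allow udp from 10.1.1.28 to any keep-state
01300 5876930 239194755 allow tcp from any to any established
01400 0 0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
01600 80945 61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
01700 0 0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
01800 149642 97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
01900 140 7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
02000 1677982 89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
02100 8996 432096 deny tcp from any to any setup
02200 244111 24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
02300 0 0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
65535 4610 1422974 deny ip from any to any'

# Constructed sysctl snapshot (values invented): the table has hit its ceiling.
SYSCTL_FW='net.inet.ip.fw.dyn_count: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1'

# Rule numbers of keep-state rules whose source is "any": each matching SYN
# (or UDP datagram) from the Internet installs one dynamic rule. Rules that
# already use "limit" are bounded per address and are skipped.
unbounded_state_rules() {
    awk '/ keep-state/ && / from any / && !/ limit / { printf "%s%s", sep, $1; sep = " " }
         END { print "" }'
}

# Dynamic-table usage as "count/max pct status" from `sysctl net.inet.ip.fw`.
# FULL means ipfw can no longer install state: new connections matching any
# keep-state rule are denied until entries expire.
dyn_table_usage() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 + 0 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 + 0 }
        END {
            if (max <= 0) { print "dyn_max not found"; exit }
            pct = int(count * 100 / max)
            status = (count >= max) ? "FULL" : ((pct >= 80) ? "HIGH" : "ok")
            print count "/" max " " pct "% " status
        }'
}

# Emit an `ipfw add` command that re-creates rule $1 with "limit src-addr $2"
# in place of "keep-state": at most $2 simultaneous states per source address.
# Counters (fields 2 and 3) are dropped; delete the old rule before adding.
suggest_limit_rule() {
    awk -v rule="$1" -v n="$2" '$1 == rule {
        body = ""
        for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
        sub(/keep-state/, "limit src-addr " n, body)
        print "ipfw add " ($1 + 0) " " body
    }'
}

echo "keep-state rules open to any source: $(printf '%s\n' "$IPFW_SHOW" | unbounded_state_rules)"
echo "dynamic rule table: $(printf '%s\n' "$SYSCTL_FW" | dyn_table_usage)"
echo "bounded replacement for 01150: $(printf '%s\n' "$IPFW_SHOW" | suggest_limit_rule 01150 4)"
```

On the poster's 8.2 box the same checks run against live data with `ipfw show | unbounded_state_rules` and `sysctl net.inet.ip.fw | dyn_table_usage` after sourcing the file; a "Too many dynamic rules" message from ipfw in the kernel log is the other confirmation. The `limit src-addr` form caps what one scanning host can consume, while raising net.inet.ip.fw.dyn_max (and, if needed, lowering the dyn_*_lifetime values) raises the ceiling itself; since `ipfw add` with an existing number appends a second rule under that number, run `ipfw delete 1150` before adding the replacement.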