Date:      Fri, 4 Apr 2008 01:40:59 +0200
From:      Erik Trulsson <ertr1013@student.uu.se>
To:        Ivan Voras <ivoras@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Trouble with IPFW or TCP?
Message-ID:  <20080403234059.GA53417@owl.midgard.homeip.net>
In-Reply-To: <ft3phn$ai3$1@ger.gmane.org>
References:  <ft3phn$ai3$1@ger.gmane.org>

On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> In which case would an ipfw ruleset like this:
> 
> 00100 114872026  40487887607 allow ip from any to any via lo0
> 00200         0            0 deny ip from any to 127.0.0.0/8
> 00300         0            0 deny ip from 127.0.0.0/8 to any
> 00600      1585       112576 deny ip from table(0) to me
> 01000     90279      7325972 allow icmp from any to any
> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> 05100    634155     65779377 allow udp from me to any keep-state
> 06022    409604     69177326 allow tcp from any to me dst-port 22 setup keep-state
> 06080  52159025  43182548092 allow tcp from any to me dst-port 80 setup keep-state
> 06443   6392366   2043532158 allow tcp from any to me dst-port 443 setup keep-state
> 07020    517065    292377553 allow tcp from any to me dst-port 8080 setup keep-state
> 65400  12273387    629703212 deny log ip from any to any
> 65535         0            0 deny ip from any to any

If you are using 'keep-state', should there not also be some rule containing
'check-state'?


> 
> Generate syslog messages like these:
> 
> Apr  4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:60725 my.ip.my.ip:443 in via em0
> Apr  4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387 my.ip.my.ip:443 in via em0
> Apr  4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387 

[snip]


-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
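The quoted ruleset only lets inbound TCP to ports 22/80/443/8080 through on `setup` (SYN) packets, so a mid-stream packet to one of those ports is accepted only if a dynamic state exists for it; otherwise it falls through to the logging catch-all at rule 65400. The following Python helper, an added example that is not part of this thread nor of FreeBSD's own tooling, parses ipfw syslog lines of the shape quoted above, aggregates the denials by rule, protocol, destination port and interface, and counts how many inbound TCP packets destined for a "service" port were logged by the final deny rule instead of being matched by their `setup keep-state` rule. The sample log lines are constructed (documentation addresses 192.0.2.0/24 and 198.51.100.0/24 stand in for the masked `xx.xx.xx.xx` and `my.ip`), the ICMP line assumes ipfw's `ICMP:type.code` log format, and the port-to-rule mapping is taken from the ruleset quoted in the message:

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Pattern for the ipfw syslog format seen in the thread:
#   "... kernel: ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <ifname>"
# Ports are optional so that ICMP lines (which carry no ports) still parse.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))? (?P<dst>[^\s:]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample log (not from the original message); addresses are RFC 5737
# documentation ranges. The ICMP line's "ICMP:8.0" (type.code) format is assumed.
SAMPLE_LOG = """\
Apr  4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP 192.0.2.10:60725 198.51.100.5:443 in via em0
Apr  4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP 192.0.2.10:57387 198.51.100.5:443 in via em0
Apr  4 01:02:07 my.ip kernel: ipfw: 65400 Deny TCP 192.0.2.44:40012 198.51.100.5:80 in via em0
Apr  4 01:02:08 my.ip kernel: ipfw: 65400 Deny UDP 192.0.2.77:5353 198.51.100.5:5353 in via em0
Apr  4 01:02:09 my.ip kernel: ipfw: 65400 Deny ICMP:8.0 192.0.2.99 198.51.100.5 in via em0
Apr  4 01:02:09 my.ip kernel: some unrelated kernel message
"""

# dst-port -> rule number that should have accepted it, from the quoted ruleset.
SERVICE_RULES: Dict[int, int] = {22: 6022, 80: 6080, 443: 6443, 8080: 7020}
FINAL_DENY_RULE = 65400


def parse_ipfw_line(line: str) -> Optional[dict]:
    """Return the fields of one ipfw log line, or None if the line is not an ipfw log line."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize_denies(lines: Iterable[str]) -> Counter:
    """Count Deny entries keyed by (rule, proto, dport, direction, iface)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"].lower() != "deny":
            continue
        key: Tuple = (rec["rule"], rec["proto"], rec["dport"], rec["direction"], rec["iface"])
        counts[key] += 1
    return counts


def services_hitting_final_deny(
    lines: Iterable[str],
    service_rules: Dict[int, int] = SERVICE_RULES,
    final_rule: int = FINAL_DENY_RULE,
) -> Dict[int, int]:
    """For each service port, count inbound TCP packets logged by the catch-all deny rule.

    Because the service rules only match 'setup' packets, anything counted here was a
    non-SYN packet for which no dynamic (keep-state) entry matched: the symptom the
    thread is discussing and the reason to look at where check-state sits in the ruleset.
    """
    hits = {port: 0 for port in service_rules}
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        if (rec["rule"] == final_rule and rec["action"].lower() == "deny"
                and rec["proto"] == "TCP" and rec["direction"] == "in"
                and rec["dport"] in hits):
            hits[rec["dport"]] += 1
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize_denies(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  rule={key[0]} proto={key[1]} dport={key[2]} {key[3]} via {key[4]}")
    print("service ports reaching the final deny:", services_hitting_final_deny(lines))
```

Run it against a real `/var/log/security` (FreeBSD's default destination for ipfw log messages) by reading the file line by line into `summarize_denies`; a steadily non-zero count for a port that has a `setup keep-state` rule is the thing to investigate, since those packets should have been matched by a dynamic entry rather than reaching rule 65400.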


