Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 11 Apr 2003 07:55:34 -0700 (PDT)
From:      "Earl A. Killian" <>
Subject:   dynamic rules, FIN lifetime
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
I am looking for suggestions on how to debug a firewall that uses
dynamic rules and is generating some log messages that I don't expect.

Briefly, I have the following snippet for packets orginating on the
firewall host being output on the external interface xl1:

  add 3100 check-state
  add 3200 allow udp from any to any domain,ntp,kerberos,6277 keep-state
  add 3300 allow udp from any to any 33434-33494 keep-state
  add 3400 allow tcp from any to any setup keep-state
  add 3500 allow icmp from any to any keep-state
  add 3600 deny log all from any to any

I am seeing ipfw log messages in /var/log/security such as
  Apr 11 00:08:11 gate /kernel: ipfw: 3600 Deny TCP out via xl1 
  Apr 11 00:08:42 gate last message repeated 4 times 
  Apr 11 00:09:09 gate /kernel: ipfw: 3600 Deny TCP out via xl1 
  Apr 11 00:09:14 gate /kernel: ipfw: 3600 Deny TCP out via xl1 

I picked the above because it is for SMTP, and so I can correlate with
/var/log/maillog.  (I run smtpd on port 25, not sendmail, so the log
format may be unfamiliar.)

  Apr 11 00:08:07 gate smtpd[61280]: SMTP HELO from as "" 
  Apr 11 00:08:07 gate smtpd[61280]: mail from <> 
  Apr 11 00:08:08 gate smtpd[61280]: smtp connection from MAIL FROM: <> RCPT TO: <EXCISED@EXCISED>, allowed by line 127 of /etc/smtpd_check_rules 
  Apr 11 00:08:08 gate smtpd[61280]: Recipient <EXCISED@EXCISED> 
  Apr 11 00:08:09 gate smtpd[61280]: Received 26296 bytes of message body from 

This was a spam delivery, as you might guess, but it is coming through
earthlink, so it should be a reasonable SMTP implementation.  The
message was delivered to the recipient (email address excised above
for privacy).  So it appears at 00:08:07 a SMTP connection was started
and it finished at 00:08:09 from the point of veiw of the application.
At 00:08:11 the firewall started rejecting packets the gateway was
still trying to send to the other side.  Is this because the host
tried to retransmit the FIN or something?  Note that
  net.inet.ip.fw.dyn_fin_lifetime: 1
is set to the default value.  Is this just too short?  If so, why
don't I see it when I run firewall_type=simple?

Comments?  Suggestions?

Want to link to this message? Use this URL: <>