From: Russell Fulton
Date: Thu, 30 Aug 2007 18:19:34 +1200
To: freebsd-ipfw@freebsd.org
Subject: getting state to work properly
List-Id: IPFW Technical Discussions
Message-ID: <46D66176.9020300@auckland.ac.nz>

Hi Folks,

I have a fair bit of experience with firewalls, particularly pf and also iptables, but I have never played with ipfw before.
I have the ipfw man page and some of the FreeBSD tutorial stuff to consult -- all looks pretty straightforward.

I have inherited an ipfw firewall which I am trying to make some changes to. The current rule set does not use state and is very difficult to understand, as filtering is being done on many interfaces (four VLANs representing the 'inside' and one physical interface being the 'outside'). In an attempt to impose some order I rewrote the rule set from scratch, doing all the real filtering on the external interface and using state to keep track of connections. Today I had a two hour outage to try and make it work and totally failed. (I'm not really surprised...)

My first question is "is there any way of maintaining state over a rule reload?" One way of doing it would be to change the rule set number of the running rule set before loading the new rules. Is this possible? But this is in the "it would be nice" category.

More importantly, I failed to make the state stuff work. State gets created -- ipfw -ad show shows the dynamic rules with numbers in both counters, but the returning packets never appear on either the inbound or outbound interfaces (according to tcpdump). I have log logamount 0 on *all* denies but nothing is logged. I know, from monitoring traffic outside the firewall, that the original packets are coming out and replies are being sent to the firewall, where they silently vanish.

Any ideas appreciated. My gut feeling is that I'm missing something basic. If anyone wants to have a look at the rule set I'm happy to mail it to them, but I don't want it appearing in a public mail archive ;)

Thanks,
Russell.
ISO, The University of Auckland, New Zealand.