Date: Fri, 18 Sep 1998 23:14:36 -0600
From: "Aaron D. Gifford" <agifford@infowest.com>
To: questions@FreeBSD.ORG
Subject: ipfw, fetch, "sendmsg: Permission denied", and tcpflag FIN weirdness - Answers anyone???
Message-ID: <36033DBC.8E2C96E5@infowest.com>
Here's a fun one for y'all. Why does every TCP program I've used thus far work perfectly except for /usr/bin/fetch for fetching files with the HTTP protocol, UNLESS I add an additional line to my rc.firewall config to permit outgoing tcp packets with the FIN flag set? Why fetch and nothing else? I've used telnet to grab web pages without the line. I've used perl scripts to grab web files as well using HTTP. Only fetch screams.

Here's an example WITHOUT the extra FIN line in my rc.firewall config:

# fetch http://www.some-site-somewhere.com/blah.gif
fetch: sendmsg: www.some-site-somewhere.com: Permission denied
# ipfw add 1450 permit tcp from <<my-ip-address>> to any out via tun0 tcpflag fin
01450 allow tcp from <<my-ip-address>> to any out xmit tun0 tcpflg fin
# fetch http://www.some-site-somewhere.com/blah.gif
Receiving blah.gif (2156 bytes): 100%
2156 bytes transfered in 0.2 seconds (12.28 Kbytes/s)

Weird. Anyway, here's the system in question:

System: P166 SCSI-based system
OS: 2.2.7-STABLE as of 25 July 1998
Program: /usr/bin/fetch and the ipfw_mod.o LKM both updated as of 25 July 1998
Network: Userland PPP connection via modem to my ISP

PORTION of /etc/rc.firewall:
============================

# Pass all localhost traffic via the loopback interface:
/sbin/ipfw add pass all from any to any via ${loop}

# Deny spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.0/8 to any
/sbin/ipfw add deny log all from any to 127.0.0.0/8
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Deny everything else via the loopback:
/sbin/ipfw add deny all from any to any via ${loop}

# Pass established TCP connections:
/sbin/ipfw add pass tcp from any to ${ip} in via ${extern} established
/sbin/ipfw add pass tcp from ${ip} to any out via ${extern} established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

###### STRANGE WEIRD FIN work-around so fetch will work:
$fwcmd add pass tcp from ${ip} to any tcpflag fin

# Pass new incoming HTTP connections:
/sbin/ipfw add pass tcp from any to ${ip} 80 in via ${extern} setup

# Deny all other TCP packets:
/sbin/ipfw add deny log tcp from any to any

<<additional /etc/rc.firewall config snipped>>

Thanks for any/all comments.

Aaron out.
www.eq.net