From owner-freebsd-ipfw Wed Nov 15 9: 7:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.biographix.com (unknown [207.236.111.133]) by hub.freebsd.org (Postfix) with ESMTP id E0F8C37B479 for ; Wed, 15 Nov 2000 09:07:09 -0800 (PST)
Received: from bottleneck2000 ([192.168.1.12]) by mail.biographix.com (8.11.1/8.11.1) with SMTP id eAFH7ta49858 for ; Wed, 15 Nov 2000 12:07:56 -0500 (EST)
Message-ID: <01cc01c04f26$f68bc300$0c01a8c0@bottleneck2000>
From: "Elliott Perrin"
To:
Subject: Stateful rules
Date: Wed, 15 Nov 2000 12:10:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Quick question about the keep-state and check-state options in ipfw. I have been playing with stateful inspection on a test box and was wondering why I am getting no counter values associated with the check-state rule on this machine. Loads of counter values on the keep-state rules but none on the check-state. So I was wondering if this is "normal" or if there is something I am missing.

The rules are as follows (this is not a live server, I just want to see stateful in action of some sort first on this test box):

    100 check-state
    200 allow tcp from any to any 80
    300 allow tcp from any to any 25 keep-state
    400 allow tcp from any to any 110 keep-state
    500 allow tcp from any to any 119 keep-state

The counters for 300 - 500 are increasing in a manner I would expect, but the counters for rule 100 stay the exact same, 0 and 0.

I also noticed that when I had the rule

    150 deny tcp from any to any established

all connections to POP3 and SMTP are being denied, yet I thought that the check-state rule would allow this. I tried using setup in the same ruleset for the keep-state options and got the same result.
eperrin@bigorbit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Nov 15 12:12:24 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 08B1637B479 for ; Wed, 15 Nov 2000 12:12:18 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.9.3/8.9.3) id MAA00340; Wed, 15 Nov 2000 12:12:08 -0800 (PST) (envelope-from rizzo)
From: Luigi Rizzo
Message-Id: <200011152012.MAA00340@iguana.aciri.org>
Subject: Re: Stateful rules
In-Reply-To: <01cc01c04f26$f68bc300$0c01a8c0@bottleneck2000> from Elliott Perrin at "Nov 15, 2000 12:10:31 pm"
To: eperrin@bigorbit.com (Elliott Perrin)
Date: Wed, 15 Nov 2000 12:12:08 -0800 (PST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Quick question about the keep-state and check-state options
> in ipfw. I have been playing with stateful inspection on a
> test box and was wondering why I am getting no counter
> values associated with the check-state rule on this machine.
> Loads of counter values on the keep-state rules but none on
> the check-state. So I was wondering if this is "normal" or

this is the intended behaviour -- a dynamic rule increments the counters for the "parent" rule only.

> if there is something I am missing.
> The rules are as follows
> (this is not a live server, I just want to see stateful in
> action of some sort first on this test box)
>
> 100 check-state
> 200 allow tcp from any to any 80
> 300 allow tcp from any to any 25 keep-state
> 400 allow tcp from any to any 110 keep-state
> 500 allow tcp from any to any 119 keep-state
>
> The counters for 300 - 500 are increasing in a manner I
> would expect, but the counters for rule 100 stay the exact
> same, 0 and 0.
>
> I also noticed that when I had the rule
>
> 150 deny tcp from any to any established
>
> all connections to POP3 and SMTP are being denied, yet I

this sounds strange. no idea.

luigi
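The accounting Luigi describes above (a hit on a dynamic rule is charged to the keep-state rule that created it, so the check-state rule itself stays at 0 and 0) and the effect of where a `deny ... established` rule sits relative to check-state, modelled as an added Python example. This is not ipfw's code and is not part of the thread; it models only ordered rule evaluation, the `established` (ACK or RST set) and `setup` (SYN without ACK) flag tests, state creation by keep-state and state lookup by check-state, and runs the thread's ruleset over a constructed SMTP session. The default rule 65535 is assumed to deny, and the addresses and ports are made up. The model follows the intended semantics only, so it does not reproduce Elliott's observation of rule 150 denying POP3 and SMTP; what it does show is that the same rule placed before check-state would deny every reply packet.

```python
"""Toy model of ipfw stateful matching and counter accounting (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    length: int = 60


@dataclass
class Rule:
    num: int
    action: str                   # 'allow', 'deny' or 'check-state'
    dport: Optional[int] = None   # "tcp from any to any <dport>"; None = any port
    keep_state: bool = False      # create a dynamic rule on match
    established: bool = False     # ipfw 'established': ACK or RST set
    setup: bool = False           # ipfw 'setup': SYN set, ACK clear
    pkts: int = 0
    bytes: int = 0

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn: Dict[tuple, Rule] = {}   # flow key -> parent (keep-state) rule

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-insensitive key so replies match the state the SYN created.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == 'check-state':
                parent = self.dyn.get(self._key(p))
                if parent is None:
                    continue   # no state for this flow: keep walking the ruleset
                # Dynamic-rule hit: counters go to the parent, check-state stays 0/0.
                parent.pkts += 1
                parent.bytes += p.length
                return parent.action
            if not r.matches(p):
                continue
            r.pkts += 1
            r.bytes += p.length
            if r.keep_state:
                self.dyn[self._key(p)] = r
            return r.action
        return 'deny'   # assumption: default rule 65535 denies

    def counters(self) -> Dict[int, int]:
        return {r.num: r.pkts for r in self.rules}


def thread_ruleset(extra: Tuple[Rule, ...] = ()) -> List[Rule]:
    """The ruleset from the thread, plus any extra rules under test."""
    return [Rule(100, 'check-state'),
            Rule(200, 'allow', dport=80),
            Rule(300, 'allow', dport=25, keep_state=True),
            Rule(400, 'allow', dport=110, keep_state=True),
            Rule(500, 'allow', dport=119, keep_state=True)] + list(extra)


def smtp_session(fw: Firewall) -> List[str]:
    """Constructed SMTP flow: three-way handshake, banner, EHLO."""
    c, s = ('192.0.2.10', 40000), ('192.0.2.25', 25)
    pkts = [Packet(*c, *s, syn=True),
            Packet(*s, *c, syn=True, ack=True),
            Packet(*c, *s, ack=True),
            Packet(*s, *c, ack=True, length=120),   # server banner
            Packet(*c, *s, ack=True, length=80)]    # client EHLO
    return [fw.process(p) for p in pkts]


def run_scenario(extra: Tuple[Rule, ...] = ()) -> Tuple[List[str], Dict[int, int]]:
    fw = Firewall(thread_ruleset(extra))
    return smtp_session(fw), fw.counters()


if __name__ == '__main__':
    print('thread ruleset        ', run_scenario())
    print('150 deny established  ', run_scenario((Rule(150, 'deny', established=True),)))
    print('50 deny established   ', run_scenario((Rule(50, 'deny', established=True),)))
```

With the thread's ruleset every packet of the session is allowed and all five hits land on rule 300 while rule 100 reads 0; adding rule 150 after check-state changes nothing in this model, because the reply packets are matched by check-state first; moving the same deny to 50, ahead of check-state, lets only the initial SYN through.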