Date: Tue, 7 Sep 2004 05:36:00 -0700 (PDT)
From: George S <c0sine@yahoo.com>
To: Ian FREISLICH <if@hetzner.co.za>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue
Message-ID: <20040907123600.11325.qmail@web40405.mail.yahoo.com>
In-Reply-To: <E1C4aGe-0005bD-00@hetzner.co.za>
Hi Ian,

Thanks for your response. Yes, the behaviour is exactly as I describe. What happens is that on its way back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw to check all dynamic rules implicitly (as per the ipfw manpage). Since the SYN+ACK packet is part of a recently set up connection, there is a skipto to rule #10. Rule #10 does not match because the SRC/DST are not correct, so it then passes to rule #11, which does match (and its counters are updated). The problem is that the packet never finds itself on the fxp0 wire.

I will give your check-state suggestion a try, but I think the check-state is implicit within rule #1.

Kindest regards,
George

--- Ian FREISLICH <if@hetzner.co.za> wrote:
> George S wrote:
> > Hello all,
> >
> > I've been having some trouble with this strange ipfw configuration and I am
> > pretty sure it is probably a bug. I posted a note to freebsd-ipfw a little
> > while ago, but I think the problem is better demonstrated with a figure.
> > http://www.geocities.com/c0sine/fbsdipfw.gif
>
> Are you sure that you performed the test you described and the results
> (count updated etc) actually occurred? I would expect rule 9 to
> catch the packet on its way back and rule 11 never to be triggered.
>
> Maybe rule 9 should be a checkstate rule.
>
> Ian
>
> --
> Ian Freislich