From owner-freebsd-ipfw@FreeBSD.ORG  Tue Sep  7 12:36:01 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2BAE516A4CE
	for <freebsd-ipfw@freebsd.org>; Tue,  7 Sep 2004 12:36:01 +0000 (GMT)
Received: from web40405.mail.yahoo.com (web40405.mail.yahoo.com
	[66.218.78.102])	by mx1.FreeBSD.org (Postfix) with SMTP id E9FB343D39
	for <freebsd-ipfw@freebsd.org>; Tue,  7 Sep 2004 12:36:00 +0000 (GMT)
	(envelope-from c0sine@yahoo.com)
Message-ID: <20040907123600.11325.qmail@web40405.mail.yahoo.com>
Received: from [69.196.154.220] by web40405.mail.yahoo.com via HTTP;
	Tue, 07 Sep 2004 05:36:00 PDT
Date: Tue, 7 Sep 2004 05:36:00 -0700 (PDT)
From: George S <c0sine@yahoo.com>
To: Ian FREISLICH <if@hetzner.co.za>
In-Reply-To: <E1C4aGe-0005bD-00@hetzner.co.za>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue 
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2004 12:36:01 -0000

Hi Ian,

Thanks for your response.

Yes, the behaviour is exactly as I describe. What happens is that on its way
back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
to check all dynamic rules implicitly (as per the ipfw manpage).

Since the SYN+ACK packet is part of a recently setup connection, there is a
skipto to rule #10. Rule #10 does not match because there SRC/DST are not
correct, so it then passes to rule #11, which does match (and its counters
are updated).

The problem is that the packet never finds itself on the fxp0 wire. I will
give your check-state suggestion a try but I think the check-state is
implicit within rule #1.

Kindest regards,

George


--- Ian FREISLICH <if@hetzner.co.za> wrote:

> George S wrote:
> > Hello all,
> > 
> > I've been having some trouble with this strange ipfw configuration and I
> am
> > pretty sure it is probably a bug. I posted a note to freebsd-ipfw a
> little
> > while ago, but I think the problem is better demonstrated with a figure.
> http://www.geocities.com/c0sine/fbsdipfw.gif
> Are you sure that you perormed the test you described and the results
> (count updated etc) actually occured?  I would expect rule 9 to
> catch the packet on its way back and rule 11 never to be triggered.
> 
> Maybe rule 9 should be a checkstate rule.
> 
> Ian
> 
> --
> Ian Freislich
> 



		
_______________________________
Do you Yahoo!?
Express yourself with Y! Messenger! Free. Download now. 
http://messenger.yahoo.com