Date: Tue, 07 Sep 2004 17:03:07 +0200
From: Ian FREISLICH <if@hetzner.co.za>
To: George S <c0sine@yahoo.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue
Message-ID: <E1C4hUx-0007tW-00@hetzner.co.za>
In-Reply-To: Your message of "Tue, 07 Sep 2004 05:36:00 MST." <20040907123600.11325.qmail@web40405.mail.yahoo.com>
George S wrote:
> Hi Ian,
>
> Thanks for your response.
>
> Yes, the behaviour is exactly as I describe. What happens is that on its way
> back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
> 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
> to check all dynamic rules implicitly (as per the ipfw manpage).
>
> Since the SYN+ACK packet is part of a recently set up connection, there is a
> skipto to rule #10. Rule #10 does not match because the SRC/DST are not
> correct, so it then passes to rule #11, which does match (and its counters
> are updated).
>
> The problem is that the packet never finds itself on the fxp0 wire. I will
> give your check-state suggestion a try, but I think the check-state is
> implicit within rule #1.

I thought you had to explicitly state the check-state.

Anyway, I've just noticed that your last rule is #65655, which is higher than
the max for an unsigned short. Depending on how this overflow is handled, you
might get odd behaviour. This might just result in the packet being denied
by the default deny rule on the way out of fxp0. Try adding a rule just
before the default deny to log matches. It's almost always useful to do this
anyway when playing with the ruleset until everything works.

I would have done the rules as follows:

ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65534 allow ip from any to any

Is there any particular reason for wanting a stateful firewall in this case?

Ian

-- 
Ian Freislich
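The two points Ian raises, a rule number that does not fit in ipfw's 16-bit rule space and a catch-all rule with no log rule in front of it, are both things you can catch by reading the ruleset before loading it. The following is an added example, not part of the thread and not FreeBSD's own tooling: a small Python lint over `ipfw add` lines. The sample rulesets are constructed for the example; the first only approximates the ruleset George describes (rule #1 with keep-state and skipto, fwd rules at #10/#11, a final rule numbered 65655), the second is the three rules from the reply. Valid ipfw rule numbers are 1..65534 (65535 is the fixed default rule), and a `skipto` only skips rules numbered below its target, so a backward target skips nothing.

```python
"""Lint an ipfw ruleset (text of `ipfw add N ...` lines) for the problems
discussed in the thread. Added example; not from the original message and
not part of FreeBSD's ipfw."""
import re

# `ipfw add <number> <rest of rule>`; leading zeros in the number are fine.
RULE_RE = re.compile(r"^\s*ipfw\s+add\s+(\d+)\s+(.+?)\s*$")
SKIPTO_RE = re.compile(r"\bskipto\s+(\d+)")

# ipfw rule numbers are unsigned 16-bit; 65535 is the built-in default rule
# and cannot be added, so user rules live in 1..65534.
MAX_RULE = 65534

# Constructed approximation of the ruleset discussed in the thread.
SAMPLE_RULESET = """\
ipfw add 00001 skipto 10 tcp from any to any keep-state
ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00011 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65655 deny ip from any to any
"""

# The stateless version suggested in the reply.
SUGGESTED_RULESET = """\
ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65534 allow ip from any to any
"""


def parse_rules(text):
    """Return [(number, body), ...] for every `ipfw add` line, in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def lint_ruleset(text):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    rules = parse_rules(text)

    for num, body in rules:
        # Rule numbers beyond 16 bits cannot be represented by ipfw; whatever
        # the tool does with them (truncate, reject) is not what you wrote.
        if not 1 <= num <= MAX_RULE:
            findings.append(
                f"rule {num}: number outside 1..{MAX_RULE} "
                f"(ipfw rule numbers are 16-bit; 65535 is the default rule)")
        # skipto skips subsequent rules numbered below the target, so a
        # target at or below the rule's own number is a no-op.
        m = SKIPTO_RE.search(body)
        if m and int(m.group(1)) <= num:
            findings.append(
                f"rule {num}: skipto {m.group(1)} is not a forward jump "
                f"and skips nothing")

    # Debugging aid from the reply: a log rule immediately before the final
    # catch-all shows which packets fall through all the specific rules.
    if rules:
        last_num, last_body = rules[-1]
        if "from any to any" in last_body:
            prev_logs = (len(rules) > 1
                         and re.search(r"\blog\b", rules[-2][1]) is not None)
            if not prev_logs:
                findings.append(
                    f"rule {last_num}: catch-all rule is not preceded by a "
                    f"log rule; add `ipfw add {last_num - 1} count log ip "
                    f"from any to any` style rule to see what reaches it")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULESET),
                       ("suggested", SUGGESTED_RULESET)):
        print(f"== {name} ==")
        for f in lint_ruleset(text) or ["clean"]:
            print(" ", f)
```

Run on a saved copy of your ruleset (`sed -n '/^ipfw add/p' /etc/ipfw.rules`) before loading it; the out-of-range check is the one that would have caught the 65655 rule in the thread immediately.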