From owner-freebsd-security Thu Oct 3 02:05:34 2002
Delivered-To: freebsd-security@freebsd.org
Message-Id: <200210030905.g9395RY99870@www.wsf.at>
Date: Thu, 3 Oct 2002 09:05:27 -0000
To: "Aragon Gouveia"
Subject: Re: ipfw failing to "check-state"
From: "Thomas Wolf"
X-Mailer: TWIG 2.6.2
In-Reply-To: <20021003080725.GF46789@phat.za.net>

Aragon Gouveia schrieb:
> Hi,
>
> I've recently installed 4.7-RC from sources. I'm having difficulty getting
> dynamic rules working with ipfw. Here is the output from 'ipfw -d show':
>
> 00100 0 0 check-state
> 01000 574 354032 allow tcp from any to 66.8.x.y 25 keep-state setup
> 65535 11589448 7623002626 allow ip from any to any
> ## Dynamic rules:
> 01000 397 312298 (T 299, slot 77) <-> tcp, 66.8.x.y 32145<-> 66.8.x.y 25
> 01000 13 572 (T 297, slot 97) <-> tcp, 196.26.x.y 1781<-> 66.8.x.y 25
> 01000 5 216 (T 297, slot 187) <-> tcp, 196.36.x.y 1525<-> 66.8.x.y 25
> 01000 21 1566 (T 299, slot 196) <-> tcp, 66.8.x.y 3794<-> 66.8.x.y 25
>
> As can be seen above, no traffic is matching rule 100 as it should. If it
> weren't for my default allow rule, smtp connections would not work to the
> machine specified in rule 1000.
>
> I'm using IPFW1, not IPFW2. I posted to questions@ yesterday but have
> received no response so far. This looks very much like an ipfw bug but I
> wanted to confirm it here before PR'ing. Has anyone else experienced this?
>
> Thanks,
> Aragon

Hi,

Are you sure the traffic from 66.8.x.y 25 would be blocked without your
default rule? Regarding the counter on rule 100, AFAIR ipfw did (does) never
increment on the check-state rule but on the 'parent' rule. From your
example, everything looks just fine and the temporary rules seem to be ok.

Try adding

1001 count tcp from 66.8.x.y 25 to any

I am sure you will never see traffic at this point.

regards,
Thomas

P.S.: I just tried:

00001 check-state
00002 allow tcp from any to 212.16.37.103 25 keep-state setup
00003 deny ip from any to any via ed0

and it worked just fine. The only difference is that I am running 4.6.2

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
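A toy model of the check-state/keep-state accounting described in the reply above, added here as an illustration and not code from the thread or from FreeBSD's ipfw. The ruleset mirrors the quoted 'ipfw -d show' output plus the suggested 1001 count rule; the addresses (kept masked as on the page) and the three-packet SMTP handshake are constructed, and the returned counters show the predicted behaviour: rule 100 and rule 1001 stay at zero while every hit, including the return traffic, is booked on rule 1000.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple('Packet', 'proto src sport dst dport syn', defaults=(False,))  # syn: TCP 'setup'

@dataclass
class Rule:
    number: int
    action: str                                # 'check-state', 'allow', 'count' or 'deny'
    match: dict = field(default_factory=dict)  # partial match on proto/src/sport/dst/dport/setup
    keep_state: bool = False
    pcnt: int = 0                              # packet counter, the column 'ipfw show' prints

def flow_key(p):
    # One key for both directions, like an ipfw dynamic rule ('<->' in 'ipfw -d show').
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def static_match(r, p):
    return (all(r.match.get(k, getattr(p, k)) == getattr(p, k) for k in Packet._fields[:5])
            and (not r.match.get('setup') or p.syn))

class Firewall:
    def __init__(self, rules):
        self.rules, self.dynamic = rules, {}   # dynamic: flow_key -> parent Rule

    def check(self, p):
        for r in self.rules:
            if r.action == 'check-state':
                parent = self.dynamic.get(flow_key(p))
                if parent is None:
                    continue              # no dynamic entry: fall through, counter untouched
                parent.pcnt += 1          # the hit is booked on the parent rule, not on check-state
                return parent.action
            if not static_match(r, p):
                continue
            r.pcnt += 1
            if r.keep_state:
                self.dynamic[flow_key(p)] = r
            if r.action != 'count':       # count rules never terminate the search
                return r.action
        return 'deny'

def demo():
    # Constructed replay: the quoted ruleset, the suggested 1001 count rule, one SMTP handshake.
    fw = Firewall([Rule(100, 'check-state'),
                   Rule(1000, 'allow', {'proto': 'tcp', 'dst': '66.8.x.y', 'dport': 25, 'setup': True}, keep_state=True),
                   Rule(1001, 'count', {'proto': 'tcp', 'src': '66.8.x.y', 'sport': 25}),
                   Rule(65535, 'allow')])
    verdicts = [fw.check(Packet('tcp', '196.26.x.y', 1781, '66.8.x.y', 25, syn=True)),  # client SYN
                fw.check(Packet('tcp', '66.8.x.y', 25, '196.26.x.y', 1781)),            # server reply
                fw.check(Packet('tcp', '196.26.x.y', 1781, '66.8.x.y', 25))]            # client ACK
    return verdicts, {r.number: r.pcnt for r in fw.rules}
```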