From: Aragon Gouveia <aragon@geek.sh>
Date: Thu, 3 Oct 2002 11:38:35 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw failing to "check-state"
Message-ID: <20021003093835.GG46789@phat.za.net>
In-Reply-To: <200210030905.g9395RY99870@www.wsf.at>
References: <20021003080725.GF46789@phat.za.net> <200210030905.g9395RY99870@www.wsf.at>
User-Agent: Mutt/1.4i
X-Operating-System: FreeBSD 4.6-RC i386

| By Thomas Wolf | [ 2002-10-03 11:05 +0200 ]
> Are you sure the traffic from 66.8.x.y 25 would be blocked without
> your default rule? Regarding the counter on rule 100,
> AFAIR ipfw did (does) never increment on the check-state rule but
> on the 'parent' rule. From your example, everything looks just fine
> and the temporary rules seem to be ok. Try adding
>
>   1001 count tcp from 66.8.x.y 25 to any
>
> I am sure you will never see traffic at this point.

I think you're right. I added the count rule after the keep-state rule and the counters didn't increment. I can't check with a deny just yet, but in theory traffic shouldn't be blocked. I must have been doing something braindead yesterday that caused connections to be blocked.

I assumed it was a problem with check-state when the counters weren't incrementing. :)

Thanks,
Aragon
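The diagnostic Thomas suggests, written out as an added example (not code from either poster): on FreeBSD 4.x ipfw, packets matched by a dynamic rule are counted against the keep-state "parent" rule that created the entry, not against the check-state rule, so the check-state counter staying at zero proves nothing. A `count` rule placed directly after the keep-state rule is the real probe: if its counter moves, reply packets are falling through the state table. The ruleset, the `ipfw -a list` output and the address 192.0.2.10 (standing in for the thread's 66.8.x.y) are all constructed here; the script only prints the rules and parses sample counters, so it runs without ipfw installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Shows how to verify
# that check-state is matching return traffic when its own counter
# never increments: probe with a 'count' rule after the keep-state rule.

# Ruleset in ipfw(8) file syntax (one command per line, no "ipfw" prefix).
# 192.0.2.10 is a constructed placeholder for the remote mail server.
ruleset() {
    cat <<'EOF'
add 100 check-state
add 1000 allow tcp from any to 192.0.2.10 25 keep-state
add 1001 count tcp from 192.0.2.10 25 to any
add 65000 deny log ip from any to any
EOF
}

# Constructed 'ipfw -a list' output in the 4.x column layout:
#   rule  packets  bytes  body
# The parent rule 1000 has counted the session; check-state (100) and the
# probe rule (1001) stay at zero, which is the healthy picture.
sample_counters() {
    cat <<'EOF'
00100        0        0 check-state
01000       14     2210 allow tcp from any to 192.0.2.10 25 keep-state
01001        0        0 count tcp from 192.0.2.10 25 to any
65000        0        0 deny log ip from any to any
65535        3      180 deny ip from any to any
EOF
}

# packets_for RULE: print the packet counter of RULE from counter output on stdin.
packets_for() {
    awk -v r="$1" '$1 == r { print $2; exit }'
}

# diagnose: read 'ipfw -a list' style output on stdin and classify it.
#   leak         - the probe rule (1001) counted packets: replies from port 25
#                  were NOT matched by check-state and would hit the deny rule
#   stateful-ok  - parent rule (1000) counted traffic and the probe saw none
#   no-traffic   - nothing matched either rule yet
diagnose() {
    out=$(cat)
    parent=$(printf '%s\n' "$out" | packets_for 01000)
    probe=$(printf '%s\n' "$out" | packets_for 01001)
    if [ "${probe:-0}" -gt 0 ]; then
        echo leak
    elif [ "${parent:-0}" -gt 0 ]; then
        echo stateful-ok
    else
        echo no-traffic
    fi
}

ruleset
sample_counters | diagnose
```

On a real host the `ruleset` output is what you would feed to ipfw(8) and `ipfw -a list` replaces `sample_counters`; the point of the probe rule is that its counter, not the check-state counter, is the number to watch before swapping `count` for `deny`.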