From owner-freebsd-questions Tue Jan 22 18:18:53 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail8.mgfairfax.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 0C65E37B404 for ; Tue, 22 Jan 2002 18:18:48 -0800 (PST)
Received: from there ([24.163.113.25]) by mail8.mgfairfax.rr.com with Microsoft SMTPSVC(5.5.1877.687.68); Tue, 22 Jan 2002 20:27:57 -0500
Content-Type: text/plain; charset="iso-8859-1"
From: Ray Kohler
To: Scott Nolde
Subject: Re: Some questions about ipfw
Date: Tue, 22 Jan 2002 20:31:12 -0500
X-Mailer: KMail [version 1.3.2]
Cc:
References: <20020122200126.A48937-100000@bsd.smnolde.com>
In-Reply-To: <20020122200126.A48937-100000@bsd.smnolde.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <097f55727011712FE8@mail8.mgfairfax.rr.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tuesday 22 January 2002 08:04 pm, Scott Nolde wrote:
> Thus sayeth the previous author:
> >Date: Tue, 22 Jan 2002 19:33:06 -0500
> >From: Ray Kohler
> >To: freebsd-questions@FreeBSD.ORG
> >Subject: Some questions about ipfw
> >
> >I have 3 questions:
> >
> >1) Why does the rc.firewall script use "setup" and
> > "established" rules for tcp instead of keep-state like it does
> > for udp?
>
> Setup will allow the SYN packet through and established lets the
> rest of the session's packets through.

Sure, that's what the man page says, but what's the advantage of one
over the other?

> >3) I'm having trouble fetching ports even with
> >FETCH_CMD= fetch -p set in make.conf. Eventually I get the
> > file, but not until after a lot of servers are tried. In my
> > logs I see a lot of:
> >
> >Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
> >Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >
> >where the "from" IPs belong to about a dozen ftp servers
> > I've tried, and the packet arrives a few minutes after fetch
> > has given up on that server. (Why are these servers contacting
> > me anyway when I'm using passive ftp, anyway?)
>
> This is a normal response after instituting the rules you've set
> forth.

You mean difficulty fetching distfiles? packets arriving late? random
active ftp? packets like these being denied? What? (Sorry about the
tone of this; I guess I'm a bit flabbergasted.)

--
Ray Kohler
Mother is far too clever to understand anything she does not like.
	-- Arnold Bennett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
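When reviewing a burst of `ipfw: NNN Deny` log lines like the ones quoted in the thread, the useful first step is to parse them into structured records and group repeats by 4-tuple, so that one connection attempt being retransmitted by the remote host (the same source and destination ports, with growing gaps between hits) can be told apart from many independent connections. The following is an added example, not code from the thread or from FreeBSD; the log lines in `SAMPLE_LOG` are constructed, modelled on the format Ray quoted, and the retransmission heuristic is a simple non-decreasing-gap check of my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the ipfw log format quoted in the thread:
# "<syslog ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>"
SAMPLE_LOG = """\
Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text, year=2002):
    """Parse ipfw kernel log lines into dicts. Syslog timestamps carry no
    year, so the caller supplies it. Lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        records.append({
            "ts": ts,
            "rule": int(m.group("rule")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "dir": m.group("dir"), "iface": m.group("iface"),
        })
    return records


def summarize_flows(records):
    """Group denied packets by (src, sport, dst, dport) and report how many
    times each tuple was hit and the gaps in seconds between hits."""
    flows = defaultdict(list)
    for r in records:
        if r["action"] != "Deny":
            continue
        flows[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["ts"])
    summary = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        summary[key] = {"count": len(stamps), "first": stamps[0],
                        "last": stamps[-1], "gaps": gaps}
    return summary


def looks_like_retransmission(gaps):
    """Heuristic (assumption of this example): the same 4-tuple hitting the
    deny rule again with non-decreasing gaps is what a single connection
    attempt looks like while the remote TCP backs off and retransmits;
    it is not evidence of many separate connections."""
    return len(gaps) >= 2 and all(b >= a for a, b in zip(gaps, gaps[1:]))


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    for key, info in sorted(summarize_flows(recs).items()):
        src, sport, dst, dport = key
        origin = "from ftp control port" if sport == 21 else "from unprivileged port"
        tag = "retransmission-like" if looks_like_retransmission(info["gaps"]) else "single/irregular"
        print(f"{src}:{sport} -> {dst}:{dport} ({origin}): "
              f"{info['count']} denied, gaps={info['gaps']}s, {tag}")
```

Run against a real `/var/log/security` the same way (`parse_ipfw_log(open(path).read(), year=...)`); the point of grouping by 4-tuple before counting is that a few retransmitted packets from one stale connection look like a scan in the raw log but collapse to one entry here, which is what to check before deciding whether a rule is blocking something you actually need.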