Date: Tue, 10 May 2005 16:36:35 +1000
From: Simon Litchfield <simon@quo.com.au>
To: freebsd-ipfw@freebsd.org
Cc: Joshua Paech <josh@slicmedia.com>
Subject: IPFW2 statefulness over bridge?
Message-ID: <42805673.2070401@quo.com.au>
Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing connections over our bridge (running 5.3 generic). A similar configuration worked fine using pf on OpenBSD. Are we missing something?

Here's the guts of our rule script --

.... some init stuff here .....

# allow arps (oh yeah, this is important)
ipfw add allow layer2 mac-type arp

# deny spurious source addresses and spoof attempts
ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
ipfw add deny log all from any to $addr_rfc1918 out via $ext_if
ipfw add deny log all from 'table(0)' to any in via $ext_if
ipfw add deny log all from any to 'table(0)' out via $ext_if
ipfw add deny log all from me to any in via $ext_if

# deny illegal TCP flag combinations
ipfw add deny log tcp from any to any tcpflags fin,urg,psh
ipfw add deny log tcp from any to any tcpflags syn,fin,rst,ack
ipfw add deny log tcp from any to any tcpflags '!syn,!fin,!ack'

.... a bunch of allows for the usual tcp/udp ports like 80 etc to various servers 'inside' the bridged network go here ....

# leave the inside of the firewall open
ipfw add allow layer2 via $int_if

# allow loopback
ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8

# allow firewalled address to make any outgoing connections
ipfw add allow ip from 'table(0)' to any setup keep-state
ipfw add allow ip from me to any setup keep-state

# firewalling UDP is pretty pointless
ipfw add allow udp from any to any

# final denys
ipfw add allow icmp from any to any
ipfw add allow tcp from any to any setup keep-state
ipfw add allow ip from any to any setup keep-state
ipfw add reset tcp from any to any
ipfw add unreach port udp from any to any
ipfw add deny log ip from any to any

--
Quo Consulting
info@quo.com.au
http://www.quo.com.au/
Phone +61 (0)7 5520 2665
Fax +61 (0)2 8569 2377
Level 3 : Old Burleigh Theatre Arcade
66 Goodwin Terrace : Burleigh Heads
Queensland : Australia
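A small lint over the ruleset in the post, added here as an example and not part of the original message. It flags two things a reviewer would check before suspecting the bridge: per ipfw(8), `setup`, `established` and `tcpflags` only ever match TCP, so an `ip ... setup keep-state` rule creates state for TCP alone, and without a `check-state` rule the dynamic ruleset is only consulted when the first `keep-state` rule is reached. The ruleset constant is constructed from the post (shell variables kept as written).

```python
# Constructed from the rule script in the post; shell variables are kept as they
# appear, and the "etup" typo in the catch-all allow is written as "setup".
RULESET = """
ipfw add allow layer2 mac-type arp
ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
ipfw add deny log tcp from any to any tcpflags fin,urg,psh
ipfw add allow layer2 via $int_if
ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8
ipfw add allow ip from 'table(0)' to any setup keep-state
ipfw add allow ip from me to any setup keep-state
ipfw add allow udp from any to any
ipfw add allow icmp from any to any
ipfw add allow tcp from any to any setup keep-state
ipfw add allow ip from any to any setup keep-state
ipfw add deny log ip from any to any
"""

TCP_ONLY = {"setup", "established", "tcpflags"}  # ipfw(8) options that match TCP only

def parse_rule(line):
    """Split one 'ipfw add ...' line into action, protocol and option tokens."""
    toks = line.split()
    if toks[:2] != ["ipfw", "add"] or "from" not in toks:
        return None  # layer2 and check-state lines carry no 'from' clause
    body = toks[2:]
    if body[0].isdigit():  # optional explicit rule number
        body = body[1:]
    i = body.index("from")
    return {"action": body[0], "proto": body[i - 1],
            "opts": set(body[i + 1:]), "line": line}

def lint(ruleset):
    """Return human-readable findings about state handling in the ruleset."""
    lines = [l.strip() for l in ruleset.strip().splitlines()]
    findings = []
    for r in filter(None, map(parse_rule, lines)):
        hit = TCP_ONLY & r["opts"]
        if hit and r["proto"] != "tcp":
            findings.append(f"{r['proto']} rule with {','.join(sorted(hit))} matches TCP "
                            f"only, so no state is created for other protocols: {r['line']}")
    if not any("check-state" in l.split() for l in lines):
        first = next((n for n, l in enumerate(lines, 1) if "keep-state" in l.split()), None)
        findings.append("no check-state rule: dynamic rules are consulted at the first "
                        f"keep-state rule (line {first}), after every rule before it")
    return findings

if __name__ == "__main__":
    for finding in lint(RULESET):
        print("-", finding)
```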