From: "Gerard Meijer" <gmeijer@palmweb.nl>
To: freebsd-ipfw@freebsd.org
Date: Sat, 29 Jan 2005 21:55:16 +0100
Message-ID: <084c01c50644$d5e87010$9600000a@guus>
Subject: ipfw stateful ruleset problem

Hi everyone,

First of all, I'm not very experienced with ipfw, so if this is a stupid question, I'm sorry.

I have a question regarding my stateful ipfw ruleset. I have the following rules:

---begin---
$cmd 00015 check-state

#www
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
#mail
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
#ftp
$cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in FTP
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
# Allow in mail
$cmd 00420 allow tcp from any to me 110 in via $pif
---end---

(there are more rules, but these are the ones that it's about)

The problem that I'm having is that I can't check mail, and can't FTP, and I see a lot of:

ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0

messages in my logfile. When I try to check mail I see in my log:

ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0

What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore, so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?

I can solve all this by putting in the rule:

# $cmd 00020 allow tcp from any to any established

But I learned that that is not the right way to do this in a stateful ruleset, because the dynamic rules don't have any use in this way. So what is the right way to solve this?

Thanks a lot in advance!
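The following is an added example, not part of the original post and not ipfw's code: a small Python model of the ipfw matching steps the post relies on (first match wins, "setup" matches only SYN-without-ACK, "keep-state"/"limit" record a dynamic entry, "check-state" consults that table in both directions, "established" matches any ACK or RST). It replays the rules quoted above with the post's own numbers and traces the server's reply packet on port 110 and a stray unsolicited ACK, once with the rules as posted and once with a catch-all "established" rule. The addresses, ephemeral ports and the inbound deny at rule 499 are constructed assumptions, not taken from the post.

```python
"""Toy model of ipfw stateful matching (added example; not ipfw's code).

Models only what is needed to trace the log lines in the post:
  - rules are tried in ascending number order, first match wins;
  - "setup" matches SYN-without-ACK only; "established" matches ACK or RST;
  - "keep-state" (and "limit src-addr N") records a dynamic entry on match;
  - "check-state" allows a packet that matches a dynamic entry, in either
    direction, and is otherwise skipped.
Addresses, ports and rule 499 below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out" via the public interface
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    number: int
    action: str                      # "allow", "deny" or "check-state"
    dport: Optional[int] = None      # destination port; None means any
    direction: Optional[str] = None  # "in", "out", or None for both
    setup: bool = False
    established: bool = False
    keep_state: bool = False         # True for both keep-state and limit


class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default
        self.dynamic = set()         # one entry per tracked connection

    @staticmethod
    def _key(p):
        # Direction-agnostic key, so the reply hits the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    @staticmethod
    def _matches(r, p):
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.direction is not None and r.direction != p.direction:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not (p.ack or p.rst):
            return False
        return True

    def process(self, p):
        """Return (rule_number, verdict) for the first matching rule."""
        for r in self.rules:
            if r.action == "check-state":
                if self._key(p) in self.dynamic:
                    return r.number, "allow"
                continue
            if self._matches(r, p):
                if r.keep_state:
                    self.dynamic.add(self._key(p))
                return r.number, r.action
        return 65535, self.default


def ruleset(pop3_keep_state, established_rule=False):
    """Rules 15-420 follow the post; 499 is an assumed inbound deny."""
    rules = [
        Rule(15, "check-state"),
        Rule(200, "allow", dport=80, direction="out", setup=True, keep_state=True),
        Rule(231, "allow", dport=110, direction="out", setup=True, keep_state=True),
        Rule(283, "allow", dport=21, direction="out", setup=True, keep_state=True),
        Rule(299, "deny", direction="out"),
        Rule(400, "allow", dport=80, direction="in", setup=True, keep_state=True),
        Rule(410, "allow", dport=21, direction="in", setup=True, keep_state=True),
        Rule(420, "allow", dport=110, direction="in", keep_state=pop3_keep_state),
        Rule(499, "deny", direction="in"),
    ]
    if established_rule:  # the catch-all the post mentions as rule 00020
        rules.append(Rule(20, "allow", established=True))
    return Firewall(rules)


SERVER, HOME = "192.0.2.10", "198.51.100.7"   # constructed addresses


def pop3_reply(pop3_keep_state, established_rule=False):
    """Client SYN to port 110, then the server's SYN-ACK going back out."""
    fw = ruleset(pop3_keep_state, established_rule)
    fw.process(Packet(HOME, 51000, SERVER, 110, "in", syn=True))
    return fw.process(Packet(SERVER, 110, HOME, 51000, "out", syn=True, ack=True))


def stray_ack(established_rule):
    """An unsolicited ACK to port 22 that belongs to no tracked connection."""
    fw = ruleset(True, established_rule)
    return fw.process(Packet("203.0.113.9", 40000, SERVER, 22, "in", ack=True))


if __name__ == "__main__":
    print("420 without keep-state:", pop3_reply(False))        # (299, 'deny')
    print("420 with keep-state:   ", pop3_reply(True))         # (15, 'allow')
    print("established catch-all: ", pop3_reply(False, True))  # (20, 'allow')
    print("stray ACK, stateful:   ", stray_ack(False))         # (499, 'deny')
    print("stray ACK, established:", stray_ack(True))          # (20, 'allow')
```

In the model, the SYN-ACK leaving on port 110 reaches the outbound deny at 299 exactly as in the quoted log line, because rule 420 as posted records no dynamic entry for check-state to find; giving 420 keep-state (or limit) makes the reply match at rule 15. The catch-all "established" rule also lets the reply through, but it equally admits the stray ACK to port 22 that the stateful ruleset denies at 499, which is the "dynamic rules don't have any use" concern the post raises.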