Date:      Sat, 29 Jan 2005 21:55:16 +0100
From:      "Gerard Meijer" <gmeijer@palmweb.nl>
To:        <freebsd-ipfw@freebsd.org>
Subject:   ipfw stateful ruleset problem
Message-ID:  <084c01c50644$d5e87010$9600000a@guus>

Hi everyone,

First of all, I'm not very experienced with ipfw, so if this is a stupid question, I'm sorry.

I have a question regarding my stateful ipfw ruleset. I have the following rules:

---begin---
$cmd 00015 check-state

#www
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

#mail
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

#ftp
$cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in FTP
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

# Allow in mail
$cmd 00420 allow tcp from any to me 110 in via $pif
---end---
(there are more rules, but these are the ones this is about)

The problem that I'm having is that I can't check mail and can't FTP, and I see a lot of:

ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0

messages in my logfile.

When I try to check mail I see in my log:

ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0

What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore, so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?

I can solve all this by putting in the rule:

# $cmd 00020 allow tcp from any to any established

But I learned that that is not the right way to do this in a stateful ruleset, because the dynamic rules don't have any use in this way. So what is the right way to solve this?

Thanks a lot in advance!
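
As an added illustration (not part of Gerard's mail) of the check-state / keep-state mechanics he describes, the Python model below walks his rules 00015 to 00420 over two constructed POP3 flows. Assumptions: 192.0.2.10 stands in for the server, 198.51.100.7 and 203.0.113.5 for a home PC and a remote mail server, `via $pif` is dropped because every packet is taken to cross that interface, and `limit` is modelled as installing a dynamic rule just like keep-state.

```python
# Toy model of ipfw check-state / keep-state matching, walking the rules from the post.
from dataclasses import dataclass
ME = "192.0.2.10"  # constructed address standing in for [my-server-ip]

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int; direction: str  # direction: "in" or "out"
    setup: bool = False   # True only for the SYN that opens a connection

@dataclass(frozen=True)
class Rule:
    num: int; dport: int; direction: str; to_me: bool = False  # "to me" rather than "to any"
    setup: bool = True         # the rule carries the "setup" option
    keep_state: bool = False   # keep-state; "limit" also installs a dynamic rule

# The post's rules without "via $pif"; every packet here is assumed to cross that interface.
RULES = [
    Rule(200, 80, "out", keep_state=True),
    Rule(231, 110, "out", keep_state=True),
    Rule(283, 21, "out", keep_state=True),
    Rule(400, 80, "in", to_me=True, keep_state=True),   # limit src-addr 2
    Rule(410, 21, "in", to_me=True, keep_state=True),   # limit src-addr 2
    Rule(420, 110, "in", to_me=True, setup=False),      # no keep-state, as posted
]

def flow_key(p):
    # A dynamic rule matches both directions, so key on the unordered endpoint pair.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def evaluate(p, dynamic):
    """Verdict in ipfw order: 00015 check-state, then the static rules, then the 299 deny."""
    if flow_key(p) in dynamic:
        return "allow (dynamic rule)"
    for r in RULES:
        if ((r.direction, r.dport) != (p.direction, p.dport) or (r.to_me and p.dst != ME)
                or (r.setup and not p.setup)):   # "setup" matches only the opening SYN
            continue
        if r.keep_state:
            dynamic.add(flow_key(p))
        return f"allow (rule {r.num})"
    return "deny (rule 299)"

def trace(packets):
    dynamic = set()   # the dynamic-rule table, carried along the packet sequence
    return [evaluate(p, dynamic) for p in packets]
HOME_PC, POP_SERVER = "198.51.100.7", "203.0.113.5"  # constructed client and remote POP3 server
MAIL_IN = [Pkt(HOME_PC, 51000, ME, 110, "in", setup=True),       # rule 420 allows, keeps no state
           Pkt(ME, 110, HOME_PC, 51000, "out")]                  # reply: "Deny TCP ...:110 ... out"
MAIL_OUT = [Pkt(ME, 40000, POP_SERVER, 110, "out", setup=True),  # rule 231 allows and keeps state
            Pkt(POP_SERVER, 110, ME, 40000, "in")]               # reply hits 00015 check-state
```

Running `trace(MAIL_IN)` reproduces the logged pattern (the inbound SYN is allowed, the server's reply out of port 110 falls through to 299), while `trace(MAIL_OUT)` shows the reply to a keep-state connection being accepted by check-state.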



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?084c01c50644$d5e87010$9600000a>