From: "Andrew Pantyukhin" <infofarmer@gmail.com>
To: "Drew Tomlinson"
Cc: Noah Silverman, freebsd-questions@freebsd.org
Date: Thu, 20 Apr 2006 08:14:55 +0400
Subject: Re: IPFW Problems
In-Reply-To: <4446D5A4.8030502@mykitchentable.net>
References: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com> <4446D5A4.8030502@mykitchentable.net>
List-Id: User questions <freebsd-questions@freebsd.org>

On 4/20/06, Drew Tomlinson wrote:
> On 4/17/2006 2:29 PM Noah Silverman wrote:
> > Hi,
> >
> > I have a system with a 4.11 Kernel. Unless I'm doing something very
> > wrong, there seems to be something odd with ipfw.
> >
> > Take the following rules:
>
> I assume above this you have "ipfw add check-state" defined? This is
> the rule that's required to get ipfw to check its dynamic rule set.
> Without it, "keep-state" rules will never work.

No, this is not required. The dynamic rules are checked at the first
keep-state or limit rule, too.

> > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > ipfw add 00299 deny log all from any to any out via bge0
> > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit
> > src-addr 2
>
> I think this line is your problem. "setup" matches the initial packet
> with the syn flag set. However since you have not added "keep-state",
> no rule gets added to the dynamic rule set for this connection.
> Subsequent packets don't match because "syn" is not set. Thus they hit
> rule 499 and are denied.

Yes. 'setup' is from the "semi-stateful" firewall functionality while
'keep-state' is from the fully stateful one. You can't use both in one
rule without strange consequences. Just delete the 'setup' words in both
rules - it'll probably be fine.
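The two mechanics argued over in this thread, that the dynamic rule set is consulted at the first keep-state rule even when no check-state rule exists, and that a plain 'setup' rule matches only the opening SYN so every later packet of the connection falls through to the deny, as an added toy model written for this page. It is not ipfw code and not from anyone in the thread: it keeps only direction, destination port and the SYN/ACK flags of the posted rules (no 'via bge0', no 'limit', no logging), assumes the kernel's implicit default-deny rule 65535, and runs a constructed outbound SSH handshake with addresses from the documentation ranges.

```python
"""Toy model of ipfw check-state / keep-state / setup matching (illustration only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # "in", "out" or None for either
    dport: Optional[int] = None      # destination port, None for any
    setup: bool = False              # only the opening SYN (SYN set, ACK clear)
    keep_state: bool = False         # create a dynamic entry when the rule matches
    check_state: bool = False        # consult the dynamic table only, no body


FlowKey = FrozenSet[Tuple[str, int]]
DEFAULT_RULE = 65535  # implicit last rule; assumed deny (kernel not built default-to-accept)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        # flow -> (action, number of the rule that created the entry)
        self.dynamic: Dict[FlowKey, Tuple[str, int]] = {}

    @staticmethod
    def flow_key(pkt: Packet) -> FlowKey:
        # A dynamic entry matches both directions of the flow, so endpoint order is irrelevant.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    @staticmethod
    def static_match(rule: Rule, pkt: Packet) -> bool:
        if rule.direction is not None and rule.direction != pkt.direction:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        if rule.setup and not (pkt.syn and not pkt.ack):
            return False
        return True

    def process(self, pkt: Packet) -> Tuple[str, int]:
        """Return (action, number of the rule that decided the packet)."""
        dynamic_checked = False
        for rule in self.rules:
            # The dynamic table is consulted once per packet, at the first
            # check-state or keep-state rule reached; an explicit check-state
            # only moves that lookup earlier in the rule set.
            if (rule.check_state or rule.keep_state) and not dynamic_checked:
                dynamic_checked = True
                hit = self.dynamic.get(self.flow_key(pkt))
                if hit is not None:
                    return hit           # action of the rule that created the entry
            if rule.check_state:
                continue                 # check-state has no body to match against
            if not self.static_match(rule, pkt):
                continue
            if rule.keep_state:
                self.dynamic[self.flow_key(pkt)] = (rule.action, rule.number)
            return rule.action, rule.number
        return "deny", DEFAULT_RULE


def ssh_session(client: str = "192.0.2.10", server: str = "198.51.100.5") -> List[Packet]:
    """Constructed packets of one outbound SSH connection: handshake, then data."""
    return [
        Packet(client, 50000, server, 22, "out", syn=True),            # SYN
        Packet(server, 22, client, 50000, "in", syn=True, ack=True),   # SYN/ACK
        Packet(client, 50000, server, 22, "out", ack=True),            # ACK
        Packet(client, 50000, server, 22, "out", ack=True),            # data
        Packet(server, 22, client, 50000, "in", ack=True),             # data back
    ]


def decisions(rules: List[Rule]) -> List[str]:
    fw = Firewall(rules)
    return [fw.process(p)[0] for p in ssh_session()]


# Rule 280 as posted (interface dropped), with the deny-out behind it.
STATEFUL = [
    Rule(280, "allow", "out", 22, setup=True, keep_state=True),
    Rule(299, "deny", "out"),
]
# Same rules with an explicit check-state in front: identical outcome.
WITH_CHECK_STATE = [Rule(100, "allow", check_state=True)] + STATEFUL
# 'setup' without keep-state: only the SYN matches, everything after it falls through.
SETUP_ONLY = [
    Rule(280, "allow", "out", 22, setup=True),
    Rule(299, "deny", "out"),
]

if __name__ == "__main__":
    for name, rules in (("keep-state", STATEFUL), ("check-state first", WITH_CHECK_STATE),
                        ("setup only", SETUP_ONLY)):
        print(f"{name:18} {decisions(rules)}")
```

Running it shows the keep-state rule set passing all five packets with or without the check-state rule, because the SYN/ACK coming back in and the later non-SYN packets going out are all matched against the dynamic entry when evaluation reaches rule 280; the setup-only rule set passes the SYN and then denies the outbound packets at rule 299 and the inbound ones at the default rule.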