From owner-freebsd-questions Wed Jan 30 11:25:36 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from omahpop2.omah.uswest.net (omahpop2.omah.uswest.net [204.26.64.2]) by hub.freebsd.org (Postfix) with SMTP id 2E7C137B405 for ; Wed, 30 Jan 2002 11:25:34 -0800 (PST)
Received: (qmail 5580 invoked by alias); 30 Jan 2002 19:25:32 -0000
Delivered-To: fixup-freebsd-questions@freebsd.org@fixme
Received: (qmail 5566 invoked by uid 0); 30 Jan 2002 19:25:32 -0000
Received: from omah6400gw2poolc106.omah.uswest.net (HELO kristen.shadowdale.net) (63.227.158.106) by omahpop2.omah.uswest.net with SMTP; 30 Jan 2002 19:25:32 -0000
Date: Wed, 30 Jan 2002 13:25:32 -0600 (CST)
From: Bovine Unit #243
To: FreeBSD Questions
Subject: reset TCP in ipfw
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-Archive: (Web Archive)
List-Help: (List Instructions)
X-Loop: FreeBSD.ORG

I was looking through the ipfw log this morning and saw the "reset tcp" rule in action. A flood of TCP packets from some Winblows app was bombarding port 1214. Anyway, since it wasn't matched by any rules present, it came to the last two TCP rules I had:

    ...
    10000 divert 6668 ip from any to any via fxp0
    ...
    49990 reset log tcp from any to any in recv fxp0
    49999 deny log tcp from any to any in recv fxp0

Well, the problem with that reset is that it's being blocked by the very next rule. Dang! I did not know the firewall would block its own action.

Hmm... I thought about the fix. Well, I really don't want to have open ports out as the next rule, since I want to catch any misbehaving Winblows' "ET phone home" programs. And the rule can't be moved to the beginning (or towards the beginning of the ruleset), since it's supposed to catch TCP packets that didn't get a match in the ruleset. Well, that's a bugger.

What is the proper way to use the reset action?
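For readers working through the same ruleset, the following is an added illustration, not part of the original post and not an answer from the list. It is a constructed ipfw ruleset in the one-rule-per-line file format that `ipfw` reads from a path; the interface name fxp0 and the divert port are taken from the post, all rule numbers are assumptions. The point it shows is the direction split: the poster's tail rules are all qualified with `in recv fxp0`, so they can only ever match packets arriving on fxp0. The RST that a `reset` rule makes the kernel send is a separate, outbound packet, and `reset` itself is a terminating action for the packet that matched it (per ipfw(8), "the search terminates"). Whether that generated RST is passed back through the ruleset on its way out depends on the FreeBSD version, so the conservative layout is a narrow outbound rule that permits only RST-flagged TCP from the host's own addresses, placed ahead of the outbound catch-all. That keeps the "phone home" catch-all intact without opening any ports.

```ipfw
# Constructed example ruleset (not from the original post).
# Assumptions: interface fxp0 (from the post), divert port 6668 (from the post),
# rule numbers chosen here for illustration. Load with:  ipfw -q /etc/ipfw.rules

add 10000 divert 6668 ip from any to any via fxp0

# Let the host's own TCP resets leave, and nothing else: 'me' restricts the source
# to this box's addresses, 'tcpflags rst' to segments with the RST bit set.
# 'log' keeps an audit trail of every reset the box emits.
add 49980 allow log tcp from me to any out xmit fxp0 tcpflags rst

# Inbound TCP that reached this point matched no earlier rule: log it and answer
# with a RST. The search ends here for the matching inbound packet.
add 49990 reset log tcp from any to any in recv fxp0

# Outbound TCP that no earlier rule accepted is the "ET phone home" case:
# deny and log it so the offending program shows up in the firewall log.
add 49995 deny log tcp from any to any out xmit fxp0

# Inbound catch-all for everything that is not TCP.
add 49999 deny log ip from any to any in recv fxp0
```

After loading, `ipfw -a list` shows per-rule packet counters; a non-zero count on rule 49980 alongside hits on 49990 confirms the generated resets are leaving via the narrow rule rather than being caught by the outbound deny.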
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message