From owner-freebsd-questions@FreeBSD.ORG Fri Oct 1 08:48:48 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3AEA116A4CE; Fri, 1 Oct 2004 08:48:48 +0000 (GMT)
Received: from inertia.drifthost.com (inertial.drifthost.com [66.90.101.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEFCD43D45; Fri, 1 Oct 2004 08:48:47 +0000 (GMT) (envelope-from steve@drifthost.com)
Received: from dsl-203-142-133-217.syd.directcorp.net.au ([203.142.133.217] helo=Steve) by inertia.drifthost.com with esmtpa (Exim 4.42 (FreeBSD)) id 1CDJ5s-000C5I-LD; Fri, 01 Oct 2004 18:48:49 +1000
From: "Steven Adams"
To: "'Subhro'" ,
Date: Fri, 1 Oct 2004 18:50:11 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
In-Reply-To:
Thread-Index: AcSm+tilFl7qRld1Q1WRC1690vee1AAmJp/g
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - inertia.drifthost.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6]
X-AntiAbuse: Sender Address Domain - drifthost.com
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <20041001084847.EEFCD43D45@mx1.FreeBSD.org>
cc: freebsd-questions@freebsd.org
Subject: RE: IPFW Problem
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: drift@FreeBSD.ORG
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 01 Oct 2004 08:48:48 -0000

I don't have an internal network. This is a server with 1 gigabit network card on a gig link. I'm really confused about what's happening then, because web browsing still works but it's blocking some packets.
I host 60+ sites, so I can't pin it down to one site or anything. Anyone have any other ideas?

Steven Adams
steve@drifthost.com
DriftNet Web Services
http://www.drifthost.com
Home: +61 2 94274857
Fax: +61 2 94274857
Mobile +61 (0) 404 085644

-----Original Message-----
From: Subhro [mailto:subhro.kar@gmail.com]
Sent: Friday, 1 October 2004 12:36 AM
To: drift@freebsd.org
Cc: steve@drifthost.com; freebsd-questions@freebsd.org
Subject: Re: IPFW Problem

On Thu, 30 Sep 2004 22:32:16 +1000, Steven Adams wrote:
> When I add
>
> $fwcmd add allow ip from any to any established
>
> The messages go away, but when I remove it they come back. I ran a tcpdump
> and it seems most of the packets just have ACK set?

If this works for you then the keep-state is definitely not working for you. Because when a SYN comes in, the state is saved in the firewall dynamic states so that subsequent ACKs corresponding to that SYN get through without any problem.

>===========================================================
> oif=bge0
> fwcmd=ipfw
>
> $fwcmd -f flush
>
> $fwcmd add check-state
>
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny ip from any to 127.0.0.0/8
>
> $fwcmd add deny all from any to any frag in via $oif
>
> $fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
> $fwcmd add allow tcp from any to me 80 setup keep-state
> $fwcmd add allow udp from me 53 to any keep-state
> $fwcmd add allow udp from any to any 53 keep-state
>
> $fwcmd add allow all from me to any out via $oif setup keep-state
>
> $fwcmd add deny all from any to any 137,138,139,67,68 in
>
> $fwcmd add deny log all from me to any 22
> $fwcmd add deny log all from any to any

change this to

$fwcmd add deny log all from any to any in xmit $oif

BTW, any good reason not to trust your internal network from sending data through the firewall?

Regards
S.
--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
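The mechanism Subhro describes (a SYN matching a `keep-state` rule records the flow, `check-state` then admits the rest of it) and the effect of Steven's `established` rule can both be seen in this added toy model of ipfw's ordered rule evaluation. It is illustrative Python written for this page, not ipfw code; the addresses, ports and packets are constructed, and packet direction (`in`/`out via`) is not modelled, only the port, flag and state checks.

```python
from collections import namedtuple
from dataclasses import dataclass
# One TCP packet; flags is a set such as {"SYN"}, {"SYN", "ACK"} or {"ACK"}.
Packet = namedtuple("Packet", "src sport dst dport flags")

@dataclass
class Rule:
    action: str                # "allow", "deny" or "check-state"
    dport: int = 0             # destination port to match (0 = any)
    setup: bool = False        # ipfw 'setup': SYN set and ACK clear
    established: bool = False  # ipfw 'established': ACK or RST set
    keep_state: bool = False   # record the flow when this rule allows a packet

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn = set()  # dynamic rules, keyed by the flow's two endpoints
    def flush(self):
        self.dyn.clear()  # 'ipfw -f flush' discards the dynamic rules as well

    def matches(self, r, p):
        port_ok = not r.dport or p.dport == r.dport
        setup_ok = not r.setup or ("SYN" in p.flags and "ACK" not in p.flags)
        est_ok = not r.established or bool(p.flags & {"ACK", "RST"})
        return port_ok and setup_ok and est_ok

    def filter(self, p):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        for r in self.rules:
            if r.action == "check-state":
                if key in self.dyn:
                    return "allow"  # packet belongs to a recorded flow
                continue
            if self.matches(r, p):
                if r.action == "allow" and r.keep_state:
                    self.dyn.add(key)
                return r.action
        return "deny"

def verdicts(with_established):
    rules = [Rule("check-state"), Rule("allow", dport=80, setup=True, keep_state=True)]
    if with_established:
        rules.append(Rule("allow", established=True))
    rules.append(Rule("deny"))  # stands in for 'deny log all from any to any'
    fw = Firewall(rules)
    syn = Packet("203.0.113.5", 40001, "198.51.100.10", 80, frozenset({"SYN"}))
    ack = Packet("203.0.113.5", 40001, "198.51.100.10", 80, frozenset({"ACK"}))
    out = [fw.filter(syn), fw.filter(ack)]  # SYN creates state, ACK rides on it
    fw.flush()  # ruleset reloaded mid-connection: the dynamic rule is gone
    return out + [fw.filter(ack)]
```

`verdicts(False)` gives `["allow", "allow", "deny"]`: once the flush has discarded the dynamic rule, an ACK-only packet of a connection that was set up earlier matches no `setup` rule and falls through to the final deny, which is the logged traffic Steven sees. `verdicts(True)` gives `["allow", "allow", "allow"]` because `established` admits any packet carrying ACK or RST without consulting state, so it hides the symptom rather than restoring state tracking.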