From owner-freebsd-questions@FreeBSD.ORG Thu Apr 20 23:57:03 2006
From: RW
To: freebsd-questions@freebsd.org
Date: Fri, 21 Apr 2006 00:56:56 +0100
Subject: Re: IPFW Problems
User-Agent: KMail/1.9.1
References: <8921D35B-1F12-4212-9B62-0CC1CC8F5AE5@allresearch.com> <4446D5A4.8030502@mykitchentable.net>
Message-Id: <200604210056.57359.list-freebsd-2004@morbius.sent.com>
List-Id: User questions

On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> On 4/20/06, Drew Tomlinson wrote:
> > On 4/17/2006 2:29 PM Noah Silverman wrote:
> > > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > > ipfw add 00299 deny log all from any to any out via bge0
> > > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> >
> > I think this line is your problem. "setup" matches the initial packet
> > with the syn flag set. However, since you have not added "keep-state",
> > no rule gets added to the dynamic rule set for this connection.

"limit" creates a dynamic rule, just like keep-state.

> Yes. 'setup' is from "semi-stateful" firewall functionality while
> 'keep-state' is from the fully stateful one. You can't use both in
> one rule without strange consequences. Just delete the 'setup'
> words in both rules - it'll probably be fine.

Yes, you can. When I used IPFW I did it that way and never had any
problems. All it's saying is that a dynamic rule can only be set up by
the legitimate first packet of a TCP handshake, and not by an
out-of-sequence TCP packet. Once the dynamic rule exists, it passes
packets with any TCP flags.
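The interaction the thread argues about (a "setup" rule only matching the SYN that opens a handshake, "keep-state"/"limit" then creating a dynamic entry that passes later packets regardless of flags, and "limit src-addr N" capping the entries per source) can be made concrete with a small model. The following Python is an added illustration, not part of this thread and not ipfw's own code: it models only the options discussed here, checks dynamic rules before the static list (ipfw does this at the first check-state/keep-state/limit rule it reaches), assumes the default-deny rule 65535, and uses made-up addresses from the RFC 5737 documentation ranges. Interface matching ("via bge0") and logging are left out.

```python
"""Toy model of ipfw 'setup', 'keep-state' and 'limit' semantics.

Added example for the thread above; not ipfw source. Packets are plain
dicts, the host address ME and the peers below are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # real TCP flag bits
ME = "192.0.2.10"                          # this host, i.e. "me" in ipfw syntax


@dataclass
class Rule:
    num: int
    action: str                            # "allow" or "deny"
    direction: str                         # "in" or "out"
    dst: str                               # "me" or "any"
    dport: Optional[int]                   # None matches any destination port
    setup: bool = False                    # match only SYN-without-ACK packets
    keep_state: bool = False               # create a dynamic rule on match
    limit_src: Optional[int] = None        # "limit src-addr N": cap per source


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)
    dynamic: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.num)   # ipfw evaluates in rule-number order

    @staticmethod
    def is_setup(pkt: dict) -> bool:
        """ipfw 'setup' is shorthand for 'tcpflags syn,!ack': the handshake's first packet."""
        return bool(pkt["flags"] & SYN) and not pkt["flags"] & ACK

    def check(self, pkt: dict) -> str:
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # A dynamic rule matches both directions of the flow and does not look
        # at TCP flags at all: ACK, FIN, RST and data packets all pass on it.
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow dynamic"
        for r in self.rules:
            if r.direction != pkt["direction"]:
                continue
            if r.dst == "me" and pkt["dst"] != ME:
                continue
            if r.dport is not None and pkt["dport"] != r.dport:
                continue
            # A 'setup' rule never matches an out-of-sequence packet, so a stray
            # ACK cannot create state here; it falls through to later rules.
            if r.setup and not self.is_setup(pkt):
                continue
            if r.limit_src is not None:
                open_from_src = sum(1 for d in self.dynamic if d[0] == pkt["src"])
                if open_from_src >= r.limit_src:
                    return f"deny limit {r.num}"     # over the per-source cap
                self.dynamic.add(fwd)
            elif r.keep_state:
                self.dynamic.add(fwd)
            return f"{r.action} {r.num}"
        return "deny default"                        # implicit rule 65535 (default deny)


def scenario() -> List[str]:
    """Replays the three rules from the thread against constructed packets."""
    fw = Firewall()
    fw.add(Rule(280, "allow", "out", "any", 22, setup=True, keep_state=True))
    fw.add(Rule(299, "deny", "out", "any", None))
    fw.add(Rule(430, "allow", "in", "me", 22, setup=True, limit_src=2))

    def pkt(src, sport, dst, dport, flags, direction):
        return dict(src=src, sport=sport, dst=dst, dport=dport,
                    flags=flags, direction=direction)

    a, b = "198.51.100.7", "198.51.100.8"           # constructed peer addresses
    return [
        fw.check(pkt(a, 40001, ME, 22, SYN, "in")),   # handshake SYN: rule 430 creates state
        fw.check(pkt(a, 40001, ME, 22, ACK, "in")),   # same flow, ACK only: dynamic rule
        fw.check(pkt(ME, 22, a, 40001, ACK, "out")),  # our reply: dynamic rule, reverse direction
        fw.check(pkt(b, 50000, ME, 22, ACK, "in")),   # stray ACK with no SYN: no state, default deny
        fw.check(pkt(a, 40002, ME, 22, SYN, "in")),   # second connection from a: within limit 2
        fw.check(pkt(a, 40003, ME, 22, SYN, "in")),   # third from a: over limit, dropped
        fw.check(pkt(ME, 51000, b, 22, SYN, "out")),  # outbound ssh SYN: rule 280 keep-state
        fw.check(pkt(ME, 51001, b, 22, ACK, "out")),  # outbound ACK without SYN: rule 299 deny
    ]


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

Running `scenario()` shows both halves of the point made in the reply: the stray ACK from the second peer never creates state because the only inbound rule is a "setup" rule, while the ACK belonging to an already-opened flow is passed by the dynamic entry even though it has no SYN. The third SYN from the same source is refused by "limit src-addr 2" exactly as a keep-state entry would have been counted.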