From: "Corey Snow"
To: freebsd-questions@freebsd.org
Date: Wed, 19 Jun 2002 17:36:40 -0700
Subject: ipfw dropping legit packets?
Message-ID: <3D10C128.8915.1C677A9@localhost>

I have a filtering bridge set up on my LAN betwixt my DSL and my DMZ. I've set it up with ipfw and built the kernel with the appropriate options. Everything seems to be working well, although I recently turned on the "log" flag for my last rule, deny ip from any to any. It's strange, but it seems as though the firewall is denying some traffic (only a few packets here and there) that should be considered legitimate.

Here's my ipfw ruleset (addresses munged):

ratbastard# cat rc.ratbastardfw
#ratbastard firewall initialization script. This bridge
#firewall simply passes packets from the Internet to an internal DMZ,
#filtering them along the way. As such, we allow very little traffic in.
#1.2.3.1 - DNS and Web
#1.2.3.3 - Secondary DNS and Mail
#1.2.3.2 - Workstation
add check-state
#allow inbound DNS
add allow udp from any to 1.2.3.1 53 in via ed0 keep-state
add allow udp from any to 1.2.3.3 53 in via ed0 keep-state
#allow outbound DNS
add allow udp from 1.2.3.1 to any 53 in via ed1 keep-state
add allow udp from 1.2.3.3 to any 53 in via ed1 keep-state
#allow HTTP
add allow tcp from any to 1.2.3.1 80,443 in via ed0 setup keep-state
#allow SMTP and POP3
add allow tcp from any to 1.2.3.3 25,110 in via ed0 setup keep-state
#allow SMTP relay so we can send out through a machine with reverse DNS
add allow tcp from 1.2.3.3 to isprelay 25 in via ed1 setup keep-state
#allow internal traffic out.
add allow tcp from 1.2.3.2 to any in via ed1 setup keep-state
add allow udp from 1.2.3.2 to any in via ed1 keep-state
#Allow ssh to this machine on internal interface.
add allow tcp from securews to me 22 in via ed1 keep-state
#allow internal machines to ping
add allow icmp from any to me in via ed1 icmptypes 8 keep-state
#deny anything else and log it
add deny log ip from any to any
ratbastard#
---

When this set of rules is in effect, I will get stuff like this in my security log (addresses munged). The IP address that is being denied is a web site I tried to visit. I can see the web site and all seems to be well, but these keep popping up in my log, indicating that something is being denied that shouldn't be. Shouldn't the "keep-state" rules take care of this kind of thing?
ratbastard# tail security
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3199 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3200 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3202 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3230 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3240 216.150.6.70:80 in via ed1
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3244 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3226 in via ed0
ratbastard#

Other data: FreeBSD 4.5-RELEASE, 486 DX2/66, 32 MB RAM, 2 ISA NICs. ed0: Internet, ed1: internal interface. System is in bridging mode, and only has one IP address that I use to access it via ssh.

Thanks for any suggestions or comments.

Regards,
Corey Snow
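A way to check the poster's question mechanically, as an added example that is not part of the original message or of ipfw itself: replay each logged "Deny" line against the static part of the posted ruleset and see which rules could have passed that packet. The script hand-parses only the subset of ipfw(8) syntax the post uses (allow proto from src to dst [ports] in via iface [setup] [keep-state]); the symbolic hosts isprelay, securews and me are left unresolved and so never match a numeric log address (an assumption of the example). Because a bridge only ever sees packets "in via" an interface and the log lines carry no TCP flags, a "setup" rule is reported as matching conditionally (it passes a SYN without ACK and nothing else). The ruleset and log excerpt below are constructed copies of the ones in the post.

```python
"""Replay ipfw 'Deny' log lines against the static rules of a ruleset.

Verdict per logged packet:
  static-allow : a non-setup rule covers it; a deny here means the rule order
                 or interface is not what you think.
  syn-only     : only a 'setup' rule covers it; a deny means the packet was
                 not a pure SYN, so it needed a dynamic (keep-state) entry.
  state-only   : no static rule covers it at all; it could only have passed
                 through check-state, so no dynamic entry existed for the flow
                 when it arrived.
"""
import re
from dataclasses import dataclass

# Constructed copy of the ruleset in the post (ICMP rule omitted: the
# parser handles only tcp/udp, which is all the log lines contain).
RULESET = """
add allow udp from any to 1.2.3.1 53 in via ed0 keep-state
add allow udp from any to 1.2.3.3 53 in via ed0 keep-state
add allow udp from 1.2.3.1 to any 53 in via ed1 keep-state
add allow udp from 1.2.3.3 to any 53 in via ed1 keep-state
add allow tcp from any to 1.2.3.1 80,443 in via ed0 setup keep-state
add allow tcp from any to 1.2.3.3 25,110 in via ed0 setup keep-state
add allow tcp from 1.2.3.3 to isprelay 25 in via ed1 setup keep-state
add allow tcp from 1.2.3.2 to any in via ed1 setup keep-state
add allow udp from 1.2.3.2 to any in via ed1 keep-state
add allow tcp from securews to me 22 in via ed1 keep-state
"""

# Constructed copy of the log excerpt in the post.
SAMPLE_LOG = """
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3199 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3200 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3202 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3230 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3240 216.150.6.70:80 in via ed1
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3244 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3226 in via ed0
"""

RULE_RE = re.compile(
    r"add allow (?P<proto>tcp|udp) from (?P<src>\S+)(?: (?P<sports>[\d,]+))?"
    r" to (?P<dst>\S+)(?: (?P<dports>[\d,]+))? in via (?P<iface>\S+)"
    r"(?P<setup> setup)?(?P<ks> keep-state)?$"
)
LOG_RE = re.compile(
    r"ipfw: \d+ Deny (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\S+)"
)


@dataclass
class Rule:
    text: str
    proto: str
    src: str
    sports: set
    dst: str
    dports: set
    iface: str
    setup: bool


def _ports(s):
    return {int(p) for p in s.split(",")} if s else set()


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(Rule(line.strip(), m["proto"], m["src"], _ports(m["sports"]),
                          m["dst"], _ports(m["dports"]), m["iface"], bool(m["setup"])))
    return rules


def host_matches(pattern, addr):
    # 'any' matches everything; a literal address must be equal; a symbolic
    # alias (isprelay, securews, me) is unresolved here and so never matches.
    return pattern == "any" or pattern == addr


def parse_log(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "iface": m["iface"]}


def candidates(rules, pkt):
    """Return (unconditional, setup_only) lists of rule texts covering pkt."""
    unconditional, setup_only = [], []
    for r in rules:
        if r.proto != pkt["proto"] or r.iface != pkt["iface"]:
            continue
        if not (host_matches(r.src, pkt["src"]) and host_matches(r.dst, pkt["dst"])):
            continue
        if r.sports and pkt["sport"] not in r.sports:
            continue
        if r.dports and pkt["dport"] not in r.dports:
            continue
        (setup_only if r.setup else unconditional).append(r.text)
    return unconditional, setup_only


def classify(rules, log_lines):
    """Map each parsable log line to (line, verdict)."""
    out = []
    for line in log_lines:
        pkt = parse_log(line)
        if pkt is None:
            continue
        unc, syn = candidates(rules, pkt)
        verdict = "static-allow" if unc else "syn-only" if syn else "state-only"
        out.append((line.strip(), verdict))
    return out


if __name__ == "__main__":
    for line, verdict in classify(parse_rules(RULESET), SAMPLE_LOG.splitlines()):
        print(verdict.ljust(13), line.split("Deny ", 1)[1])
```

Run against the excerpt, every packet that arrived in via ed0 from port 80 gets state-only, and every packet in via ed1 from 1.2.3.2 to port 80 gets syn-only (a pure SYN would have matched the "setup keep-state" rule and never been logged). In other words, all eleven denies are packets that only a dynamic entry could have passed, so the question to pursue is why no entry existed for those flows at that instant, e.g. by watching `ipfw -d show` while the browser is active; a static-allow verdict, by contrast, would point at rule order or the wrong interface.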