Date:      Wed, 19 Jun 2002 17:36:40 -0700
From:      "Corey Snow" <corey@snowpoint.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw dropping legit packets?
Message-ID:  <3D10C128.8915.1C677A9@localhost>

I have a filtering bridge set up on my LAN betwixt my DSL and my DMZ. 
I've set it up with ipfw and built the kernel with the appropriate 
options.

Everything seems to be working well, although I recently turned on 
the "log" flag for my last rule, deny ip from any to any. It's 
strange, but it seems as though the firewall is denying some traffic 
(only a few packets here and there) that should be considered 
legitimate.

Here's my ipfw ruleset (addresses munged):

ratbastard# cat rc.ratbastardfw
#ratbastard firewall initialization script. This bridge
#firewall simply passes packets from the Internet to an internal DMZ,
#filtering them along the way. As such, we allow very little traffic in.

#1.2.3.1 - DNS and Web
#1.2.3.3 - Secondary DNS and Mail
#1.2.3.2 - Workstation

add check-state

#allow inbound DNS
add allow udp from any to 1.2.3.1 53 in via ed0 keep-state
add allow udp from any to 1.2.3.3 53 in via ed0 keep-state

#allow outbound DNS
add allow udp from 1.2.3.1 to any 53 in via ed1 keep-state
add allow udp from 1.2.3.3 to any 53 in via ed1 keep-state

#allow HTTP
add allow tcp from any to 1.2.3.1 80,443 in via ed0 setup keep-state

#allow SMTP and POP3
add allow tcp from any to 1.2.3.3 25,110 in via ed0 setup keep-state

#allow SMTP relay so we can send out through a machine with reverse DNS
add allow tcp from 1.2.3.3 to isprelay 25 in via ed1 setup keep-state

#allow internal traffic out.
add allow tcp from 1.2.3.2 to any in via ed1 setup keep-state
add allow udp from 1.2.3.2 to any in via ed1 keep-state

#Allow ssh to this machine on internal interface.
add allow tcp from securews to me 22 in via ed1 keep-state

#allow internal machines to ping
add allow icmp from any to me in via ed1 icmptypes 8 keep-state

#deny anything else and log it
add deny log ip from any to any
ratbastard#


---

When this set of rules is in effect, I will get stuff like this in my 
security log (addresses munged). The IP address that is being denied 
is a web site I tried to visit. I can see the web site and all seems 
to be well, but these keep popping up in my log, indicating that 
something is being denied that shouldn't be. Shouldn't the 
"keep-state" rules take care of this kind of thing?

ratbastard# tail security
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3199 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3200 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3202 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3230 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3240 216.150.6.70:80 in via ed1
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3244 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3226 in via ed0
ratbastard#

Other data:

FreeBSD 4.5-RELEASE, 486 DX2/66, 32 MB RAM, 2 ISA NICs. ed0: 
Internet, ed1: internal interface. System is in bridging mode, and 
only has one IP address that I use to access it via ssh.

Thanks for any suggestions or comments.

Regards,

Corey Snow
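Added example (not part of Corey's post): a small Python script that parses ipfw log lines in the format shown above and sorts the denials into classes, so that the question "is the deny rule catching something it shouldn't?" can be answered from the log rather than by eye. The interface roles (ed0 Internet, ed1 DMZ), the internal hosts and the exposed services are taken from the ruleset in the post; the class names are this example's own. Replies from a remote port 80 to a high port on the workstation that are denied on ed0, and packets from the workstation to port 80 denied on ed1, are what an expired or never-created dynamic (keep-state) rule looks like in the log: `check-state` only matches packets for which a dynamic rule still exists, and the `setup` rule only matches a SYN, so any later packet of a connection whose state has timed out falls through to the final deny. A flow denied on both interfaces within the same second is a strong hint of exactly that.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the log lines quoted in the post, re-joined onto one
# line each (the mail client had wrapped them at a space).
SAMPLE_LOG = """\
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3199 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3200 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3202 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3230 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3240 216.150.6.70:80 in via ed1
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3244 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3226 in via ed0
"""

# FreeBSD 4.x ipfw log line, after the syslog prefix:
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Assumptions taken from the post: ed0 faces the Internet, ed1 faces the DMZ,
# and these three hosts are the protected machines behind the bridge.
OUTSIDE_IF = "ed0"
INSIDE_IF = "ed1"
INTERNAL_HOSTS = {"1.2.3.1", "1.2.3.2", "1.2.3.3"}
# (host, port) pairs the ruleset deliberately exposes to the Internet.
EXPOSED = {("1.2.3.1", 53), ("1.2.3.3", 53), ("1.2.3.1", 80), ("1.2.3.1", 443),
           ("1.2.3.3", 25), ("1.2.3.3", 110)}


def parse_line(line):
    """Return a dict for an ipfw log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def classify(entry):
    """Label a denied packet by what it looks like relative to the policy."""
    src, dst = entry["src"], entry["dst"]
    sport, dport = entry["sport"], entry["dport"]
    if entry["iface"] == OUTSIDE_IF and dst in INTERNAL_HOSTS:
        if (dst, dport) in EXPOSED:
            # A static allow rule should have caught this; the rule itself needs a look.
            return "inbound-to-exposed-service"
        if sport < 1024 and dport >= 1024:
            # Server-port to client-port: a reply to a connection with no live dynamic rule.
            return "late-reply-no-state"
        # Ordinary Internet noise; the final deny is doing its job.
        return "unsolicited-inbound"
    if entry["iface"] == INSIDE_IF and src in INTERNAL_HOSTS:
        # Non-SYN from inside that matched no dynamic rule (a SYN would hit the setup rule).
        return "outbound-no-state"
    return "other"


def analyze(log_text):
    """Summarise the denials in a block of syslog text."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = [e for e in entries if e["action"].lower() == "deny"]
    by_class = Counter(classify(e) for e in denied)
    # Key each packet by its unordered endpoint pair so one connection denied in
    # both directions (on both interfaces) stands out.
    flows = defaultdict(set)
    for e in denied:
        key = frozenset({(e["src"], e["sport"]), (e["dst"], e["dport"])})
        flows[key].add(e["iface"])
    both_ways = sorted(tuple(sorted(k)) for k, ifaces in flows.items() if len(ifaces) == 2)
    return {"denied": len(denied), "by_class": dict(by_class),
            "flows_denied_both_ways": both_ways}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['denied']} denied packets")
    for label, n in sorted(report["by_class"].items()):
        print(f"  {label}: {n}")
    for flow in report["flows_denied_both_ways"]:
        print(f"  denied on both interfaces: {flow}")
```

Run it against `tail security` output (or `cat /var/log/security | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`). On the sample, all eight ed0 denials are classed as late replies and all three ed1 denials as stateless outbound packets, with the 1.2.3.2:3240 to 216.150.6.70:80 flow denied in both directions; none fall into the "unsolicited-inbound" class, which is the one that would show the deny rule doing useful work against outside traffic. The thing to check next in that case is the dynamic-rule lifetimes (`sysctl net.inet.ip.fw` lists the `dyn_*_lifetime` values) rather than the static rules.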
