Date: Sun, 19 Jan 2003 17:27:58 -0800
From: "john" <john@johncglass.com>
To: <freebsd-questions@freebsd.org>
Subject: IPFW stateful ruleset problems on 4.7 STABLE
Message-ID: <761D45700A1C344585688C2E85D0895B043233@controller>
Greetings,

I seem to be having a few problems with my new ipfw stateful firewall bridge ruleset. If I understand this correctly, a client should make a request to port 80, get issued a SYN flag, and the session is allowed further communication via the first rule 22100 'check-state.' When I view the site from an outside location, everything seems to be running fine, but when I check the log file, it appears that the 'deny all' rule is being hit quite a bit more often than I expected. Syslog shows me

Jan 19 17:09:25 postfix /kernel: ipfw: 22500 Deny TCP 207.124.361.215:2345 10.10.10.10:80 in via sis0
Jan 19 17:09:26 postfix /kernel: ipfw: 22500 Deny TCP 154.951.221.81:4376 10.10.10.10:80 in via sis0
Jan 19 17:09:32 postfix /kernel: ipfw: 22500 Deny TCP 158.113.207.162:55639 10.10.10.10:80 in via sis0
Jan 19 17:09:32 postfix /kernel: ipfw: 22500 Deny TCP 127.113.227.62:55639 10.10.10.10:80 in via sis0
Jan 19 17:09:33 postfix /kernel: ipfw: 22550 Deny TCP 10.10.10.10:1801 142.261.148.67:80 in via fxp2

I'm getting these messages literally every couple of seconds. I would expect this behaviour when the filter is first activated (dropping old connections that do not have the flag set) but not after several hours. I'm seeing similar happenings on my mail servers, so I believe it is a problem with my ruleset, and not something machine specific. I have included the relevant document pieces below. Can anyone spot my silly mistake and care to inform me of the problem?

Thanks,
~John

... Some generic rules ..
add 6700 skipto 22100 all from 10.10.10.10 to any
add 6750 skipto 22100 all from any to 10.10.10.10
...

#ruleset for machine
add 22100 check-state
#allow in terminal services
add 22200 allow tcp from any to 10.10.10.10 3389 in setup keep-state
#allow out terminal services
add 22250 allow tcp from 10.10.10.10 to any 3389 out setup keep-state
#allow AIM
add 22275 allow tcp from 10.10.10.10 to any 5190 setup keep-state
add 22276 allow tcp from any 5190 to 10.10.10.10 setup keep-state
#Allow in Web
add 22300 allow tcp from any to 10.10.10.10 80 setup keep-state
#Allow out web
add 22350 allow tcp from 10.10.10.10 to any 80 setup keep-state
add 22400 allow udp from 10.10.10.10 to any 53 keep-state
#Now block everything else
add 22500 deny log logamount 200 ip from any to 10.10.10.10
add 22550 deny log logamount 200 ip from 10.10.10.10 to any
add 23000 skipto 60000 all from any to any
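As an added illustration of how ipfw evaluates the check-state / setup keep-state / deny chain above (this is a simplified model written for this page, not ipfw's own code), the following walks a TCP exchange through rules 22100, 22300, 22350, 22500 and 22550. The client address, the second server address and the dynamic-rule lifetimes are constructed assumptions; on a real system the lifetimes come from the net.inet.ip.fw.dyn_*_lifetime sysctls.

```python
# Simplified model of ipfw check-state / keep-state evaluation for the
# ruleset in the post. Added illustration, not ipfw's own code.
HOST = "10.10.10.10"
# (rule number, action, port-80 restriction, which side of HOST the rule covers)
RULES = [
    (22100, "check-state", None, None),
    (22300, "allow", 80, "to_host"),    # allow tcp from any to HOST 80 setup keep-state
    (22350, "allow", 80, "from_host"),  # allow tcp from HOST to any 80 setup keep-state
    (22500, "deny", None, "to_host"),   # deny log ip from any to HOST
    (22550, "deny", None, "from_host"), # deny log ip from HOST to any
]
# Assumed lifetimes (seconds): established flows live long, FIN/RST shortens them.
LIFE_ESTABLISHED, LIFE_CLOSING = 300, 1


def packet(t, src, sport, dst, dport, flags):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


class Firewall:
    def __init__(self):
        self.dynamic = {}  # (src, sport, dst, dport) -> expiry time

    def _find_state(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for key in (fwd, rev):  # a dynamic rule matches both directions
            if key in self.dynamic:
                if self.dynamic[key] > pkt["t"]:
                    return key
                del self.dynamic[key]  # expired state is purged, not matched
        return None

    def evaluate(self, pkt):
        """Return the number of the rule that decided this packet."""
        is_setup = "S" in pkt["flags"] and "A" not in pkt["flags"]
        side = "to_host" if pkt["dst"] == HOST else "from_host"
        for num, action, port, rule_side in RULES:
            if action == "check-state":
                key = self._find_state(pkt)
                if key is None:
                    continue  # no live state: fall through to the static rules
                closing = "F" in pkt["flags"] or "R" in pkt["flags"]
                self.dynamic[key] = pkt["t"] + (LIFE_CLOSING if closing else LIFE_ESTABLISHED)
                return num
            if rule_side != side:
                continue
            if port is not None:  # 'setup keep-state': only a bare SYN matches and creates state
                if pkt["dport"] != port or not is_setup:
                    continue
                self.dynamic[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = pkt["t"] + LIFE_ESTABLISHED
            return num
        return None


def simulate(packets):
    """Feed packets through one Firewall and return the deciding rule for each."""
    fw = Firewall()
    return [fw.evaluate(p) for p in packets]
```

A non-SYN segment that arrives after its dynamic rule has been purged (for example a late ACK after the FIN shortened the lifetime) matches neither check-state nor a setup rule and is logged by 22500 or 22550, which is the same shape as the syslog lines above.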