From: "john" <john@johncglass.com>
To: freebsd-questions@freebsd.org
Subject: IPFW stateful ruleset problems on 4.7 STABLE
Date: Sun, 19 Jan 2003 17:27:58 -0800

Greetings,

I seem to be having a few problems with my new ipfw stateful firewall bridge ruleset. If I understand this correctly, a client should make a request to port 80, get issued a SYN flag, and the session is then allowed further communication via the first rule, 22100 'check-state'. When I view the site from an outside location, everything seems to be running fine, but when I check the log file, it appears that the 'deny all' rule is being hit quite a bit more often than I expected.
Syslog shows me

Jan 19 17:09:25 postfix /kernel: ipfw: 22500 Deny TCP 207.124.361.215:2345 10.10.10.10:80 in via sis0
Jan 19 17:09:26 postfix /kernel: ipfw: 22500 Deny TCP 154.951.221.81:4376 10.10.10.10:80 in via sis0
Jan 19 17:09:32 postfix /kernel: ipfw: 22500 Deny TCP 158.113.207.162:55639 10.10.10.10:80 in via sis0
Jan 19 17:09:32 postfix /kernel: ipfw: 22500 Deny TCP 127.113.227.62:55639 10.10.10.10:80 in via sis0
Jan 19 17:09:33 postfix /kernel: ipfw: 22550 Deny TCP 10.10.10.10:1801 142.261.148.67:80 in via fxp2

I'm getting these messages literally every couple of seconds. I would expect this behaviour when the filter is first activated (dropping old connections that do not have the flag set), but not after several hours. I'm seeing similar happenings on my mail servers, so I believe it is a problem with my ruleset and not something machine specific. I have included the relevant document pieces below. Can anyone spot my silly mistake and care to inform me of the problem?

Thanks,
~John

... Some generic rules ...
add 6700 skipto 22100 all from 10.10.10.10 to any
add 6750 skipto 22100 all from any to 10.10.10.10
...
#ruleset for machine
add 22100 check-state
#allow in terminal services
add 22200 allow tcp from any to 10.10.10.10 3389 in setup keep-state
#allow out terminal services
add 22250 allow tcp from 10.10.10.10 to any 3389 out setup keep-state
#allow AIM
add 22275 allow tcp from 10.10.10.10 to any 5190 setup keep-state
add 22276 allow tcp from any 5190 to 10.10.10.10 setup keep-state
#Allow in Web
add 22300 allow tcp from any to 10.10.10.10 80 setup keep-state
#Allow out web
add 22350 allow tcp from 10.10.10.10 to any 80 setup keep-state
add 22400 allow udp from 10.10.10.10 to any 53 keep-state
#Now block everything else
add 22500 deny log logamount 200 ip from any to 10.10.10.10
add 22550 deny log logamount 200 ip from 10.10.10.10 to any
add 23000 skipto 60000 all from any to any
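An added triage helper, not part of John's message: it parses ipfw(8) log lines in the format quoted above and splits the denies into packets for which the posted ruleset has a matching "setup keep-state" rule (so a SYN would have been accepted and the denied packet is a non-SYN segment with no live dynamic entry) and packets nothing in the ruleset would allow. The host address and port sets are taken from the ruleset above; the sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter
# Service ports the posted ruleset opens with "setup keep-state", relative to the firewalled
# host: 22200/22300 inbound, 22250/22275/22350/22400 outbound (22276 keys on the source port and is skipped).
LOCAL = "10.10.10.10"
ALLOWED_IN = {("TCP", 3389), ("TCP", 80)}
ALLOWED_OUT = {("TCP", 3389), ("TCP", 5190), ("TCP", 80), ("UDP", 53)}
# Constructed sample in the ipfw(8) syslog format quoted above (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 19 17:09:25 postfix /kernel: ipfw: 22500 Deny TCP 203.0.113.7:2345 10.10.10.10:80 in via sis0
Jan 19 17:09:30 postfix /kernel: ipfw: 22500 Deny TCP 198.51.100.9:4377 10.10.10.10:445 in via sis0
Jan 19 17:09:33 postfix /kernel: ipfw: 22550 Deny TCP 10.10.10.10:1801 192.0.2.44:80 in via fxp2
Jan 19 17:09:40 postfix /kernel: ipfw: 22500 Deny ICMP:8.0 198.51.100.9 10.10.10.10 in via sis0
"""
LINE_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
                     r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")

def split_endpoint(ep):
    """'10.10.10.10:80' -> ('10.10.10.10', 80); ICMP entries carry no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def parse_line(line):
    """Parse one ipfw log line into a dict; None for unrelated syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["proto"] = rec["proto"].split(":")[0]  # "ICMP:8.0" -> "ICMP"
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    return rec

def classify(rec):
    """'no_state' if a SYN to this port would have matched a setup rule before the deny (so the
    denied packet is a non-SYN segment whose dynamic entry expired or never existed), else 'blocked'."""
    allowed = ALLOWED_IN if rec["dst"] == LOCAL else ALLOWED_OUT if rec["src"] == LOCAL else set()
    return "no_state" if (rec["proto"], rec["dport"]) in allowed else "blocked"

def summarize(text):
    """Count denies per (rule, interface) and per category; returns two Counters."""
    by_rule, by_kind = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            by_rule[(rec["rule"], rec["iface"])] += 1
            by_kind[classify(rec)] += 1
    return by_rule, by_kind
```

A steady stream of 'no_state' hits on port 80 after the ruleset has been up for hours points at dynamic entries timing out under idle connections rather than at scanning, while 'blocked' hits are the denies the ruleset is meant to produce.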