From owner-freebsd-questions Sat Nov 9 9:28:50 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4598837B401 for ; Sat, 9 Nov 2002 09:28:47 -0800 (PST)
Received: from h173n2fls21o55.telia.com (h173n2fls21o55.telia.com [213.64.76.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id A2E3B43E42 for ; Sat, 9 Nov 2002 09:28:44 -0800 (PST) (envelope-from micke@h173n2fls21o55.telia.com)
Received: from h173n2fls21o55 (localhost [127.0.0.1]) by grendel.telia.com (8.12.6/8.12.6) with ESMTP id gA9HJOp3041829 for ; Sat, 9 Nov 2002 18:19:24 +0100 (CET) (envelope-from micke@h173n2fls21o55.telia.com)
Received: (from micke@localhost) by h173n2fls21o55 (8.12.6/8.12.6/Submit) id gA9HJOfF041828 for freebsd-questions@freebsd.org; Sat, 9 Nov 2002 18:19:24 +0100 (CET)
Date: Sat, 9 Nov 2002 18:19:23 +0100
From: Micael Ebbmar
To: freebsd-questions@freebsd.org
Subject: IPFW2 denies packet although they match ALLOW rule?
Message-ID: <20021109171923.GA41802@h173n2fls21o55>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-Mailer: Mutt http://www.mutt.org/
X-Uptime: 6:17pm up 2 days, 20:28, 8 users, load averages: 0,10 0,06 0,01
X-OS: FreeBSD 4.7-STABLE
X-URL: http://www.ebbmar.net/
X-Location: Europe, Sweden, Trollhattan
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Excuse me if I'm posting to the wrong list. I thought at first that freebsd-ipfw should be the correct one, but obviously only discussion about the redesign of IPFW should be discussed there. Anyways, I hope someone can help me here..

A week ago, I made the transition from IPFW to IPFW2 (on my 4.7-STABLE box), and I thought it would be a good idea to rewrite my previous stateless rules to stateful.

After a few days I noticed in /var/log/security that IPFW once in a while blocks outbound packets to my pop servers and a webserver, which I've allowed in a previous rule (0310). I still can pop my mail and browse the web without any problems, but I'm still curious why it denies the packets.

Can it be that the stateful rule has expired and the interface is resending/receiving some old packets? If so, is that normal or an indication of a broken NIC? Or are any of the sysctl variables net.inet.ip.fw.* too short? (Haven't touched them yet)

Log snippet of /var/log/security:

Nov 8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov 8 00:26:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:27 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:26:29 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:26:33 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:26:41 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:26:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:45 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov 8 00:26:57 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:27:15 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:27:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov 8 00:27:49 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
...
Nov 8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:47:31 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:50:22 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:51:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:52:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:53:34 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:54:38 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:55:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:56:46 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:57:50 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov 8 16:58:54 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1

And my rules look like this:

# Identd
add 0200 reset log tcp from any to any 113
# Only allow outbound TCP connections I have created
add 0300 check-state
# Deny packets with ACK flag set which doesn't match the above rule
add 0305 deny tcp from any to any in established
# Allow all outgoing setup TCP connections (SYN)
add 0310 allow tcp from any to any out setup keep-state
# Allow login on ISP
add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state
# Allow DNS
add 0400 allow udp from me to 10.0.0/24{1,2} 53 keep-state out xmit ep1
# Allow DHCP offers and requests
add 0500 allow udp from me 68 to 213.64.75.1 keep-state out via ep1
# Allow ntpd to lth.se and ntp1.sp.se
add 0600 allow ip from me 123 to 130.235.20.3 keep-state out via ep1
# Allow some ICMP types (dest. unreachable, source quench,
# echo reply/request, time exceed)
add 0650 allow icmp from any to any icmptypes 3,4
add 0655 allow icmp from any to any icmptypes 8 out
add 0660 allow icmp from any to any icmptypes 0,11 in
# Allow access to my webserver from school
add 0700 allow tcp from 193.10.0.0/16 to me 80 setup keep-state in via ep1
# Allow ssh access from school
add 0750 allow tcp from 193.10.0.0/16 to me 22 setup keep-state in via ep1
# Deny and log the rest
add 1000 deny log logamount 1000 ip from any to any via ep1

As long as it's working fine, I really shouldn't bother, but I'm curious about it, and it's a real logfiller..

Cheers,
Micke

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
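The denied lines in the post are easier to reason about as flows than as raw log text: the pop-server denies all carry the same source port (2529) and recur roughly once a minute, while the webserver denies are spread over several source ports. The following Python script is an added example, not code from the original post or from the FreeBSD project. It parses ipfw(4) syslog lines of the form shown in the post, groups denied packets by 4-tuple and direction, and reports how often each flow was denied and at what intervals, so that repeated denies of one unchanged connection (the pattern one would expect if a dynamic rule had expired while the connection was still alive) stand out from separate new connections. The sample log lines are constructed with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and mirror the post's pattern; the "Accept" action word and the "ICMP:type.code" line form are assumed from ipfw's log output and are not taken from the post.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# syslog line written by ipfw(4) on FreeBSD 4.x for a TCP/UDP verdict:
#   "<Mon dd HH:MM:SS> <host> /kernel: ipfw: <rule> <Action> <PROTO> src:sport dst:dport in|out via <iface>"
# ICMP lines use a different "ICMP:type.code src dst" form and are skipped here.
IPFW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample input (not the post's real addresses); same shape as the post's log.
SAMPLE_LOG = """\
Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1938 198.51.100.5:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1940 198.51.100.5:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1938 198.51.100.5:80 out via ep1
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:2529 203.0.113.7:110 out via ep1
Nov  8 16:47:31 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:2529 203.0.113.7:110 out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:2529 203.0.113.7:110 out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 192.0.2.10:2529 203.0.113.7:110 out via ep1
Nov  8 16:49:20 grendel /kernel: ipfw: 310 Accept TCP 192.0.2.10:2600 203.0.113.7:110 out via ep1
Nov  8 16:49:21 grendel /kernel: ipfw: 1000 Deny ICMP:8.0 192.0.2.10 203.0.113.7 out via ep1
"""


def parse_ipfw_line(line):
    """Return a dict of fields for one ipfw TCP/UDP syslog line, or None if it does not match."""
    m = IPFW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # good enough for computing gaps between events on the same day.
    rec["time"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    return rec


def summarize_denies(lines, rule=None):
    """Group denied packets by (proto, src, sport, dst, dport, dir).

    For each flow return the number of denies, the time span covered and the
    gaps (seconds) between consecutive denies. Non-matching and non-Deny
    lines are ignored; rule= restricts the summary to one rule number."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if rule is not None and rec["rule"] != rule:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["dir"])
        flows[key].append(rec["time"])
    summary = {}
    for key, times in flows.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "gaps_s": gaps,
        }
    return summary


def repeated_flows(summary, min_hits=3):
    """Flows denied at least min_hits times on the same source port.

    A fresh connection gets a new ephemeral source port, so many denies on one
    unchanged 4-tuple point at packets of a single, still-active connection
    being refused, not at separate connection attempts."""
    return {k: v for k, v in summary.items() if v["count"] >= min_hits}


if __name__ == "__main__":
    # Usage: python3 ipfw_denies.py [/var/log/security]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize_denies(source.splitlines(), rule=1000)
    for key, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        proto, src, sport, dst, dport, direction = key
        print(f"{proto} {src}:{sport} -> {dst}:{dport} {direction}: "
              f"{info['count']} denies over {info['span_s']}s, gaps {info['gaps_s']}")
    print("repeated on one source port:", len(repeated_flows(summary)))
```

Run against the real file with `python3 ipfw_denies.py /var/log/security`. Flows reported by `repeated_flows` are the ones worth comparing against the dynamic-rule lifetime sysctls the post mentions (the net.inet.ip.fw.* timeouts): if the gaps between denies are shorter than those lifetimes yet the packets still hit the deny rule, the dynamic rule for that connection no longer exists and the reason lies elsewhere than plain expiry.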