Date:      Sat, 9 Nov 2002 18:19:23 +0100
From:      Micael Ebbmar <micke@ebbmar.net>
To:        freebsd-questions@freebsd.org
Subject:   IPFW2 denies packet although they match ALLOW rule?
Message-ID:  <20021109171923.GA41802@h173n2fls21o55>

Excuse me if I'm posting to the wrong list; I thought at first that freebsd-ipfw would be
the correct one, but obviously only the redesign of IPFW should be discussed there.

Anyways, I hope someone can help me here..

A week ago, I made the transition from IPFW to IPFW2 (on my 4.7-Stable box), and I thought it would
be a good idea to rewrite my previous stateless rules to stateful.
After a few days I noticed in /var/log/security that IPFW once in a while blocks outbound
packets to my POP servers and a webserver, which I've allowed in a previous rule (0310).
I can still pop my mail and browse the web without any problems, but I'm still curious why it denies the packets. Can it be
that the stateful rule has expired and the interface is resending/receiving some old packets? If so, is that normal or an
indication of a broken NIC?
Or are any of the sysctl variables net.inet.ip.fw.* too short? (I haven't touched them yet.)

Log snippet of /var/log/security:
Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:27 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:29 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:33 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:41 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:26:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:45 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:57 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:27:15 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:27:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 207.174.189.161:80 out via ep1
Nov  8 00:27:49 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
...
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:47:31 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:50:22 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:51:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:52:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:53:34 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:54:38 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:55:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:56:46 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:57:50 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:58:54 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1

And my rules look like this:

# Identd
add 0200 reset log tcp from any to any 113

# Only allow outbound TCP connections I have created
add 0300 check-state

# Deny packets with the ACK flag set that don't match the above rule
add 0305 deny tcp from any to any in established

# Allow all outgoing setup TCP connections (SYN)
add 0310 allow tcp from any to any out setup keep-state

# Allow login on ISP
add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

# Allow DNS
add 0400 allow udp from me to 10.0.0/24{1,2} 53 keep-state out xmit ep1

# Allow DHCP offers and requests
add 0500 allow udp from me 68 to 213.64.75.1 keep-state out via ep1

# Allow ntpd to lth.se and ntp1.sp.se
add 0600 allow ip from me 123 to 130.235.20.3 keep-state out via ep1

# Allow some ICMP types (dest. unreachable, source quench,
# echo reply/request, time exceed)
add 0650 allow icmp from any to any icmptypes 3,4
add 0655 allow icmp from any to any icmptypes 8 out
add 0660 allow icmp from any to any icmptypes 0,11 in

# Allow access to my webserver from school
add 0700 allow tcp from 193.10.0.0/16 to me 80 setup keep-state in via ep1

# Allow ssh access from school
add 0750 allow tcp from 193.10.0.0/16 to me 22 setup keep-state in via ep1

# Deny and log the rest
add 1000 deny log logamount 1000 ip from any to any via ep1
As long as it's working fine, I really shouldn't bother, but I'm curious about it, and it's a real log filler.

Cheers,
Micke
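A small log triage script, added here as an example (it is not part of the original post and not FreeBSD code): it parses lines in the /var/log/security format shown above, groups outbound TCP denies by source port and destination, and reports flows that keep being denied from the same source port. Under this rule set every fresh outbound SYN matches rule 0310 and gets a dynamic rule, so a packet that falls through to rule 1000 can only be a non-SYN segment of a connection whose dynamic rule has already gone; the sample lines are constructed, and the year is assumed from the post's date.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's /var/log/security excerpt
# (source address masked the way the post masks it).
SAMPLE_LOG = """\
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 out via ep1
Nov  8 16:50:00 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:3000 66.54.152.7:110 out via ep1
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$")
SYSLOG_YEAR = 2002  # syslog stamps carry no year; assumed from the post's date

def summarize_flows(text):
    """Map each outbound-denied TCP 4-tuple to the timestamps it was logged."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "Deny" or m["dir"] != "out" or m["proto"] != "TCP":
            continue  # unrelated syslog noise or a different kind of deny
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        flows[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))].append(ts)
    return dict(flows)

def expired_state_candidates(text, min_hits=2):
    """Flows denied repeatedly from one source port, with the gaps between hits.

    Repeats from the same ephemeral port at steady or growing intervals are
    retransmissions of a connection whose dynamic rule expired, not new
    sessions; a single hit is more likely a stray late FIN or RST.
    """
    found = []
    for key, stamps in summarize_flows(text).items():
        if len(stamps) >= min_hits:
            gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
            found.append((key, len(stamps), gaps))
    return found
```

If the flagged flows are long-lived sessions that went idle before the first deny, compare the idle time with sysctl net.inet.ip.fw.dyn_ack_lifetime (the idle lifetime of an established dynamic rule) before suspecting the NIC.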
