From: Giorgos Keramidas <keramida@FreeBSD.org>
To: Micael Ebbmar, freebsd-questions@FreeBSD.org
Subject: Re: IPFW2 denies packet although they match ALLOW rule?
Date: Sun, 10 Nov 2002 00:05:44 +0200
Message-ID: <006b01c2883c$bf360900$42d7cdd4@LocalHost>
References: <20021109171923.GA41802@h173n2fls21o55>

Please wrap your posts (everything except for computer output) below
70-80 columns. It's very hard to read otherwise :-/

Micael Ebbmar wrote:
: Excuse me if I'm posting to the wrong list, I thought at first that
: freebsd-ipfw should be the correct one, but obviously only
: discussion about the redesign of IPFW should be discussed there.

True.
: A week ago, I made the transition from IPFW to IPFW2 (on my
: 4.7-Stable box), and I thought it would be a good idea to rewrite my
: previous stateless rules to stateful. After a few days I noticed in
: /var/log/security that IPFW once in a while blocks outbound packets
: to my pop servers and a webserver, which I've allowed in a previous
: rule (0310). I still can pop my mail and browse the web without any
: problems, but I'm still curious why it denies the packets. Can it be
: that the stateful rule has expired and the interface is
: resending/receiving some old packets? If so, is that normal or an
: indication of a broken NIC? Or is any of the sysctl variables
: net.inet.ip.fw.* too short? (Haven't touched them yet)

Web clients sometimes cache connections to web servers, hoping to save
some time by avoiding a reconnect for every GET request. Could it be
that your client thinks that a cached connection is still valid long
after the dynamic ipfw rule has expired?

: Log snippet of /var/log/security:
:
: Nov 8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
: Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: [...]
:
: And my rules look like this:
:
: add 0200 reset log tcp from any to any 113
: add 0300 check-state
: add 0305 deny tcp from any to any in established
: add 0310 allow tcp from any to any out setup keep-state
: [...]
: add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

Doesn't rule 0310 make rule 0350 redundant?

: add 1000 deny log logamount 1000 ip from any to any via ep1
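As an added example (not code from this thread or from the FreeBSD project), the following Python script checks the diagnosis Giorgos suggests against log lines of the form Micael posted. Rule 0310 only matches `setup` (SYN) packets and installs a dynamic rule; the later packets of that flow are matched by `check-state` at 0300. Once the dynamic rule expires, a packet on an idle HTTP keep-alive connection matches neither rule and falls through to the catch-all deny at 1000. The tell-tale sign is the same source port hitting rule 1000 more than once within seconds, which is a client retransmitting on a connection it still believes is open, not a NIC resending old frames. The sample lines are constructed (the masked `213.64.x.x` is replaced by the made-up `213.64.1.2`), and the rule number 1000 is taken from the ruleset above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the /var/log/security snippet in the
# thread. Addresses are made up; the fourth line is an unrelated inbound deny.
SAMPLE_LOG = """\
Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.1.2:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.1.2:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.1.2:1938 207.174.189.161:80 out via ep1
Nov  8 00:30:01 grendel /kernel: ipfw: 1000 Deny TCP 10.0.0.9:4455 213.64.1.2:22 in via ep1
"""

# syslog timestamp, host, "/kernel: ipfw: <rule> <action> <proto> src:sport dst:dport <dir> via <iface>"
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+/kernel:\s+"
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)$"
)


def parse_ipfw_log(text, year=2002):
    """Yield one dict per recognised ipfw log line; other lines are skipped.

    syslog lines carry no year, so the caller supplies it (assumed 2002 here).
    """
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(
            f"{year} {ev['mon']} {ev['day']} {ev['time']}", "%Y %b %d %H:%M:%S"
        )
        for key in ("rule", "sport", "dport"):
            ev[key] = int(ev[key])
        yield ev


def stale_flow_report(text, deny_rule=1000):
    """Group outbound denies on the catch-all rule by TCP 4-tuple.

    A 4-tuple that hits the deny rule more than once is a client retrying on a
    connection it still considers open, i.e. the dynamic rule for that flow has
    already expired (the keep-alive case discussed in the thread).
    """
    flows = defaultdict(list)
    for ev in parse_ipfw_log(text):
        if ev["rule"] == deny_rule and ev["action"] == "Deny" and ev["dir"] == "out":
            flows[(ev["src"], ev["sport"], ev["dst"], ev["dport"])].append(ev["ts"])

    report = {}
    for key, times in flows.items():
        times.sort()
        report[key] = {
            "hits": len(times),
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "retried": len(times) > 1,
        }
    return report


if __name__ == "__main__":
    for (src, sport, dst, dport), info in stale_flow_report(SAMPLE_LOG).items():
        tag = "stale keep-alive suspect" if info["retried"] else "single hit"
        print(f"{src}:{sport} -> {dst}:{dport}  hits={info['hits']} "
              f"span={info['span_s']}s  {tag}")
```

Run it on a real /var/log/security by passing the file's contents instead of `SAMPLE_LOG`. The timer that governs how long an established TCP flow's dynamic rule survives without traffic is `net.inet.ip.fw.dyn_ack_lifetime` (the `net.inet.ip.fw.*` family Micael mentions; the default is 300 seconds), so flows that the report flags as retried after a longer idle gap than that value point at rule expiry rather than hardware.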