From: Micael Ebbmar
To: Giorgos Keramidas
Cc: freebsd-questions@FreeBSD.ORG
Date: Sun, 10 Nov 2002 00:08:08 +0100
Subject: Re: IPFW2 denies packet although they match ALLOW rule?
Message-ID: <20021109230808.GA2478@h173n2fls21o55.telia.com>
In-Reply-To: <006b01c2883c$bf360900$42d7cdd4@LocalHost>

* Giorgos Keramidas [021109 23:11]:
> Web clients sometimes cache connections to web servers, hoping to save
> some time from avoiding a reconnect for every GET request. Could it be
> that your clients think that a cached connection is still valid long
> after the dynamic ipfw rule has expired?

Well, that's a possibility... esp. with all those banners that refresh
every now and then. But that doesn't explain why the computer tries to
contact the pop servers (through Fetchmail) even after the normal
connection has been terminated. Since Fetchmail has finished the
conversation with the pop servers, the rule terminates. Then after some
time, it tries to connect again (note: not initialize, since obviously
the SYN isn't set and there it's blocked by rule 1000). I just find it
very odd.

> : Log snippet of /var/log/security:
> :
> : Nov 8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
> : Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : [...]
> : And my rules look like this:
> :
> : add 0200 reset log tcp from any to any 113
> : add 0300 check-state
> : add 0305 deny tcp from any to any in established
> : add 0310 allow tcp from any to any out setup keep-state
> : [...]
> : add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state
>
> Doesn't rule 0310 make rule 0350 redundant?

Ah, sure it is redundant! Thanx for pointing it out :)

> : add 1000 deny log logamount 1000 ip from any to any via ep1

Cheers,
Micke
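As an added example (not part of the thread, and not ipfw's own tooling), a small Python script that parses ipfw deny lines of the form quoted above and flags flows that are denied repeatedly from the same source port. That pattern is what a client retrying on a connection whose dynamic keep-state rule has already expired looks like in /var/log/security, as opposed to a fresh connection, which would get a new ephemeral port and a SYN. The sample lines are constructed from the snippet in the thread, with the masked address kept as-is.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the three lines quoted in the thread.
SAMPLE_LOG = """\
Nov 8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
"""

# syslog timestamp, host, then the ipfw log format: rule action proto src:port dst:port dir via iface
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_line(line):
    """Return a dict for one ipfw log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year; only deltas between timestamps matter here
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    for field in ("rule", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec


def find_retried_flows(lines, min_hits=2):
    """Group Deny entries by 5-tuple and report flows hit at least min_hits times.

    A TCP flow denied more than once from the same ephemeral source port is a
    peer still using a connection the firewall has already forgotten.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny":
            key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
            flows[key].append(rec["ts"])
    report = {}
    for key, stamps in flows.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            span = (stamps[-1] - stamps[0]).total_seconds()
            report[key] = {"hits": len(stamps), "span_seconds": span}
    return report


if __name__ == "__main__":
    for key, info in find_retried_flows(SAMPLE_LOG.splitlines()).items():
        print(key, info)
```

Pointed at the real log (`find_retried_flows(open("/var/log/security"))`), it separates stale-connection retries from genuinely new connections that rule 1000 caught.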