Date:      Sun, 10 Nov 2002 00:08:08 +0100
From:      Micael Ebbmar <micke@ebbmar.net>
To:        Giorgos Keramidas <keramida@FreeBSD.ORG>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW2 denies packet although they match ALLOW rule?
Message-ID:  <20021109230808.GA2478@h173n2fls21o55.telia.com>
In-Reply-To: <006b01c2883c$bf360900$42d7cdd4@LocalHost>
References:  <20021109171923.GA41802@h173n2fls21o55> <006b01c2883c$bf360900$42d7cdd4@LocalHost>

* Giorgos Keramidas <keramida@FreeBSD.ORG> [021109 23:11]:
> 
> Web clients sometimes cache connections to web servers, hoping to save
> some time by avoiding a reconnect for every GET request.  Could it be
> that your clients think that a cached connection is still valid long
> after the dynamic ipfw rule has expired?

Well, that's a possibility, esp. with all those banners that refresh every now
and then.

But that doesn't explain why the computer tries to contact the POP servers (through
Fetchmail) even after the normal connection has been terminated. Since Fetchmail has
finished the conversation with the POP servers, the rule terminates. Then after
some time, it tries to connect again (note: not initialize, since obviously the SYN
isn't set, and so it's blocked by rule 1000).
I just find it very odd.

> 
> : Log snippet of /var/log/security:
> : 
> : Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
> : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
> : [...]
> : And my rules look like this:
> : 
> : add 0200 reset log tcp from any to any 113
> : add 0300 check-state
> : add 0305 deny tcp from any to any in established
> : add 0310 allow tcp from any to any out setup keep-state
> : [...]
> : add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state
> 
> Doesn't rule 0310 make rule 0350 redundant?

Ah, sure it is redundant! Thanks for pointing it out :)

> 
> : add 1000 deny log logamount 1000 ip from any to any via ep1

Cheers,
Micke

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
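The mechanism Giorgos describes (a dynamic rule installed by `setup keep-state`, matched by `check-state` until it idles out, after which a non-SYN packet on the old connection cannot match `setup` and falls through to rule 1000) can be checked offline with a small model of the ruleset quoted above. The following is an added example, not code from the thread or from ipfw itself: it implements only the five quoted rules, uses a constructed packet trace with a constructed client address (the post masks it as 213.64.x.x), and treats the idle lifetime of an established dynamic rule as a parameter (ipfw's `net.inet.ip.fw.dyn_ack_lifetime` sysctl, whose default is assumed here to be 300 s). Real ipfw also uses a shorter lifetime before the handshake completes and matches RST under `established`; both are omitted.

```python
"""Model of the ipfw2 ruleset quoted in the thread (added example, not from the page).

Reproduces the 'ipfw: 1000 Deny TCP ... out via ep1' log line for a packet sent
on an HTTP keep-alive connection after its dynamic rule has idled out.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed default of net.inet.ip.fw.dyn_ack_lifetime (seconds); a parameter here.
DYN_ACK_LIFETIME = 300


@dataclass(frozen=True)
class Packet:
    t: float            # arrival time in seconds (constructed clock)
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str
    syn: bool = False
    ack: bool = False

    @property
    def setup(self) -> bool:        # ipfw 'setup': SYN set, ACK clear
        return self.syn and not self.ack

    @property
    def established(self) -> bool:  # ipfw 'established': ACK set (RST omitted)
        return self.ack

    def flow_key(self) -> frozenset:
        # Direction-independent key, so replies match the same dynamic rule.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class Firewall:
    def __init__(self, lifetime: float = DYN_ACK_LIFETIME):
        self.lifetime = lifetime
        self.dyn: Dict[frozenset, Tuple[float, int]] = {}  # key -> (expiry, parent rule)
        self.log: List[str] = []

    def _check_state(self, p: Packet) -> Optional[int]:
        """Rule 0300: match a live dynamic rule, refresh it, return its parent rule."""
        entry = self.dyn.get(p.flow_key())
        if entry is None:
            return None
        expiry, parent = entry
        if p.t >= expiry:               # idled out: the dynamic rule is gone
            del self.dyn[p.flow_key()]
            return None
        self.dyn[p.flow_key()] = (p.t + self.lifetime, parent)
        return parent

    def evaluate(self, p: Packet) -> Tuple[int, str]:
        if p.dport == 113:                          # 0200 reset log tcp ... 113
            return (200, "reset")
        parent = self._check_state(p)               # 0300 check-state
        if parent is not None:
            return (parent, "allow")
        if p.direction == "in" and p.established:   # 0305 deny tcp ... in established
            return (305, "deny")
        if p.direction == "out" and p.setup:        # 0310 allow tcp ... out setup keep-state
            self.dyn[p.flow_key()] = (p.t + self.lifetime, 310)
            return (310, "allow")
        if p.iface == "ep1":                        # 1000 deny log ip ... via ep1
            self.log.append(f"ipfw: 1000 Deny TCP {p.src}:{p.sport} "
                            f"{p.dst}:{p.dport} {p.direction} via {p.iface}")
            return (1000, "deny")
        return (65535, "deny")                      # kernel default rule (deny unless built to accept)


CLIENT, CLIENT_PORT = "213.64.0.1", 1938          # constructed client, as 213.64.x.x in the log
SERVER, HTTP = "207.174.189.161", 80               # server from the quoted log line


def out(t: float, sport: int = CLIENT_PORT, **flags) -> Packet:
    return Packet(t, CLIENT, sport, SERVER, HTTP, "out", "ep1", **flags)


def inb(t: float, sport: int = CLIENT_PORT, **flags) -> Packet:
    return Packet(t, SERVER, HTTP, CLIENT, sport, "in", "ep1", **flags)


def keepalive_scenario(lifetime: float = DYN_ACK_LIFETIME):
    """Constructed trace: one keep-alive HTTP connection, then a 450 s idle gap."""
    fw = Firewall(lifetime)
    trace = [
        ("SYN out",                      out(0, syn=True)),
        ("SYN/ACK in",                   inb(1, syn=True, ack=True)),
        ("ACK + GET out",                out(2, ack=True)),
        ("response in",                  inb(3, ack=True)),
        ("GET on kept-alive connection", out(100, ack=True)),
        ("GET after 450 s idle",         out(550, ack=True)),   # cached connection reused
        ("late ACK from server",         inb(551, ack=True)),
        ("new connection SYN out",       out(560, sport=1940, syn=True)),
    ]
    results = [(label, *fw.evaluate(p)) for label, p in trace]
    return results, fw.log


if __name__ == "__main__":
    for label, rule, action in keepalive_scenario()[0]:
        print(f"{rule:5d} {action:6s} {label}")
    print(*keepalive_scenario()[1], sep="\n")
```

With the assumed 300 s lifetime the sixth packet (a GET on a connection the browser kept alive through a 450 s pause) reaches rule 1000 and produces the same log line as in the post; the server's reply is then caught by rule 0305. Running `keepalive_scenario(lifetime=600)` makes every packet pass, which is what tuning the lifetime sysctl upward (or having clients close idle connections sooner) would achieve.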




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021109230808.GA2478>