Date:      Sat, 17 Jan 2004 18:10:09 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Cc:        freebsd-ipfw@freebsd.org
Subject:   5.2 + ipfw2 + keep-state rules Bug
Message-ID:  <MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user@a1poweruser.com>

Using a fresh install of FBSD 5.2 RC2 I am trying to
get stateful rules to function.
For some reason ipfw2 seems to be issuing an ICMP:3.3
packet to my ISP's dns.

Here is my rules file

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# Internal gateway housekeeping
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00105 allow all from any to any via xl0  # allow all local Lan
$cmd 00110 check-state log logamount 500
$cmd 00150 divert natd all from any to any
$cmd 00170 count log logamount 500 all from any to any
$cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
$cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
$cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
$cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
$cmd 00500 deny  log logamount 500 all from any to any

Here is the ipfw2 log
Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0

Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0

Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.12:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0

Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0


When I change the rules to use pass all just to test if there is something wrong with my ISP's dns server, everything works.
So there is no reason for the icmp 3.3 packet.


# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

# Internal gateway housekeeping
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00105 allow all from any to any via xl0  # allow all local Lan

$cmd 00150 divert natd all from any to any

$cmd 00160 allow log logamount 500 all from any to any

Log from above rules file
Ipfw: 160 Accept UDP 67.20.101.103:1175 208.206.15.11:53 out via rl0
Ipfw: 160 Accept UDP 208.206.15.11:53 10.0.10.5:1175 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0

This looks like a 5.2 ipfw2 bug to me.

Anybody explain why ipfw2 is doing this?
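An added example, not part of the original message or of ipfw itself: a small Python script that parses ipfw log lines in the format shown above and flags inbound packets that a keep-state rule accepted while their destination was still the public (pre-NAT) address. In the first log every DNS reply is accepted at rule 311 with destination 67.20.101.103:1181 rather than 10.0.10.5:1181, which is what you get when the check-state rule (110) sits before the divert natd rule (150): the reply matches the dynamic rule and is accepted before natd can rewrite it back to the LAN host, so it is delivered to the gateway's own stack, where nothing listens on that port, and the gateway answers with ICMP type 3 code 3 (port unreachable). In the pass-all log the reply is logged with the LAN address, i.e. after translation. The external address 67.20.101.103 and the log excerpts are taken from the post; the LAN prefix 10.0.10.0/24, the function names and the detection heuristic are my assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# One ipfw log line in the format shown in the post; ICMP entries carry no ports.
LINE_RE = re.compile(
    r"^Ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)$"
)


@dataclass
class LogEntry:
    rule: int
    action: str
    proto: str            # "UDP", "TCP", "ICMP:3.3", ...
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    direction: str        # "in" or "out"
    iface: str


def split_endpoint(text):
    """'208.206.15.11:53' -> ('208.206.15.11', 53); bare IP -> (ip, None)."""
    ip, sep, port = text.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (text, None)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return LogEntry(int(m["rule"]), m["action"], m["proto"], src_ip, src_port,
                    dst_ip, dst_port, m["direction"], m["iface"])


def find_untranslated_replies(lines, external_ip, lan_net):
    """Inbound packets accepted while still addressed to the public IP.

    An outbound packet logged with a LAN source and then with the public source
    was translated by natd; an Accept for its reply that still carries the public
    address as destination happened before 'divert natd' translated it back.
    """
    lan = ipaddress.ip_network(lan_net)
    pending, nat_map, findings = {}, {}, []
    for raw in lines:
        e = parse_line(raw)
        if e is None or e.src_port is None or e.dst_port is None:
            continue                                    # unparsable or ICMP
        if e.direction == "out":
            key = (e.proto, e.src_port)
            if ipaddress.ip_address(e.src_ip) in lan:
                pending[key] = (e.src_ip, e.src_port)   # pre-NAT view
            elif e.src_ip == external_ip and key in pending:
                nat_map[key] = pending[key]             # post-NAT view
        elif e.action == "Accept" and e.dst_ip == external_ip:
            key = (e.proto, e.dst_port)
            if key in nat_map:
                lan_ip, lan_port = nat_map[key]
                findings.append({"rule": e.rule, "proto": e.proto,
                                 "peer": f"{e.src_ip}:{e.src_port}",
                                 "accepted_dst": f"{e.dst_ip}:{e.dst_port}",
                                 "expected_dst": f"{lan_ip}:{lan_port}"})
    return findings


def count_port_unreachable(lines, external_ip):
    """Accepted outbound ICMP type 3 code 3 (port unreachable), per peer."""
    counts = {}
    for raw in lines:
        e = parse_line(raw)
        if (e and e.proto == "ICMP:3.3" and e.action == "Accept"
                and e.direction == "out" and e.src_ip == external_ip):
            counts[e.dst_ip] = counts.get(e.dst_ip, 0) + 1
    return counts


# Excerpts copied from the two logs in the post (stateful ruleset, pass-all ruleset).
STATEFUL_LOG = """\
Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.12:53 out via rl0
Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
Ipfw: 311 Accept UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0
Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
""".splitlines()
PASS_ALL_LOG = """\
Ipfw: 160 Accept UDP 67.20.101.103:1175 208.206.15.11:53 out via rl0
Ipfw: 160 Accept UDP 208.206.15.11:53 10.0.10.5:1175 in via rl0
""".splitlines()
```

Run against the stateful log it reports both DNS replies as accepted with destination 67.20.101.103:1181 where 10.0.10.5:1181 was expected, and one port-unreachable sent to each of the two name servers; against the pass-all log it reports nothing. The usual fix for this ordering is to divert inbound packets through natd before check-state so the dynamic rule sees the translated reply.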

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user>