Date: Sat, 17 Jan 2004 18:10:09 -0500 From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG> Cc: freebsd-ipfw@freebsd.org Subject: 5.2 + ipfw2 + keep-state rules Bug Message-ID: <MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user@a1poweruser.com>
next in thread | raw e-mail | index | archive | help
Using an fresh install of FBSD 5.2 RC2 I am trying to get stateful rules to function. For some reason ipfw2 seems to be issuing an ICMP:3.3 packet to my ISP's dns. Here is my rules file # Flush out the list before we begin. /sbin/ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" # Internal gateway housekeeping $cmd 00100 allow all from any to any via lo0 # allow all localhost $cmd 00105 allow all from any to any via xl0 # allow all local Lan $cmd 00110 check-state log logamount 500 $cmd 00150 divert natd all from any to any $cmd 00170 count log logamount 500 all from any to any $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state $cmd 00500 deny log logamount 500 all from any to any Here is the ipfw2 log Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0 Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0 Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0 Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0 Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0 Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0 Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0 Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0 Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0 Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0 Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0 Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0 Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0 Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0 Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0 Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.12:53 out via rl0 Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0 Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0 Ipfw: 110 UNKNOWN UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0 Ipfw: 311 Accept UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0 Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0 Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0 Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0 When I change the rules to use pass all just to test if there is something wrong with my ISP's dns server, everything works. So there is no reason for the icmp 3.3 packet. # Flush out the list before we begin. /sbin/ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" # Internal gateway housekeeping $cmd 00100 allow all from any to any via lo0 # allow all localhost $cmd 00105 allow all from any to any via xl0 # allow all local Lan $cmd 00150 divert natd all from any to any $cmd 00160 allow log logamount 500 all from any to any Log from about rules file Ipfw: 160 Accept UDP 67.20.101.103:1175 208.206.15.11:53 out via rl0 Ipfw: 160 Accept UDP 208.206.15.11:53 10.0.10.5:1175 in via rl0 Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0 Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0 Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0 Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0 Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0 Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0 Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0 This looks like 5.2 ipfw2 bug to me. Any body explain why ipfw2 is doing this?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user>