From owner-freebsd-net@FreeBSD.ORG Thu Apr 3 23:41:04 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92075106566C for ; Thu, 3 Apr 2008 23:41:04 +0000 (UTC) (envelope-from erikt@midgard.homeip.net)
Received: from ch-smtp02.sth.basefarm.net (ch-smtp02.sth.basefarm.net [80.76.149.213]) by mx1.freebsd.org (Postfix) with ESMTP id 38DF08FC1A for ; Thu, 3 Apr 2008 23:41:04 +0000 (UTC) (envelope-from erikt@midgard.homeip.net)
Received: from c83-253-25-183.bredband.comhem.se ([83.253.25.183]:62423 helo=falcon.midgard.homeip.net) by ch-smtp02.sth.basefarm.net with esmtp (Exim 4.68) (envelope-from ) id 1JhZ3H-0003FT-7A for freebsd-net@freebsd.org; Fri, 04 Apr 2008 01:41:03 +0200
Received: (qmail 87566 invoked from network); 4 Apr 2008 01:40:59 +0200
Received: from owl.midgard.homeip.net (10.1.5.7) by falcon.midgard.homeip.net with ESMTP; 4 Apr 2008 01:40:59 +0200
Received: (qmail 53449 invoked by uid 1001); 4 Apr 2008 01:40:59 +0200
Date: Fri, 4 Apr 2008 01:40:59 +0200
From: Erik Trulsson
To: Ivan Voras
Message-ID: <20080403234059.GA53417@owl.midgard.homeip.net>
Mail-Followup-To: Ivan Voras , freebsd-net@freebsd.org
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.17 (2007-11-01)
X-Originating-IP: 83.253.25.183
X-Scan-Result: No virus found in message 1JhZ3H-0003FT-7A.
X-Scan-Signature: ch-smtp02.sth.basefarm.net 1JhZ3H-0003FT-7A 8b7a739b805a5ab5cf0a9c13a259232e
Cc: freebsd-net@freebsd.org
Subject: Re: Trouble with IPFW or TCP?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 03 Apr 2008 23:41:04 -0000

On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> In which case would an ipfw ruleset like this:
>
> 00100 114872026 40487887607 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00600 1585 112576 deny ip from table(0) to me
> 01000 90279 7325972 allow icmp from any to any
> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> 05100 634155 65779377 allow udp from me to any keep-state
> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
> 65400 12273387 629703212 deny log ip from any to any
> 65535 0 0 deny ip from any to any

If you are using 'keep-state', should there not also be some rule
containing 'check-state'?

>
> Generate syslog messages like these:
>
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:60725 my.ip.my.ip:443 in via em0
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387 my.ip.my.ip:443 in via em0
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387
[snip]

--
Erik Trulsson
ertr1013@student.uu.se
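The first thing to do with logs like the ones quoted above is to triage them: which rule is dropping the traffic, on which ports, and from how many sources. The script below is an added editorial example, not code from this thread or from the FreeBSD project. It parses the `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>` syslog format quoted in the thread, aggregates the denies, and singles out inbound TCP packets that reached the catch-all rule 65400 although their destination port has a `setup keep-state` allow rule. The sample lines are constructed (RFC 5737 documentation addresses stand in for the poster's `xx.xx.xx.xx` and `my.ip`), the port set and rule number are taken from the quoted ruleset, and the hostname `gw` is invented.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines quoted in the thread. Addresses
# are RFC 5737 documentation ranges standing in for the poster's "xx.xx.xx.xx" and
# "my.ip"; the ICMP line uses ipfw's "ICMP:type.code" notation.
SAMPLE_LOG = """\
Apr  4 01:02:06 gw kernel: ipfw: 65400 Deny TCP 203.0.113.5:60725 192.0.2.10:443 in via em0
Apr  4 01:02:06 gw kernel: ipfw: 65400 Deny TCP 203.0.113.5:57387 192.0.2.10:443 in via em0
Apr  4 01:02:07 gw kernel: ipfw: 65400 Deny TCP 198.51.100.7:44120 192.0.2.10:443 in via em0
Apr  4 01:02:07 gw kernel: ipfw: 65400 Deny TCP 198.51.100.7:44121 192.0.2.10:25 in via em0
Apr  4 01:02:08 gw kernel: ipfw: 65400 Deny UDP 198.51.100.9:5353 192.0.2.10:5353 in via em0
Apr  4 01:02:08 gw kernel: ipfw: 600 Deny TCP 203.0.113.99:4444 192.0.2.10:22 in via em0
Apr  4 01:02:09 gw kernel: ipfw: 65400 Deny ICMP:8.0 203.0.113.5 192.0.2.10 in via em0
"""

# Ports the quoted ruleset opens with "allow tcp from any to me dst-port N setup keep-state".
STATEFUL_TCP_PORTS = frozenset({22, 80, 443, 8080})
CATCHALL_RULE = 65400  # the "deny log ip from any to any" rule in the quoted ruleset

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Parse ipfw syslog lines into dicts; return (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"]) if e["sport"] else None  # ICMP lines carry no ports
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events, unparsed


def summarize_denies(events):
    """Count denied packets per (rule, proto, dst port, direction, interface)."""
    counts = Counter()
    for e in events:
        if e["action"] == "Deny":
            counts[(e["rule"], e["proto"], e["dport"], e["dir"], e["iface"])] += 1
    return counts


def stateful_port_denies(events, rule=CATCHALL_RULE, ports=STATEFUL_TCP_PORTS):
    """Inbound TCP packets that fell through to the catch-all deny although their
    destination port has a 'setup keep-state' allow rule. 'setup' matches only a
    SYN without ACK, and keep-state matches packets of an existing dynamic rule, so
    each such packet was a non-SYN segment for which no dynamic rule existed; the
    triage question is whether those states expired or were never created."""
    return [e for e in events
            if e["action"] == "Deny" and e["rule"] == rule
            and e["proto"] == "TCP" and e["dir"] == "in"
            and e["dport"] in ports]


def distinct_sources(events):
    """Distinct source addresses, to tell a few broken clients from a scan."""
    return sorted({e["src"] for e in events})


if __name__ == "__main__":
    evs, bad = parse_ipfw_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {bad} unparsed")
    for key, n in summarize_denies(evs).most_common():
        print(n, key)
    hits = stateful_port_denies(evs)
    print(f"{len(hits)} catch-all denies on stateful ports from {distinct_sources(hits)}")
```

Run it against `/var/log/security` (or wherever syslog puts the `ipfw:` lines) by replacing `SAMPLE_LOG` with the file contents. Denies at rule 600 in the sample are kept out of `stateful_port_denies` deliberately: that rule drops table(0) sources outright, so those entries say nothing about state. On the check-state question raised in the reply: ipfw(8) states that when no `check-state` rule is present, the dynamic ruleset is consulted at the first `keep-state` or `limit` rule, so in the quoted ruleset rule 05000 already plays that role; an explicit `check-state` earlier in the ruleset mainly makes the ordering visible.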