Date: Mon, 12 Dec 2005 10:16:40 -0600
From: Scot Hetzel <swhetzel@gmail.com>
To: Graham Menhennitt <gmenhennitt@optusnet.com.au>
Cc: freebsd-stable@freebsd.org
Subject: Re: puzzling "ipfw show" output
Message-ID: <790a9fff0512120816v1f449490sd59a80a380870932@mail.gmail.com>
In-Reply-To: <439D3053.3020504@optusnet.com.au>
References: <439D3053.3020504@optusnet.com.au>
On 12/12/05, Graham Menhennitt <gmenhennitt@optusnet.com.au> wrote:
> I got the following output from "ipfw show" in my daily security run output email.
>
> +++ /tmp/security.yri47lgA Mon Dec 12 03:01:45 2005
> +00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
> +02522 18 784 deny tcp from any to any in via sis1 setup
> +65530 0 0 deny ip from any to any
> +65535 2 688 deny ip from any to any
>
> Could somebody please explain to me how those packets got past rule 65530 to be stopped by (the identical) rule 65535? The ipfw rules have not changed since the machine rebooted. The only explanation I have is that the packets arrived between the time when the machine started accepting incoming packets and when the rules were loaded in /etc/rc.d/ipfw.
>
> If that's the case, it's a pretty good argument for defaulting to rejecting packets. Didn't somebody here suggest that this wasn't really necessary a few weeks ago (something to do with using pf)?
>
This is exactly what compiling your kernel with IPFIREWALL does: it denies packets by default. You can change this behavior by adding IPFIREWALL_DEFAULT_TO_ACCEPT, but it is strongly discouraged. See sys/conf/NOTES ( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES?rev=1.1337&content-type=text/x-cvsweb-markup ).

For pf you need to add IPFILTER_DEFAULT_BLOCK to block packets by default.

Scot
--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
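The check the thread is really asking for, as an added example that is not part of the original messages: a small POSIX sh script that parses `ipfw show` output and reports packets counted on the kernel's built-in default rule 65535, and that reads a kernel config fragment to tell whether the compiled-in last rule is deny (plain `options IPFIREWALL`) or accept (`options IPFIREWALL_DEFAULT_TO_ACCEPT`). The `ipfw show` lines and the kernel config fragments below are constructed sample input embedded in the script (the counters are the ones from Graham's report); the function names `rule_packets`, `check_default_rule` and `ipfw_default_policy` are this example's own, not FreeBSD tooling.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: inspect "ipfw show" output
# and a kernel config for the two facts discussed above.
#
# Rule 65535 is the default rule compiled into the kernel; it exists from the
# moment ipfw is active, before /etc/rc.d/ipfw loads the ruleset. Any packet
# counted on 65535 while an earlier, identical catch-all (65530 here) shows
# zero was therefore seen before the ruleset was in place.

# Constructed sample: the counters from the daily security run in the thread.
SAMPLE_IPFW_SHOW='00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
02522 18 784 deny tcp from any to any in via sis1 setup
65530 0 0 deny ip from any to any
65535 2 688 deny ip from any to any'

# Constructed sample: the same ruleset with nothing counted on the default rule.
SAMPLE_CLEAN='65530 0 0 deny ip from any to any
65535 0 0 deny ip from any to any'

# Constructed kernel config fragments (hypothetical, only the relevant options).
KERNCONF_STRICT='options IPFIREWALL          # compiled-in rule 65535 is deny
options IPFIREWALL_VERBOSE'
KERNCONF_LAX='options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT   # discouraged: rule 65535 becomes allow'

# Print the packet counter of one rule from "ipfw show" output.
# "ipfw show" columns are: rule-number packets bytes action ...
# Prints 0 when the rule is not present.
# Usage: rule_packets <rule-number> <ipfw-show-output>
rule_packets() {
    printf '%s\n' "$2" |
        awk -v r="$1" '$1 == r { print $2; found = 1 }
                       END { if (!found) print 0 }'
}

# Exit status 0 when the default rule 65535 saw no traffic, 1 when it did.
# Usage: check_default_rule <ipfw-show-output>
check_default_rule() {
    hits=$(rule_packets 65535 "$1")
    if [ "$hits" -gt 0 ]; then
        echo "WARNING: $hits packet(s) were counted on the default rule 65535;" >&2
        echo "         they arrived before the ruleset was loaded by /etc/rc.d/ipfw" >&2
        return 1
    fi
    return 0
}

# Print the policy of the compiled-in default rule for a kernel config:
#   accept - IPFIREWALL_DEFAULT_TO_ACCEPT is set
#   deny   - IPFIREWALL is set without the accept option
#   none   - ipfw is not compiled into this kernel at all
# Usage: ipfw_default_policy <kernel-config-text>
ipfw_default_policy() {
    if printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT'; then
        echo accept
    elif printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)'; then
        echo deny
    else
        echo none
    fi
}

# Stand-alone run against the constructed samples.
if [ "${0##*/}" != "sh" ]; then
    check_default_rule "$SAMPLE_IPFW_SHOW" || true
    echo "kernel default policy (strict config): $(ipfw_default_policy "$KERNCONF_STRICT")"
    echo "kernel default policy (lax config):    $(ipfw_default_policy "$KERNCONF_LAX")"
fi
```

On a live system, feed the functions `$(ipfw show)` and `/usr/src/sys/<arch>/conf/<KERNEL>` instead of the embedded samples. Newer FreeBSD releases also expose the compiled-in setting as the read-only sysctl `net.inet.ip.fw.default_to_accept`, which saves parsing the config at all; the parsing function is kept here because it works on any config file, including one for a kernel you have not booted yet.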
