From owner-freebsd-stable@FreeBSD.ORG Mon Dec 12 16:16:49 2005
From: Scot Hetzel <swhetzel@gmail.com>
To: Graham Menhennitt
Cc: freebsd-stable@freebsd.org
Date: Mon, 12 Dec 2005 10:16:40 -0600
Subject: Re: puzzling "ipfw show" output
Message-ID: <790a9fff0512120816v1f449490sd59a80a380870932@mail.gmail.com>
In-Reply-To: <439D3053.3020504@optusnet.com.au>
List-Id: Production branch of FreeBSD source code

On 12/12/05, Graham Menhennitt wrote:
> I got the following output from "ipfw show" in my daily security run output email.
>
> +++ /tmp/security.yri47lgA Mon Dec 12 03:01:45 2005
> +00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
> +02522 18 784 deny tcp from any to any in via sis1 setup
> +65530 0 0 deny ip from any to any
> +65535 2 688 deny ip from any to any
>
> Could somebody please explain to me how those packets got past rule 65530 to be stopped by (the identical) rule 65535? The ipfw rules have not changed since the machine rebooted. The only explanation I have is that the packets arrived between the time when the machine started accepting incoming packets and when the rules were loaded in /etc/rc.d/ipfw.
>
> If that's the case, it's a pretty good argument for defaulting to rejecting packets. Didn't somebody here suggest that this wasn't really necessary a few weeks ago (something to do with using pf)?

This is exactly what compiling your kernel with IPFIREWALL does: it defaults to denying packets. You can change this behaviour by adding IPFIREWALL_DEFAULT_TO_ACCEPT, but this is strongly discouraged. See sys/conf/NOTES ( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES?rev=1.1337&content-type=text/x-cvsweb-markup ).

For pf you need to add IPFILTER_DEFAULT_BLOCK to block packets by default.

Scot
--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
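As an added example (not code from the thread or from FreeBSD), a small parser for the `ipfw show` lines quoted above. It flags the symptom Graham describes: packet counters on the kernel's built-in rule 65535 even though an earlier catch-all rule exists, which can only happen while no ruleset is loaded. The sample input is constructed from the report in his mail.

```python
import re

# Constructed sample: the lines from the daily security report above, with
# the report's leading '+' kept so the parser copes with diff-style output.
SAMPLE_REPORT = """\
+++ /tmp/security.yri47lgA Mon Dec 12 03:01:45 2005
+00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
+02522 18 784 deny tcp from any to any in via sis1 setup
+65530 0 0 deny ip from any to any
+65535 2 688 deny ip from any to any
"""

KERNEL_DEFAULT_RULE = 65535           # always present; cannot be deleted
CATCH_ALL_ACTION = "deny ip from any to any"

# rule number, packet counter, byte counter, rule body
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_ipfw_show(text):
    """Parse 'ipfw show' output (or the security report's diff of it)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("+")  # drop the diff marker if present
        m = LINE_RE.match(line)
        if not m:
            continue  # '+++ /tmp/...' header and any other non-rule lines
        num, pkts, nbytes, body = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts),
                      "bytes": int(nbytes), "body": body.strip()})
    return rules


def default_rule_leak(rules):
    """Return (packets, bytes) counted by rule 65535 although an earlier
    catch-all deny rule exists. Once the set is loaded nothing can reach
    65535 past such a rule, so a non-zero count means traffic was handled
    by the kernel default alone, e.g. before /etc/rc.d/ipfw ran or while
    the set was flushed. Returns None if there is no earlier catch-all."""
    has_catch_all = any(r["num"] < KERNEL_DEFAULT_RULE
                        and r["body"] == CATCH_ALL_ACTION for r in rules)
    if not has_catch_all:
        return None
    default = next((r for r in rules if r["num"] == KERNEL_DEFAULT_RULE), None)
    if default is None:
        return (0, 0)
    return (default["pkts"], default["bytes"])
```

A non-zero result on a host whose kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT means those packets were accepted, not denied, during that window.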