Date:      Mon, 12 Dec 2005 10:16:40 -0600
From:      Scot Hetzel <swhetzel@gmail.com>
To:        Graham Menhennitt <gmenhennitt@optusnet.com.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: puzzling "ipfw show" output
Message-ID:  <790a9fff0512120816v1f449490sd59a80a380870932@mail.gmail.com>
In-Reply-To: <439D3053.3020504@optusnet.com.au>
References:  <439D3053.3020504@optusnet.com.au>

On 12/12/05, Graham Menhennitt <gmenhennitt@optusnet.com.au> wrote:
> I got the following output from "ipfw show" in my daily security run output email.
>
> +++ /tmp/security.yri47lgA      Mon Dec 12 03:01:45 2005
> +00522  3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
> +02522    18     784 deny tcp from any to any in via sis1 setup
> +65530     0       0 deny ip from any to any
> +65535     2     688 deny ip from any to any
>
> Could somebody please explain to me how those packets got past rule 65530 to be stopped by (the identical) rule 65535? The ipfw rules have not changed since the machine rebooted. The only explanation I have is that the packets arrived between the time when the machine started accepting incoming packets and when the rules were loaded in /etc/rc.d/ipfw.
>
> If that's the case, it's a pretty good argument for defaulting to rejecting packets. Didn't somebody here suggest that this wasn't really necessary a few weeks ago (something to do with using pf)?
>
This is exactly what compiling your kernel with IPFIREWALL does: it
denies packets by default.  You can change this behavior by adding
IPFIREWALL_DEFAULT_TO_ACCEPT, but that is strongly discouraged.

See sys/conf/NOTES
(http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES?rev=1.1337&content-type=text/x-cvsweb-markup)

For pf you need to add IPFILTER_DEFAULT_BLOCK to block packets by default.

Scot
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
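The two checks a practitioner would want after reading this exchange, as an added example that is not part of the thread or of FreeBSD itself: one that reads "ipfw show" output and reports whether the implicit default rule 65535 has seen packets even though an explicit catch-all deny (65530 here) sits in front of it, which can only happen to packets evaluated before that rule set was loaded, and one that reads a kernel configuration file and reports whether the compiled-in ipfw default policy is deny (IPFIREWALL alone) or accept (IPFIREWALL_DEFAULT_TO_ACCEPT added). The sample "ipfw show" lines are modelled on the quoted report; the kernel config fragments are constructed for the example. Function names are the example's own.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original message.

# Constructed "ipfw show" output, modelled on the lines quoted in the thread.
SAMPLE='00522  3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
02522    18     784 deny tcp from any to any in via sis1 setup
65530     0       0 deny ip from any to any
65535     2     688 deny ip from any to any'

# Constructed kernel config fragments (assumed for the example, not real files).
KERNCONF_DENY='options INET
options IPFIREWALL
options IPFIREWALL_VERBOSE'
KERNCONF_ACCEPT='options INET
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT'

# rule_pkts RULE: print the packet counter of rule RULE from "ipfw show"
# output on stdin (column 2; the byte counter is column 3). Leading zeros
# in the rule number compare numerically, so 522 matches "00522".
rule_pkts() {
    awk -v rule="$1" '$1 == rule { print $2; exit }'
}

# early_packets_seen: succeed (exit 0) when rule 65535 has a non-zero
# packet count in the "ipfw show" output on stdin. With an explicit
# catch-all deny ahead of it, only packets evaluated before that rule
# existed (the window between interfaces coming up and /etc/rc.d/ipfw
# loading the rule set) can reach 65535, so any hit is worth noticing.
early_packets_seen() {
    pkts=$(rule_pkts 65535)
    [ "${pkts:-0}" -gt 0 ]
}

# ipfw_default_policy: read a kernel config on stdin and print
#   deny   - IPFIREWALL present, no IPFIREWALL_DEFAULT_TO_ACCEPT
#   accept - IPFIREWALL_DEFAULT_TO_ACCEPT present
#   none   - ipfw not compiled in at all
# Matching is anchored on the "options" keyword so a trailing comment
# after the option name is tolerated.
ipfw_default_policy() {
    awk '
        /^[ \t]*options[ \t]+IPFIREWALL_DEFAULT_TO_ACCEPT([ \t]|$)/ { accept = 1 }
        /^[ \t]*options[ \t]+IPFIREWALL([ \t]|$)/                    { fw = 1 }
        END {
            if (!fw)         print "none"
            else if (accept) print "accept"
            else             print "deny"
        }'
}

# Stand-alone demonstration on the constructed inputs.
if printf '%s\n' "$SAMPLE" | early_packets_seen; then
    echo "rule 65535 has hits: some packets were evaluated before the rule set was loaded"
fi
printf 'deny config   -> %s\n'   "$(printf '%s\n' "$KERNCONF_DENY"   | ipfw_default_policy)"
printf 'accept config -> %s\n'   "$(printf '%s\n' "$KERNCONF_ACCEPT" | ipfw_default_policy)"
```

On a live system the first check is run as `ipfw show | early_packets_seen` from a periodic script, and the second as `ipfw_default_policy < /usr/src/sys/i386/conf/YOURKERNEL` (path assumed). A deny-by-default kernel still has a window before /etc/rc.d/ipfw runs, but in that window the only rule is 65535 and it denies, so early packets are dropped rather than accepted; the counter on 65535 is simply the record of that.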



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?790a9fff0512120816v1f449490sd59a80a380870932>