Date: Thu, 03 Apr 2008 21:41:34 -0700
From: Julian Elischer <julian@elischer.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-net@freebsd.org, Ivan Voras <ivoras@freebsd.org>
Subject: Re: Trouble with IPFW or TCP?
Message-ID: <47F5B17E.5000304@elischer.org>
In-Reply-To: <Pine.BSF.3.96.1080404123439.19138A-100000@gaia.nimnet.asn.au>
References: <Pine.BSF.3.96.1080404123439.19138A-100000@gaia.nimnet.asn.au>
Ian Smith wrote:
> On Thu, 3 Apr 2008, Julian Elischer wrote:
>
> > Ivan Voras wrote:
> > > Erik Trulsson wrote:
> > >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> > >>> In which case would an ipfw ruleset like this:
> > >>>
> > >>> 00100 114872026 40487887607 allow ip from any to any via lo0
> > >>> 00200 0 0 deny ip from any to 127.0.0.0/8
> > >>> 00300 0 0 deny ip from 127.0.0.0/8 to any
> > >>> 00600 1585 112576 deny ip from table(0) to me
> > >>> 01000 90279 7325972 allow icmp from any to any
> > >>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> > >>> 05100 634155 65779377 allow udp from me to any keep-state
> > >>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
> > >>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
> > >>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
> > >>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
> > >>> 65400 12273387 629703212 deny log ip from any to any
> > >>> 65535 0 0 deny ip from any to any
> > >>
> > >> If you are using 'keep-state' should there not also be some rule
> > >> containing 'check-state' ?
> > >
> > > Not according to the ipfw(8) manual:
> > >
> > > """
> > > These dynamic rules, which have a limited lifetime, are checked at the
> > > first occurrence of a check-state, keep-state or limit rule, and
> > > are typically used to open the firewall on-demand to legitimate traffic only.
> > > See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > > information on the stateful behaviour of ipfw.
> > > """
> > >
> > > I read this to mean the dynamic rules are checked at rule #5000 from the
> > > above list. Is there an advantage to having an explicit check-state rule
> > > in simple rulesets like this one?
> >
> > the docs are wrong then I think.
>
> If so, they've been wrong since 4.something .. certainly before 4.8.
> It's hard to imagine nobody else has ever relied on that doc behaviour,
> so perhaps the docs, if wrong, have become so at some more recent time?

Not that I have known... keep-state does not (and never has) include an
implicit check-state. I think the document is talking about the lifetime.
Each time a keep-state or check-state or limit is hit, the TTL is kicked.

>
> I guess the simple way to find out is for Ivan to add a check-state
> somewhere before the first keep-state, affecting all new connections.
>
> If that doesn't fix the problem, then it looks like the denied packets
> really are coming in from non-established sessions, as they would appear
> on the surface - if it wasn't known that the sources should be good!
>
> No chance net.inet.ip.fw.dyn_count is hitting net.inet.ip.fw.dyn_max ?
>
> cheers, Ian
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
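The two checks Ian proposes above (an explicit check-state ahead of the first keep-state rule, and whether net.inet.ip.fw.dyn_count is hitting net.inet.ip.fw.dyn_max), as an added POSIX shell example that is not part of this thread: the helper names add_check_state and dyn_table_ok, the trimmed ruleset and the sysctl output are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rule numbers, the trimmed ruleset and
# the sysctl output below are constructed (counters dropped for readability).

# Constructed ruleset, modelled on the one Ivan posted: "NNNNN body" per line.
RULESET='00100 allow ip from any to any via lo0
00600 deny ip from table(0) to me
01000 allow icmp from any to any
05000 allow tcp from me to any setup keep-state
05100 allow udp from me to any keep-state
06022 allow tcp from any to me dst-port 22 setup keep-state
65400 deny log ip from any to any'

# Print the ruleset with a "NNNNN check-state" rule inserted immediately
# before the first rule that uses keep-state or limit, numbered one below it,
# so established sessions are matched before any new-connection rule fires.
add_check_state() {
    printf '%s\n' "$1" | awk '
        !done && (/keep-state/ || / limit /) {
            printf "%05d check-state\n", $1 - 1; done = 1
        }
        { print }'
}

# Given the output of "sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max",
# return 0 while dyn_count is under pct% of dyn_max, 1 once it reaches it.
dyn_table_ok() {
    printf '%s\n' "$1" | awk -v pct="$2" '
        /dyn_count/ { count = $NF }
        /dyn_max/   { max = $NF }
        END { if (count * 100 < max * pct) exit 0; exit 1 }'
}

# Constructed sysctl output showing a nearly full dynamic-rule table.
SYSCTL_OUT='net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096'

add_check_state "$RULESET"
if dyn_table_ok "$SYSCTL_OUT" 90; then
    echo "dynamic rule table has headroom"
else
    echo "dynamic rule table nearly full: new keep-state entries may be refused"
fi
```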