From owner-freebsd-hackers Thu Aug 2 0:23:31 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from bugz.infotecs.ru (bugz.infotecs.ru [195.210.139.22]) by hub.freebsd.org (Postfix) with ESMTP id B93C437B401; Thu, 2 Aug 2001 00:23:23 -0700 (PDT) (envelope-from vel@bugz.infotecs.ru)
Received: (from root@localhost) by bugz.infotecs.ru (8.11.1/8.11.1) id f727dbY02620; Thu, 2 Aug 2001 11:39:37 +0400 (MSD) (envelope-from vel)
From: "Eugene L. Vorokov"
Message-Id: <200108020739.f727dbY02620@bugz.infotecs.ru>
Subject: ipfw "established" option
To: freebsd-net@freebsd.org
Date: Thu, 2 Aug 2001 11:39:37 +0400 (MSD)
Cc: freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I've found some strange issue regarding ipfw. I have FreeBSD 4.2-RELEASE. Guess I have rules:

    1 allow tcp from any to 195.210.139.22 established
    2 deny tcp from any to 195.210.139.22
    2 allow all from any to any

The intention is to allow the machine itself to connect outside and accept responses once the connection is established, but deny attempts to connect to this machine from outside. I was thinking that the first packet which tries to establish a TCP connection should never match rule 1. However, I've found that it depends on which operating system tries to connect in! When I try this from a machine with FreeBSD 4.3-RELEASE, it gets dropped as expected.
tcpdump on my machine says:

    11:15:01.841594 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 (DF) [tos 0x10]
    11:15:04.911908 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 (DF) [tos 0x10]
    11:15:07.804934 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 (DF) [tos 0x10]

Okay, that's fine. But then I try the same from a Linux machine (2.4.5). I am able to successfully telnet in! tcpdump says:

    11:15:51.479203 195.230.76.28.39925 > 195.210.139.22.21: S [ECN-Echo,CWR] 4162184178:4162184178(0) win 5840 (DF) [tos 0x10]
    11:15:51.479466 195.210.139.22.21 > 195.230.76.28.39925: S 2404031587:2404031587(0) ack 4162184179 win 17520 (DF)
    11:15:51.565124 195.230.76.28.39925 > 195.210.139.22.21: . ack 1 win 5840 (DF) [tos 0x10]
    11:15:51.590818 195.210.139.22.21 > 195.230.76.28.39925: P 1:58(57) ack 1 win 17520 (DF) [tos 0x10]
    11:15:51.648107 195.230.76.28.39925 > 195.210.139.22.21: . ack 58 win 5840 (DF) [tos 0x10]

Firewall logs also say that the initial packet matched rule 1 and was passed. Why is it like that? Am I missing something?

Regards,
Eugene

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
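Editor's added example (not part of the original mail, and not the FreeBSD ipfw source): the two captures differ only in the TCP flag byte of the first packet. The FreeBSD 4.3 client sends a bare SYN (0x02); the Linux 2.4.5 client sends SYN with the ECN bits ECE and CWR set (0xC2). The program below parses those tcpdump lines back into flag bits and runs the poster's rule set against two candidate "established" predicates. The loose predicate ("anything that is not a bare SYN") is a hypothesis that reproduces the behaviour seen above, not a claim about what 4.2-RELEASE actually does; the strict predicate is what ipfw(8) documents for `established`, namely "RST or ACK bit set", and is immune to extra bits. The helper and macro names are this example's own; the sample lines are copied from the captures above.

```c
/*
 * Added illustration (not FreeBSD ipfw source): why a SYN carrying the ECN
 * bits can slip through an "established" rule if the predicate is written
 * loosely.  The loose predicate is a hypothesis that reproduces the
 * behaviour in the captures above; the strict one is the ipfw(8) definition.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (RFC 793; ECE/CWR from RFC 3168). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo, shown by tcpdump as [ECN-Echo] */
#define TH_CWR  0x80   /* Congestion Window Reduced, shown as [CWR] */

/* Hypothetical loose predicate: "anything that is not a bare SYN is
 * established".  A SYN with ECE|CWR set is no longer a bare SYN, so it
 * passes.  This models the observed behaviour; it is not claimed to be
 * the 4.2-RELEASE code. */
int established_loose(uint8_t flags)
{
    return flags != TH_SYN;
}

/* Strict predicate, as ipfw(8) documents "established": the packet has
 * the RST or ACK bit set.  Bits outside that mask (ECN, reserved) cannot
 * influence the result. */
int established_strict(uint8_t flags)
{
    return (flags & (TH_ACK | TH_RST)) != 0;
}

/* Recover the flag byte from one line of 2001-era tcpdump output.  The flag
 * column follows the first ": " (after the destination port); ACK is shown
 * later as " ack N", and ECN bits as "[ECN-Echo,CWR]". */
uint8_t flags_from_tcpdump(const char *line)
{
    uint8_t f = 0;
    const char *p = strstr(line, ": ");
    if (p == NULL)
        return 0;
    for (p += 2; *p != '\0' && *p != ' '; p++) {
        switch (*p) {
        case 'S': f |= TH_SYN;  break;
        case 'F': f |= TH_FIN;  break;
        case 'R': f |= TH_RST;  break;
        case 'P': f |= TH_PUSH; break;
        case 'U': f |= TH_URG;  break;
        default:  break;            /* '.' = none of SFRPU */
        }
    }
    if (strstr(line, "ECN-Echo") != NULL) f |= TH_ECE;
    if (strstr(line, "CWR") != NULL)      f |= TH_CWR;
    if (strstr(line, " ack ") != NULL)    f |= TH_ACK;
    return f;
}

/* The poster's inbound policy: rule 1 allows "established", rule 2 denies
 * everything else to the host.  Returns 1 for allow, 0 for deny. */
int inbound_verdict(const char *line, int (*established)(uint8_t))
{
    return established(flags_from_tcpdump(line)) ? 1 : 0;
}

/* Sample input: the first inbound packet of each capture quoted above, plus
 * one mid-session ACK from the Linux session. */
#define FREEBSD_SYN "11:15:01.841594 195.222.16.243.1117 > 195.210.139.22.21: S 3910802910:3910802910(0) win 16384 (DF) [tos 0x10]"
#define LINUX_SYN   "11:15:51.479203 195.230.76.28.39925 > 195.210.139.22.21: S [ECN-Echo,CWR] 4162184178:4162184178(0) win 5840 (DF) [tos 0x10]"
#define LINUX_ACK   "11:15:51.565124 195.230.76.28.39925 > 195.210.139.22.21: . ack 1 win 5840 (DF) [tos 0x10]"

int main(void)
{
    const char *lines[] = { FREEBSD_SYN, LINUX_SYN, LINUX_ACK };
    size_t i;
    printf("%-6s %-5s %-6s\n", "flags", "loose", "strict");
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint8_t f = flags_from_tcpdump(lines[i]);
        printf("0x%02x   %-5s %-6s\n", f,
               inbound_verdict(lines[i], established_loose)  ? "allow" : "deny",
               inbound_verdict(lines[i], established_strict) ? "allow" : "deny");
    }
    return 0;
}
```

The practical check this suggests for any firewall that offers an "established" or "not a connection attempt" shortcut: send it a SYN with ECE and CWR set (any ECN-capable stack does this by default, and a packet crafter can set arbitrary bits) and confirm the rule still treats it as a new connection. A stateless predicate must mask to the bits it actually cares about (ACK, RST, SYN) rather than compare the whole flag byte against one expected value.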