Date: Sat, 2 Feb 2002 09:51:43 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Bovine Unit #243 <bov243@yahoo.com>
Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: reset TCP in ipfw
Message-ID: <20020202095143.B1280@gohan.cjclark.org>
In-Reply-To: <Pine.BSF.4.43.0202020237240.64259-100000@kristen.shadowdale.net>; from bov243@yahoo.com on Sat, Feb 02, 2002 at 02:38:36AM -0600
References: <20020131213029.I152@gohan.cjclark.org> <Pine.BSF.4.43.0202020237240.64259-100000@kristen.shadowdale.net>
On Sat, Feb 02, 2002 at 02:38:36AM -0600, Bovine Unit #243 wrote:
> > > ...
> > > 10000 divert 6668 ip from any to any via fxp0
> > > ...
> > > 49990 reset tcp log from any to any in recv fxp0
> > > 49999 deny tcp log from any to any in recv fxp0
> > >
> > > Well, the problem with that reset is that it's being blocked by the very
> > > next rule. Dang! I did not know the firewall would block its own action.
> > > Hmm...
> >
> > Hmmm? How is the firewall blocking its own action? I'm not sure if you
> > are interpreting your logs correctly. I don't see how anything could
> > ever match rule 49999.
>
> Woo. Me bad! That rule should read:
>
> 49999 deny tcp log from any to any via fxp0
>
> My fingers slipped.

Ah. So now I see the trouble. The TCP RSTs generated by 49999 get run back
through the firewall on their way out and end up matching 49999. You don't
want to remove 49999 since you want to control what leaves your network.
Got it. I think,

  # ipfw add 49991 pass tcp from any to any out via fxp0 tcpflags rst

Would do what you want. It lets out the resets, but nothing else. And it
won't let your users make connections you do not approve of.

-- 
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
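The following is an added example, not code from the thread or from FreeBSD. It is a small simulator of the ipfw first-match evaluation the reply relies on, covering only the subset of the rule language used above (`in`/`out`, `via`/`recv`/`xmit`, `tcpflags`, `pass`/`deny`/`reset`/`divert`). It runs the three rules quoted in the thread against an inbound TCP SYN, then runs the RST the firewall generates for it back through the same rules, which is where it meets the `deny ... via fxp0` rule. It then adds the suggested rule 49991 and checks two things: the RST now gets out, and an ordinary outbound SYN from a user is still denied. Assumptions, labelled in the code: the kernel's default rule is 65535 deny, `divert` is treated as a no-op so the reinjected packet continues at the next rule, and the generated RST is modelled as a locally originated packet (no receive interface) leaving on the interface the SYN arrived on.

```python
"""Simulate ipfw first-match evaluation for the rule set in this thread.

Added example (not from the thread or FreeBSD). Models a subset of ipfw:
first matching rule wins; 'via IF' matches either the receive or transmit
interface; 'in'/'out' are directions; 'tcpflags a,b' requires those flags.
Assumptions: default rule 65535 is 'deny'; 'divert' is treated as a no-op
(the reinjected packet resumes at the next rule); a generated RST is a
locally originated packet with no receive interface.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = (65535, "deny")          # assumption: default-deny kernel
ACTION_ALIASES = {"allow": "pass", "accept": "pass", "permit": "pass",
                  "drop": "deny"}


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp", ...
    direction: str                      # "in" or "out"
    recv: Optional[str] = None          # interface it arrived on, if any
    xmit: Optional[str] = None          # interface it leaves on, if any
    tcpflags: frozenset = frozenset()   # e.g. frozenset({"syn"})


@dataclass
class Rule:
    number: int
    action: str                         # pass / deny / reset / divert
    proto: str                          # "ip" matches every protocol
    direction: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None
    tcpflags: frozenset = frozenset()


def parse_rule(line: str) -> Rule:
    """Parse 'N action proto [log] from X to Y [options]'; addresses are ignored
    (every rule in the thread uses 'from any to any')."""
    tok = line.replace("#", " ").split()
    while tok and tok[0] in ("ipfw", "add"):   # tolerate '# ipfw add ...'
        tok.pop(0)
    number = int(tok.pop(0))
    action = tok.pop(0)
    action = ACTION_ALIASES.get(action, action)
    if action == "divert":
        tok.pop(0)                              # divert port
    proto = tok.pop(0)
    rule = Rule(number=number, action=action, proto=proto)
    if tok and tok[0] == "log":
        tok.pop(0)
    if tok[0] != "from" or tok[2] != "to":
        raise ValueError(f"expected 'from X to Y' in: {line}")
    del tok[:4]
    while tok:
        opt = tok.pop(0)
        if opt in ("in", "out"):
            rule.direction = opt
        elif opt in ("via", "recv", "xmit"):
            setattr(rule, opt, tok.pop(0))
        elif opt == "tcpflags":
            rule.tcpflags = frozenset(tok.pop(0).split(","))
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return rule


def parse_rules(lines: List[str]) -> List[Rule]:
    return [parse_rule(l) for l in lines]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.recv and pkt.recv != rule.recv:
        return False
    if rule.xmit and pkt.xmit != rule.xmit:
        return False
    if rule.via and rule.via not in (pkt.recv, pkt.xmit):
        return False
    if rule.tcpflags and (pkt.proto != "tcp" or not rule.tcpflags <= pkt.tcpflags):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """(rule number, action) of the first matching terminating rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.action == "divert":             # simplification: keep going
            continue
        if matches(rule, pkt):
            return rule.number, rule.action
    return DEFAULT_RULE


def rst_for(pkt: Packet) -> Packet:
    """The RST/ACK the firewall emits when it 'reset's pkt: locally generated,
    so no receive interface; it leaves on the interface pkt came in on."""
    return Packet("tcp", "out", recv=None, xmit=pkt.recv,
                  tcpflags=frozenset({"rst", "ack"}))


def trace(rules: List[Rule], pkt: Packet) -> List[Tuple[str, int, str]]:
    """Evaluate pkt and, if it is reset, the RST sent back for it."""
    steps = []
    num, action = evaluate(rules, pkt)
    steps.append(("packet", num, action))
    if action == "reset":
        rnum, raction = evaluate(rules, rst_for(pkt))
        steps.append(("generated RST", rnum, raction))
    return steps


# The rules quoted in the thread, with the corrected 'via fxp0' on 49999.
BROKEN = [
    "10000 divert 6668 ip from any to any via fxp0",
    "49990 reset tcp log from any to any in recv fxp0",
    "49999 deny tcp log from any to any via fxp0",
]
# The fix from the reply, pasted as typed at the shell prompt.
FIXED = BROKEN + ["# ipfw add 49991 pass tcp from any to any out via fxp0 tcpflags rst"]

# Constructed sample packets.
INBOUND_SYN = Packet("tcp", "in", recv="fxp0", tcpflags=frozenset({"syn"}))
USER_SYN = Packet("tcp", "out", xmit="fxp0", tcpflags=frozenset({"syn"}))

if __name__ == "__main__":
    for label, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, trace(parse_rules(ruleset), INBOUND_SYN))
    print("user SYN under fixed rules:", evaluate(parse_rules(FIXED), USER_SYN))
```

Running it shows the RST for the inbound SYN hitting rule 49999 (deny) under the original rules and rule 49991 (pass) once the fix is added, while a user's outbound SYN still falls through to 49999 because it carries no RST flag.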