Date: Tue, 22 Jan 2002 20:31:12 -0500
From: Ray Kohler <rkohler1@cox.rr.com>
To: Scott Nolde <scott@smnolde.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Some questions about ipfw
Message-ID: <097f55727011712FE8@mail8.mgfairfax.rr.com>
In-Reply-To: <20020122200126.A48937-100000@bsd.smnolde.com>
References: <20020122200126.A48937-100000@bsd.smnolde.com>
On Tuesday 22 January 2002 08:04 pm, Scott Nolde wrote:
> Thus sayeth the previous author:
> >Date: Tue, 22 Jan 2002 19:33:06 -0500
> >From: Ray Kohler <rkohler1@cox.rr.com>
> >To: freebsd-questions@FreeBSD.ORG
> >Subject: Some questions about ipfw
> >
> >I have 3 questions:
> >
> >1) Why does the rc.firewall script use "setup" and
> > "established" rules for tcp instead of keep-state like it does
> > for udp?
>
> Setup will allow the SYN packet through and established lets the
> rest of the session's packets through.

Sure, that's what the man page says, but what's the advantage of one over the other?

> >3) I'm having trouble fetching ports even with
> >FETCH_CMD= fetch -p set in make.conf. Eventually I get the
> > file, but not until after a lot of servers are tried. In my
> > logs I see a lot of:
> >
> >Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
> >Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
> >
> >where the "from" IPs belong to about a dozen ftp servers
> > I've tried, and the packet arrives a few minutes after fetch
> > has given up on that server. (Why are these servers contacting
> > me when I'm using passive ftp, anyway?)
>
> This is a normal response after instituting the rules you've set
> forth.

You mean difficulty fetching distfiles? Packets arriving late? Random active ftp? Packets like these being denied? What?

(Sorry about the tone of this; I guess I'm a bit flabbergasted.)

-- 
Ray Kohler
Mother is far too clever to understand anything she does not like.
-- Arnold Bennett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
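An added example, not part of this thread and not FreeBSD's own tooling: a small Python parser for the `ipfw: <rule> Deny TCP src:sport dst:dport in via <iface>` lines quoted in the message above. It groups the inbound denies by source address and source port, labels the source port by what it conventionally carries (21 is FTP control, 20 is active-mode FTP data, anything above 1023 is an ephemeral port), and flags 4-tuples that are denied repeatedly within seconds of each other, which is what a peer retransmitting into a connection the client side has already abandoned looks like in a firewall log. The four sample log lines are copied from the quoted message; the function names, labels and the `SAMPLE_LOG` constant are my own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: the four deny lines quoted in the message above.
SAMPLE_LOG = """\
Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
"""

# One ipfw log line as the kernel writes it via syslog: timestamp, host,
# "/kernel: ipfw:", rule number, action, protocol, src:port, dst:port, direction, interface.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)


@dataclass
class IpfwEvent:
    ts: str
    host: str
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str

    def seconds_of_day(self) -> int:
        """Wall-clock offset within the day, enough to measure gaps between hits."""
        hh, mm, ss = self.ts.split()[-1].split(":")
        return int(hh) * 3600 + int(mm) * 60 + int(ss)


def parse_line(line: str):
    """Return an IpfwEvent for a matching line, or None for anything else (e.g. other syslog noise)."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return IpfwEvent(g["ts"], g["host"], int(g["rule"]), g["action"], g["proto"],
                     g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                     g["direction"], g["iface"])


def parse_log(text: str):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def classify(ev: IpfwEvent) -> str:
    """Label a denied packet by its source port; these are conventions, not proof of intent."""
    if ev.sport == 21:
        return "ftp-control-reply"        # server's control port talking back to a client port
    if ev.sport == 20:
        return "ftp-active-data"          # active-mode data connection opened from server port 20
    if ev.sport >= 1024 and ev.dport >= 1024:
        return "ephemeral-to-ephemeral"   # e.g. a passive-mode data port replying to the client
    return "other"


def summarize(events):
    """Count inbound denies per (src, sport, label)."""
    counts = Counter()
    for ev in events:
        if ev.action == "Deny" and ev.direction == "in":
            counts[(ev.src, ev.sport, classify(ev))] += 1
    return counts


def repeated_flows(events):
    """4-tuples denied more than once, with hit count and the span in seconds between first and last hit."""
    hits = defaultdict(list)
    for ev in events:
        if ev.action == "Deny" and ev.direction == "in":
            hits[(ev.src, ev.sport, ev.dst, ev.dport)].append(ev.seconds_of_day())
    return {flow: (len(t), max(t) - min(t)) for flow, t in hits.items() if len(t) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(f"{n:3d}  {key[0]}:{key[1]:<6} {key[2]}")
    for flow, (n, span) in repeated_flows(evs).items():
        print(f"repeated: {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} x{n} over {span}s")
```

On a FreeBSD host with ipfw logging enabled, the same parser can be pointed at the file syslog writes the kernel firewall messages to (typically /var/log/security; check your syslog.conf). The value of the repeated-flow view is that a 4-tuple hit several times, seconds apart, tells you the remote side is still trying to talk on a connection your side has closed or never accepted; that is a different situation from a fresh unsolicited connection attempt, and it is the one the quoted log shows for 199.232.41.9:20167.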