Date: Sun, 10 Nov 2002 00:05:44 +0200
From: "Giorgos Keramidas" <keramida@FreeBSD.org>
To: "Micael Ebbmar" <micke@ebbmar.net>, <freebsd-questions@FreeBSD.org>
Subject: Re: IPFW2 denies packet although they match ALLOW rule?
Message-ID: <006b01c2883c$bf360900$42d7cdd4@LocalHost>
References: <20021109171923.GA41802@h173n2fls21o55>
Please wrap your posts (everything except for computer output), below
70-80 columns. It's very hard to read otherwise :-/

Micael Ebbmar <micke@ebbmar.net> wrote:
: Excuse me if I'm posting to the wrong list, I thought at first that
: freebsd-ipfw should be the correct one, but obviously only
: discussion about the redesign of IPFW should be discussed there.

True.

: A week ago, I made the transition from IPFW to IPFW2 (on my
: 4.7-Stable box), and I thought it would be a good idea to rewrite my
: previous stateless rules to stateful. After a few days I noticed in
: /var/log/security that IPFW once in a while blocks outbound packets
: to my pop servers and a webserver, which I've allowed in a previous
: rule (0310). I can still pop my mail and browse the web without any
: problems, but I'm still curious why it denies the packets. Can it be
: that the stateful rule has expired and the interface is
: resending/receiving some old packets? If so, is that normal or an
: indication of a broken NIC? Or are any of the sysctl variables
: net.inet.ip.fw.* too short? (Haven't touched them yet)

Web clients sometimes cache connections to web servers, hoping to save
some time by avoiding a reconnect for every GET request. Could it be
that your clients think that a cached connection is still valid long
after the dynamic ipfw rule has expired?

: Log snippet of /var/log/security:
:
: Nov 8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
: Nov 8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: [...]
:
: And my rules look like this:
:
: add 0200 reset log tcp from any to any 113
: add 0300 check-state
: add 0305 deny tcp from any to any in established
: add 0310 allow tcp from any to any out setup keep-state
: [...]
: add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

Doesn't rule 0310 make rule 0350 redundant?

: add 1000 deny log logamount 1000 ip from any to any via ep1
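As an added example (not code from this thread), a small Python parser for ipfw log lines of the kind quoted above that groups Deny entries by connection 5-tuple. A new TCP connection gets a fresh ephemeral source port, so the same source port being denied again seconds later points to a retransmit or a reused connection whose dynamic rule has gone, which is what Giorgos suggests. The sample lines are constructed and the year 2002 is an assumption (syslog timestamps carry none).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the ipfw syslog format shown in the post
# (source addresses partly redacted as in the post; the year is not in
# syslog timestamps, so 2002 is assumed when parsing).
SAMPLE_LOG = """\
Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:30:01 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2001 10.0.0.6:80 out via ep1
"""

IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$"
)


def parse_line(line):
    """Return the fields of one ipfw log line, or None if it is not one."""
    m = IPFW_RE.match(line.strip())
    return m.groupdict() if m else None


def repeated_denies(lines, year=2002):
    """Group Deny entries by (proto, src, sport, dst, dport) and report
    flows denied more than once, with the seconds between first and
    last hit.  A 'setup keep-state' rule only matches a fresh SYN, so a
    non-SYN packet on a flow whose dynamic rule expired falls through
    to the final deny; these repeats are the flows to look at."""
    hits = defaultdict(list)
    for f in filter(None, map(parse_line, lines)):
        if f["action"] != "Deny":
            continue
        ts = datetime.strptime(f"{year} {f['ts']}", "%Y %b %d %H:%M:%S")
        hits[(f["proto"], f["src"], f["sport"], f["dst"], f["dport"])].append(ts)
    report = []
    for (proto, src, sport, dst, dport), stamps in sorted(hits.items()):
        if len(stamps) > 1:
            span = int((max(stamps) - min(stamps)).total_seconds())
            report.append({"proto": proto, "src": src, "sport": sport,
                           "dst": dst, "dport": dport,
                           "count": len(stamps), "span_seconds": span})
    return report
```

Feed it the lines of /var/log/security (or the constructed SAMPLE_LOG above) and compare the reported flows against the dynamic rule lifetime sysctls before deciding whether the NIC is at fault.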