Date: Wed, 11 Apr 2001 23:31:16 -0700
From: Gregory Neil Shapiro <gshapiro@freebsd.org>
To: freebsd-ipfw@freebsd.org
Subject: ipfw dynamic rulesets broken for me
Message-ID: <15061.19380.659608.578985@horsey.gshapiro.net>
I tried switching from using the established check to keeping state and it isn't working as expected. Dynamic rules time out on open connections (e.g., ssh connections that I haven't used for about 10 minutes but are still open). Also, by the time a TCP connection goes from CLOSE_WAIT to LAST_ACK, the dynamic rule is gone and the LAST_ACK is denied (and therefore the connection lingers). I've included my fairly simple ipfw ruleset below. Any help is appreciated.

# Clear the list
-f flush

# localhost
add 01000 allow ip from any to any via lo0

# Check state table
add 02000 check-state
add 02000 deny log tcp from any to any established

# Stop RFC1918 nets
add 10010 deny log ip from 10.0.0.0/8 to any
add 10010 deny log ip from any to 10.0.0.0/8
add 10127 deny log ip from 127.0.0.0/8 to any
add 10127 deny log ip from any to 127.0.0.0/8
add 10172 deny log ip from 172.16.0.0/12 to any
add 10172 deny log ip from any to 172.16.0.0/12
add 10192 deny log ip from 192.168.0.0/16 to any
add 10192 deny log ip from any to 192.168.0.0/16

# Open for services we want to offer
# ssh, smtp, identd
add 20000 allow tcp from any to me 22,25,113 setup in keep-state

# Allow DHCP to work
add 20068 allow udp from any 67 to me 68 in

# Allow outgoing connections
add 30000 allow tcp from me to any setup out keep-state
add 30010 allow udp from me to any out keep-state
add 30020 allow icmp from me to any out keep-state

# Denies we don't care to log
add 40000 deny udp from any 138 to any 138 in

# Never assume the kernel default
add 65534 deny log ip from any to any
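The fall-through the message describes can be traced in a small model of ipfw's static evaluation order, written here as an added example (not code from the thread or from FreeBSD's ipfw): while a dynamic entry for the connection is live, its packets are accepted at check-state, and once that entry has expired a bare ACK from the same connection lands on the "deny tcp from any to any established" rule right after it. The host address ME and the packets are constructed; only "any"/"me" addresses and the options used in the posted rules are modelled.

```python
# The author's static rules, abridged (flush, RFC1918 and outbound rules omitted).
RULES_TEXT = """
add 01000 allow ip from any to any via lo0
add 02000 check-state
add 02000 deny log tcp from any to any established
add 20000 allow tcp from any to me 22,25,113 setup in keep-state
add 20068 allow udp from any 67 to me 68 in
add 65534 deny log ip from any to any
"""
ME = {"198.51.100.7"}  # constructed: the firewall host's own address

def parse(text):
    """Parse 'add N action [log] proto from src [ports] to dst [ports] options' lines."""
    rules = []
    for t in (ln.split() for ln in text.strip().splitlines()):
        num, action, body = int(t[1]), t[2], t[3:]
        if action == "check-state":                 # no body: matches every packet
            body = ["ip", "from", "any", "to", "any"]
        body = body[1:] if body[0] == "log" else body
        proto, _from, src, *rest = body
        sports = rest.pop(0).split(",") if rest[0] != "to" else []
        _to, dst, *rest = rest
        dports = rest.pop(0).split(",") if rest and rest[0][0].isdigit() else []
        rules.append(dict(num=num, action=action, proto=proto, src=src, sports=sports,
                          dst=dst, dports=dports, opts=set(rest)))
    return rules

def _match(r, p):
    o, f = r["opts"], p["flags"]
    return (r["proto"] in ("ip", p["proto"])
            and (r["src"] == "any" or p["src"] in ME) and (r["dst"] == "any" or p["dst"] in ME)
            and (not r["sports"] or str(p["sport"]) in r["sports"])
            and (not r["dports"] or str(p["dport"]) in r["dports"])
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("via" not in o or p.get("iface") == "lo0")
            and ("setup" not in o or ("SYN" in f and "ACK" not in f))
            and ("established" not in o or bool(f & {"ACK", "RST"})))

def evaluate(rules, p, dyn):
    """Return (rule number, action) for packet p; dyn is the set of live dynamic flows."""
    key = (p["proto"], frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
    for r in rules:
        if r["action"] == "check-state":
            if key in dyn:                          # live entry: accepted at check-state
                return r["num"], "allow"
        elif _match(r, p):
            if "keep-state" in r["opts"]:
                dyn.add(key)                        # keep-state creates the entry
            return r["num"], r["action"]
    return 65535, "deny"                            # kernel default rule
```

Clearing `dyn` stands in for the dynamic entry expiring; the same ACK that was accepted at rule 02000 (check-state) is then denied by the other rule 02000.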