ipfw stateful ruleset problem
Vahric MUHTARYAN
vahric at doruk.net.tr
Sat Jan 29 13:27:44 PST 2005
Use it like this:
fwcmd="/sbin/ipfw"   # not in the original message; assumed, as in /etc/rc.firewall
intip="your machine ip address"
int="your interface, for example fxp0 for Intel"
${fwcmd} add 400 drop all from any to any frag
${fwcmd} add 500 check-state
${fwcmd} add 600 deny tcp from any to any established
${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state
Bye ...
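The rules above, worked out into a complete rc.firewall-style script, as an added example that is not code from either message in this thread. It assumes an outside interface named em0 and the placeholder address 192.0.2.10 (set pif and intip for a real host), uses rule numbers of its own, and adds a small audit function (audit_rules, a name invented here) that reads rule lines and reports every inbound TCP accept rule that creates no dynamic state, which is the mistake behind the "Deny TCP ... out via em0" log lines in the question. It prints the ipfw commands unless IPFW_APPLY=yes is set.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful ipfw ruleset in the style of
# /etc/rc.firewall, plus an audit that finds inbound accept rules which create
# no dynamic state.
#
# Dry run by default (prints the ipfw commands). IPFW_APPLY=yes loads them for
# real, which needs root and ipfw in the kernel.

pif="${pif:-em0}"             # outside interface, assumed name (the question used em0)
intip="${intip:-192.0.2.10}"  # this host's address, placeholder from TEST-NET-1

if [ "${IPFW_APPLY:-no}" = "yes" ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="echo ipfw"
fi

load_rules() {
    $fwcmd flush
    # Fragments carry no port numbers, so nothing below can judge them.
    $fwcmd add 400 drop all from any to any frag
    # Dynamic rules first: any packet of an existing session is accepted here.
    $fwcmd add 500 check-state
    # A TCP packet with ACK or RST that matched no dynamic rule belongs to no
    # session we know about; reject it instead of letting a later rule guess.
    $fwcmd add 600 deny tcp from any to any established
    # Outbound clients: only the SYN has to match; keep-state creates the
    # dynamic rule that lets the rest of the session through rule 500.
    $fwcmd add 1000 allow tcp from ${intip} to any 80 out via ${pif} setup keep-state
    $fwcmd add 1010 allow tcp from ${intip} to any 110 out via ${pif} setup keep-state
    $fwcmd add 1020 allow tcp from ${intip} to any 21 out via ${pif} setup keep-state
    # Inbound services: every accept rule must create state (keep-state or
    # limit), otherwise the server's own replies never match rule 500 and fall
    # through to the final deny, which is what the question's 299 log lines show.
    $fwcmd add 1100 allow tcp from any to ${intip} 80 in via ${pif} setup limit src-addr 2
    $fwcmd add 1110 allow tcp from any to ${intip} 21 in via ${pif} setup limit src-addr 2
    $fwcmd add 1120 allow tcp from any to ${intip} 110 in via ${pif} setup keep-state
    # Active-mode FTP: the server opens the data connection from port 20 to the
    # client, so that outbound SYN needs its own stateful rule.
    $fwcmd add 1200 allow tcp from ${intip} 20 to any out via ${pif} setup keep-state
    # Last rule: log the drop so the rule number shows up in the system log.
    $fwcmd add 65000 deny log all from any to any
}

# audit_rules: read rule lines on stdin (either "ipfw add NNN ..." or the
# "$cmd NNNNN ..." form of an rc script) and print the rule number of every
# inbound TCP accept rule that carries neither keep-state nor limit.
audit_rules() {
    awk '
        /(allow|pass|accept) tcp .* in via / && !/(keep-state|limit (src|dst)-addr)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; break }
        }'
}

# Constructed sample: the three inbound rules exactly as posted in the question.
audit_posted() {
    audit_rules <<'EOF'
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
$cmd 00420 allow tcp from any to me 110 in via $pif
EOF
}

load_rules
echo "inbound accept rules without state in the posted ruleset: $(audit_posted)"
```

Run it as is to see the rule list and the audit result (rule 00420 is the one flagged); pipe an existing script's rule lines into audit_rules to check a ruleset of your own. Rule 600 is what makes the `allow ... established` shortcut unnecessary: anything mid-session that is legitimate already matched a dynamic rule at 500.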
-----Original Message-----
From: owner-freebsd-ipfw at freebsd.org [mailto:owner-freebsd-ipfw at freebsd.org]
On Behalf Of Gerard Meijer
Sent: Saturday, January 29, 2005 10:55 PM
To: freebsd-ipfw at freebsd.org
Subject: ipfw stateful ruleset problem
Hi everyone,
First of all, I'm not very experienced with ipfw, so if this is a stupid
question, I'm sorry.
I have a question regarding my stateful ipfw ruleset. I have the following
rules:
---begin---
$cmd 00015 check-state
#www
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
#mail
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
#ftp
$cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in FTP
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
# Allow in mail
$cmd 00420 allow tcp from any to me 110 in via $pif
---end---
(there are more rules, but these are the ones that it's about)
The problem that I'm having is that I can't check mail and can't FTP, and I
see a lot of:
ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0
messages in my logfile.
When I try to check mail I see in my log:
ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0
What happens (I think, as far as I understand ipfw) is that there is a connection
setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A
dynamic rule is created, but then the other computer switches ports. The
check-state command checks for a dynamic rule, but the port doesn't match
anymore, so it doesn't find a dynamic rule, and the other rules also don't
apply, since they only allow connection initialization. Am I correct?
I can solve all this by putting in the rule:
# $cmd 00020 allow tcp from any to any established
But I learned that that is not the right way to do this in a stateful
ruleset, because the dynamic rules don't have any use in this way. So what
is the right way to solve this?
Thanks a lot in advance!
_______________________________________________
freebsd-ipfw at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"