ipfw statefull ruleset problem

Gerard Meijer gmeijer at palmweb.nl
Sat Jan 29 14:34:42 PST 2005


Okay, I understand. But that doesn't solve the problem, right? I think that 
what you say is more or less the same as what I have:

you say:
500 check-state
i have:
00015 check-state

you say:
1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
i have:
00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

The rule I don't have is your 1204. Outbound through port 20. I don't know 
why you have that one.

My problem is that the initialization goes okay, but then the other pc 
seems to switch ports and the connection is denied.

I think I just understand you wrong. Sorry for that. I really appreciate 
your help, but can you explain what is different in the rules you have and 
that I have, and why yours should work and mine doesn't?

Thanks!
----- Original Message ----- 
From: "Vahric MUHTARYAN" <vahric at doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer at palmweb.nl>; <freebsd-ipfw at freebsd.org>
Sent: Saturday, January 29, 2005 11:22 PM
Subject: RE: ipfw statefull ruleset problem


> No no ,
>
> 400 will drop all fragmented packets
> 500 will provide you state check
> 600 will deny all established (because we don't want any established
> packets to pass the firewall; we want to check all packets' state, and 500
> already does that)
> 1100 will allow ftp connection to your ip address
> 1204 allows your machine to turn into a client for data transfer
>
> Pls see active ftp from this address : http://slacksite.com/other/ftp.html
>
> For POP3 and SMTP connections use these.
>
> ${fwcmd} add 1000 pass tcp from any to ${intip} 110 in via ${int} setup
> keep-state
>
> With this you can make a pop3 connection ......
>
> ${fwcmd} add 1001 pass tcp from any to ${intip} 25 in via ${int} setup
> keep-state
>
> With this you can make a smtp connection to your server
>
> Vahric
>
> -----Original Message-----
> From: Gerard Meijer [mailto:gmeijer at palmweb.nl]
> Sent: Sunday, January 30, 2005 12:06 AM
> To: Vahric MUHTARYAN; freebsd-ipfw at freebsd.org
> Subject: Re: ipfw statefull ruleset problem
>
> Do you mean that I should change 'allow' to 'pass'? What exactly does 
> pass do?
>
> Thanks!
> ----- Original Message ----- 
> From: "Vahric MUHTARYAN" <vahric at doruk.net.tr>
> To: "'Gerard Meijer'" <gmeijer at palmweb.nl>; <freebsd-ipfw at freebsd.org>
> Sent: Saturday, January 29, 2005 10:27 PM
> Subject: RE: ipfw statefull ruleset problem
>
>
>> Use like this
>>
>> intip="your machine ip address"
>> int="yourinterfacefor example fxp0 for intel"
>>
>> ${fwcmd} add 400 drop all from any to any frag
>> ${fwcmd} add 500 check-state
>> ${fwcmd} add 600 deny tcp from any to any established
>> ${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup
>> keep-state
>> ${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup
>> keep-state
>>
>> Bye ...
>>
>> -----Original Message-----
>> From: owner-freebsd-ipfw at freebsd.org
>> [mailto:owner-freebsd-ipfw at freebsd.org]
>> On Behalf Of Gerard Meijer
>> Sent: Saturday, January 29, 2005 10:55 PM
>> To: freebsd-ipfw at freebsd.org
>> Subject: ipfw statefull ruleset problem
>>
>> Hi everyone,
>>
>> First of all, I'm not very experienced with ipfw, so if this is a stupid
>> question, I'm sorry.
>>
>> I have a question regarding my stateful ipfw ruleset. I have the
>> following rules:
>>
>> ---begin---
>> $cmd 00015 check-state
>>
>> #www
>> $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
>>
>> #mail
>> $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
>>
>> #ftp
>> $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state
>>
>> # Allow in standard www function because I have apache server
>> $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>>
>> # Allow in FTP
>> $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
>>
>> # Allow in mail
>> $cmd 00420 allow tcp from any to me 110 in via $pif
>> ---end---
>> (there are more rules, but these are the ones that it's about)
>>
>> The problem that I'm having is that I can't check mail, and can't FTP and
>> see a lot of:
>>
>> ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0
>>
>> messages in my logfile.
>>
>> When I try to check mail I see in my log:
>>
>> ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0
>>
>> What happens (I think, as far as I understand ipfw) is that there is a
>> connection setup on port 21/80/110 (ftp/http/mail), which is allowed by
>> the rules. A dynamic rule is created, but then the other computer switches
>> ports. The check-state command checks for a dynamic rule, but the port
>> doesn't match anymore, so it doesn't find a dynamic rule, and the other
>> rules also don't apply, since they only allow connection initialization.
>> Am I correct?
>>
>> I can solve all this by putting in the rule:
>>
>> # $cmd 00020 allow tcp from any to any established
>>
>> But I learned that that is not the right way to do this in a stateful
>> ruleset, because the dynamic rules don't have any use in this way. So
>> what is the right way to solve this?
>>
>> Thanks a lot in advance!
>> _______________________________________________
>> freebsd-ipfw at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>>
>>
>
> 
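As an added illustration (not ipfw code and not from any of the messages above): a toy Python model of how ipfw's check-state matches a reply against the dynamic rule that `keep-state` (or `limit`) created from the client's original SYN, including the client's ephemeral port, and why a rule with no `keep-state`, such as the port 110 rule 00420 in the ruleset quoted above, lets the server's reply fall through to the deny rule. The addresses, ports and the assumption that rule 299 denies outbound traffic are constructed for the example.

```python
ME = "192.0.2.10"        # constructed stand-in for ipfw's "me"
CLIENT = "203.0.113.5"   # constructed remote host (the "other pc")

def pkt(src, sport, dst, dport, direction, setup=False):
    """One TCP packet as the fields ipfw matches on; setup=True means a bare SYN."""
    return dict(src=src, sport=sport, dst=dst, dport=dport, dir=direction, setup=setup)

def rule(num, action, dport=None, direction=None, setup=False, keep_state=False):
    """A simplified ipfw rule; None means 'any'. A 'limit' rule also counts as keep_state."""
    return dict(num=num, action=action, dport=dport, dir=direction,
                setup=setup, keep_state=keep_state)

def _matches(r, p):
    return ((r["dir"] is None or p["dir"] == r["dir"])
            and (r["dport"] is None or p["dport"] == r["dport"])
            and (not r["setup"] or p["setup"]))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.dynamic = set()   # flows with a dynamic rule, stored in both directions

    def process(self, p):
        """Return (rule number, action) that decided the packet; first match wins."""
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        for r in self.rules:
            if r["action"] == "check-state":
                if flow in self.dynamic:   # packet belongs to a known flow, either direction
                    return (r["num"], "allow")
                continue
            if _matches(r, p):
                if r["keep_state"]:        # keep-state / limit: remember the 4-tuple both ways
                    self.dynamic.add(flow)
                    self.dynamic.add((p["dst"], p["dport"], p["src"], p["sport"]))
                return (r["num"], r["action"])
        return (65535, "deny")             # ipfw's implicit default rule

def gerards_ruleset(mail_keep_state=False):
    # Rule 299 is not shown in the thread; assumed here to be a deny of outbound traffic.
    return Firewall([rule(15, "check-state"),
                     rule(299, "deny", direction="out"),
                     rule(410, "allow", 21, "in", setup=True, keep_state=True),   # limit src-addr 2
                     rule(420, "allow", 110, "in", keep_state=mail_keep_state)])  # no keep-state

def server_reply(fw, port, client_port):
    """Client opens a connection to `port`; return how the server's reply packet is handled."""
    fw.process(pkt(CLIENT, client_port, ME, port, "in", setup=True))
    return fw.process(pkt(ME, port, CLIENT, client_port, "out"))

if __name__ == "__main__":
    print("ftp reply :", server_reply(gerards_ruleset(), 21, 40000))       # (15, 'allow')
    print("mail reply:", server_reply(gerards_ruleset(), 110, 40001))      # (299, 'deny')
    print("mail fixed:", server_reply(gerards_ruleset(True), 110, 40001))  # (15, 'allow')
```

The port in the logged deny line is the client's own ephemeral port, which the dynamic rule already contains; the reply is only denied where no dynamic rule was created.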