ipfw dynamic tcp rule issue

Ian FREISLICH if at hetzner.co.za
Thu Sep 9 03:33:22 PDT 2004

George S wrote:
> > I thought you had to explicitly state the check-state.  Anyway,
> > I've just noticed that your last rule is #65655 which is higher
> > than the max for an unsigned short.  Depending how this overflow
> > is handled, you might get odd behaviour.  This might just result
> > in the packet being denied by the default deny rule on the way out
> > of fxp0.  Try adding a rule just before the default deny to log
> > matches.  It's almost always useful to do this anyway when playing
> > with the ruleset until everything works.
> Sorry, that was a typo on my part... the the last rule should be #65534. In
> any event, the packet rule counters are zero for this rule anyway.
> > I would have done the rules as follows:
> > 
> > ipfw add 00010 fwd tcp from to any in via fxp0
> > ipfw add 00020 fwd tcp from any to in via fxp1
> > ipfw add 65534 allow ip from any to any
> > 
> > Is there any particular reason for wanting a stateful firewall in
> > this case?
> Yes, it is to differentiate between the following cases of returning SYN+ACK
> packets received by fxp1:
> 1. A packet that is responding to the SYN packet originating from A (src ip
> 2. A packet that is responding to a SYN packet originating from B (also with
> src ip
> Indeed this works, because if I send my test SYN packet from B (src ip
>, the returning SYN+ACK triggers rule #9 (allow ip from any to any)
> and the packet is not forwarded out the fxp0 interface.
> I am still at a loss as to why the packet counts get updated and yet the
> packet itself is not written out on the wire. Any other suggestions?

Did you try the logging deny rule?  If you did, then I am out of ideas.


Ian Freislich

More information about the freebsd-net mailing list