kern/129103: IPFW check state does not work =(

Eugen Konkov kes-kes at yandex.ru
Sun Nov 23 14:00:06 PST 2008 

>Number:         129103
>Category:       kern
>Synopsis:       IPFW check state does not work =(
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 22:00:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008     kes at home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7  i386

>Description:
home# ipfw -de show
00001    0      0 check-state
00002    6    360 count log icmp from any to any via ng0
00003    5    300 prob 0.500000 skipto 6 log icmp from any to any via ng0
00004    8    480 skipto 5 log icmp from any to any via ng0 keep-state
00005    3    180 skipto 10 log icmp from any to any via ng0
00006    3    180 skipto 7 log icmp from any to any via ng0 keep-state
00007    3    180 count log icmp from any to any via ng0
00010    6    360 count log icmp from any to any via ng0
00099   47   2924 nat 1 ip from any to any via ng0
00100   12   2036 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
10000 1341 231865 allow ip from any to any
65535    0      0 deny ip from any to any
## Dynamic rules (2):
00004    7    420 (0s) STATE icmp 192.168.9.4 0 <-> 213.180.204.8 0
00006    2    120 (0s) STATE icmp 213.180.204.8 0 <-> 91.124.239.145 0

Why 5 packets for rule 3 and 8 packets for rule 4?

cat security
Nov 23 23:18:39 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
Nov 23 23:18:40 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 3 SkipTo 6 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
Nov 23 23:18:41 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
Nov 23 23:18:41 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 3 SkipTo 6 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:42 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1

Why in log do I see trafic for ng1 interface while rule 1 does not invoked?

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list