ipfw dynamic tcp rule issue

George S c0sine at yahoo.com
Tue Sep 7 05:36:01 PDT 2004


Hi Ian,

Thanks for your response.

Yes, the behaviour is exactly as I describe. What happens is that on its way
back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
to check all dynamic rules implicitly (as per the ipfw manpage).

Since the SYN+ACK packet is part of a recently setup connection, there is a
skipto to rule #10. Rule #10 does not match because the SRC/DST are not
correct, so it then passes to rule #11, which does match (and its counters
are updated).

The problem is that the packet never finds itself on the fxp0 wire. I will
give your check-state suggestion a try but I think the check-state is
implicit within rule #1.

Kindest regards,

George


--- Ian FREISLICH <if at hetzner.co.za> wrote:

> George S wrote:
> > Hello all,
> > 
> > I've been having some trouble with this strange ipfw configuration and I am
> > pretty sure it is probably a bug. I posted a note to freebsd-ipfw a little
> > while ago, but I think the problem is better demonstrated with a figure.
> > http://www.geocities.com/c0sine/fbsdipfw.gif
> 
> Are you sure that you performed the test you described and the results
> (count updated etc) actually occurred?  I would expect rule 9 to
> catch the packet on its way back and rule 11 never to be triggered.
> 
> Maybe rule 9 should be a checkstate rule.
> 
> Ian
> 
> --
> Ian Freislich
> 



		
_______________________________
Do you Yahoo!?
Express yourself with Y! Messenger! Free. Download now. 
http://messenger.yahoo.com


More information about the freebsd-ipfw mailing list