ipfw dynamic tcp rule issue

Ian FREISLICH if at hetzner.co.za
Tue Sep 7 08:08:14 PDT 2004


George S wrote:
> Hi Ian,
> 
> Thanks for your response.
> 
> Yes, the behaviour is exactly as I describe. What happens is that on its way
> back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
> 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
> to check all dynamic rules implicitly (as per the ipfw manpage).
> 
> Since the SYN+ACK packet is part of a recently setup connection, there is a
> skipto to rule #10. Rule #10 does not match because the SRC/DST are not
> correct, so it then passes to rule #11, which does match (and its counters
> are updated).
> 
> The problem is that the packet never finds itself on the fxp0 wire. I will
> give your check-state suggestion a try but I think the check-state is
> implicit within rule #1.

I thought you had to explicitly state the check-state.  Anyway,
I've just noticed that your last rule is #65655 which is higher
than the max for an unsigned short.  Depending on how this overflow
is handled, you might get odd behaviour.  This might just result
in the packet being denied by the default deny rule on the way out
of fxp0.  Try adding a rule just before the default deny to log
matches.  It's almost always useful to do this anyway when playing
with the ruleset until everything works.

I would have done the rules as follows:

ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65534 allow ip from any to any

Is there any particular reason for wanting a stateful firewall in
this case?

Ian

--
Ian Freislich
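As an added example (not part of either mail above), a small POSIX sh lint that checks a ruleset for the two points Ian raises: a rule number above 65535 and a catch-all deny with no log rule in front of it. The sample ruleset is constructed, and the 16-bit wrap value it prints is only an illustration of what plain truncation would do, not a statement of how ipfw actually handled the number.

```shell
#!/bin/sh
# Added example: lint an ipfw ruleset for the two problems raised in the thread.
# Assumptions: rules arrive as "ipfw add NNN action ..." lines, and rule numbers
# are 16-bit, so 65535 is the highest valid number.
IPFW_MAX_RULE=65535

# Constructed sample ruleset modelled on the thread (not the poster's real rules):
# the last rule number exceeds 65535 and no log rule precedes the catch-all deny.
SAMPLE_RULES='ipfw add 00001 allow tcp from 10.0.0.2 to any out via fxp0 keep-state
ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00011 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65655 deny ip from any to any'

# Read rules on stdin and print one WARN line per finding; always exits 0.
lint_ruleset() {
    prev_log=0      # did the previous rule carry the "log" keyword?
    final_deny=0    # is the last rule a catch-all deny with no logging?
    while read -r cmd sub num rest; do
        [ "$cmd" = "ipfw" ] && [ "$sub" = "add" ] || continue
        case "$num" in
            ''|*[!0-9]*)
                echo "WARN: rule number '$num' is not numeric"
                continue ;;
        esac
        n=${num#"${num%%[!0]*}"}   # strip leading zeros so 00010 is decimal 10
        n=${n:-0}
        if [ "$n" -gt "$IPFW_MAX_RULE" ]; then
            # Illustration only: what plain 16-bit truncation would turn it into.
            echo "WARN: rule $num exceeds $IPFW_MAX_RULE (16-bit wrap would give $((n % 65536)))"
        fi
        rule_log=0
        case "$rest" in *log*) rule_log=1 ;; esac
        final_deny=0
        case "$rest" in
            deny*"from any to any"*)
                if [ "$rule_log" -eq 0 ] && [ "$prev_log" -eq 0 ]; then
                    final_deny=1
                fi ;;
        esac
        prev_log=$rule_log
    done
    if [ "$final_deny" -eq 1 ]; then
        echo "WARN: catch-all deny is not preceded by a log rule"
    fi
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | lint_ruleset
```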

