continued IPFW issues... (actually a lack of ability on my part)

Jez Hancock jez.hancock at
Sat Feb 14 15:36:18 PST 2004

On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server.  I've got a 
> cgi based irc client installed, and I can't connect.  Also, it seems as if my 
> DNS server isn't able to send queries out.  An ipfw show displays the 
> following for me:
> 00050 54632 4640473 allow ip from me to any
> 00100     0       0 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to
> 00300     0       0 deny ip from to any
> 00400  4027  351563 allow ip from to me
> 00500     2      80 allow ip from any to me dst-port 22
> 00600     2      80 allow ip from any to me dst-port 21
> 00700   388   25405 allow ip from any to me dst-port 25
> 00800    58    4944 allow ip from any to me dst-port 80
> 00900     2      80 allow ip from any to me dst-port 443
> 01000     2      80 allow ip from any to me dst-port 110
> 01100    54    4247 allow ip from any to me dst-port 53
> 01200     2      80 allow ip from any to me dst-port 6667
> 01300     2      80 allow ip from any to me dst-port 6668
> 01400     4     160 deny ip from not to me dst-port 8080
> 65535 46432 7224466 deny ip from any to any
> Where is all that denied traffic coming from on the final rule?

You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you.  See the
examples he provided in that thread.

>From the manpage for ipfw:

	     Checks the packet against the dynamic ruleset.  If a match is
	     found, execute the action associated with the rule which gener-
	     ated this dynamic rule, otherwise move to the next rule.
	     Check-state rules do not have a body.  If no check-state rule is
	     found, the dynamic ruleset is checked at the first keep-state or
	     limit rule.


	     Upon a match, the firewall will create a dynamic rule, whose
	     default behaviour is to match bidirectional traffic between
	     source and destination IP/port using the same protocol.  The rule
	     has a limited lifetime (controlled by a set of sysctl(8) vari-
	     ables), and the lifetime is refreshed every time a matching
	     packet is found.

When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period.  The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).

You'd need to do the same for each of the other ports you want to allow
free connections to/from.

Jez Hancock
 - System Administrator / PHP Developer  - Another FreeBSD Diary        - ipfw peruser traffic logging

More information about the freebsd-questions mailing list