continued IPFW issues... (actually a lack of ability on my part)
Eric F Crist
ecrist at adtechintegrated.com
Sat Feb 14 16:22:31 PST 2004
From: Jez Hancock [mailto:munk at munk.nu] On Behalf Of Jez Hancock
Sent: Saturday, February 14, 2004 5:36 PM
To: Eric F Crist
Cc: FreeBSD questions List
Subject: Re: continued IPFW issues... (actually a lack of ability on my
On Sat, Feb 14, 2004 at 03:27:35PM -0600, Eric F Crist wrote:
> I'm still having some sort of issues with ipfw rules on my server.
> I've got a
> cgi based irc client installed, and I can't connect. Also, it seems
as if my
> DNS server isn't able to send queries out. An ipfw show displays the
> following for me:
> 00050 54632 4640473 allow ip from me to any
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 4027 351563 allow ip from 22.214.171.124/29 to me
> 00500 2 80 allow ip from any to me dst-port 22
> 00600 2 80 allow ip from any to me dst-port 21
> 00700 388 25405 allow ip from any to me dst-port 25
> 00800 58 4944 allow ip from any to me dst-port 80
> 00900 2 80 allow ip from any to me dst-port 443
> 01000 2 80 allow ip from any to me dst-port 110
> 01100 54 4247 allow ip from any to me dst-port 53
> 01200 2 80 allow ip from any to me dst-port 6667
> 01300 2 80 allow ip from any to me dst-port 6668
> 01400 4 160 deny ip from not 126.96.36.199/29 to me dst-port
> 65535 46432 7224466 deny ip from any to any
> Where is all that denied traffic coming from on the final rule?
You are only allowing traffic in and not out - as Matthew Seaman
mentioned in the last post in your previous thread, you should use
'keep-state' to keep track of the connections made to you. See the
examples he provided in that thread.
>From the manpage for ipfw:
Checks the packet against the dynamic ruleset. If a match
found, execute the action associated with the rule which
ated this dynamic rule, otherwise move to the next rule.
Check-state rules do not have a body. If no check-state
found, the dynamic ruleset is checked at the first
Upon a match, the firewall will create a dynamic rule,
default behaviour is to match bidirectional traffic between
source and destination IP/port using the same protocol.
has a limited lifetime (controlled by a set of sysctl(8)
ables), and the lifetime is refreshed every time a matching
packet is found.
When a connection is made to port 80 from an external host, with the
'keep-state' flag set on your rule for port 80 data transfer will be
allowed in both directions to/from the external host to/from you on port
80 for a limited period. The check-state rule effectively 'shortcuts'
the rest of the rules in the ruleset if a match is made for the external
host for the given action (inbound connections to port 80 in this case).
You'd need to do the same for each of the other ports you want to allow
free connections to/from.
Wouldn't my first rule:
ipfw allow ip from me to any
have fixed this problem?
Eric F Crist
AdTech Integrated Systems, Inc
More information about the freebsd-questions