IPFW Problems

Drew Tomlinson drew at mykitchentable.net
Thu Apr 20 00:28:27 UTC 2006

On 4/17/2006 2:29 PM Noah Silverman wrote:
> Hi,
> I have a system with a 4.11 Kernel.  Unless I'm doing something very 
> wrong, there seems to be something odd with ipfw.
> Take the following rules:
I assume above this you have "ipfw add check-state" defined?  This is 
the rule that's required to get ipfw to check its dynamic rule set.  
Without it, "keep-state" rules will never work.
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit 
> src-addr 2
I think this line is your problem.  "setup" matches the initial packet 
with the syn flag set.  However, since you have not added "keep-state", 
no rule gets added to the dynamic rule set for this connection.  
Subsequent packets don't match because "syn" is not set.  Thus they hit 
rule 499 and are denied.
> ipfw add 00499 deny log all from any to any in via bge0
> In theory, this should allow in SSH and nothing else.
> When I install this firewall configuration, I'm locked out of the 
> box.  An inspection of the logs shows that rule 499 is being triggered 
> by an attempted incoming connection.
> Can anybody help?
> Also, would it be better to upgrade to ipfw2?  If so, how do I do that?

Add 'ipfw2=TRUE' to /etc/make.conf.  Then the next time you build world 
and kernel, you'll have ipfw2.  There's probably a way to just recompile 
the ipfw part but I've always just done the whole thing.
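As an added illustration of the explanation above (not code from this thread and not ipfw's real implementation), the following Python models only the pieces discussed: static rules walked in order, "setup" matching a bare SYN, a check-state rule consulting a dynamic table, and keep-state populating it. The `log` and `limit` options are not modelled, the addresses are constructed, and a deny default rule is assumed; it runs the quoted rules as posted and with the two suggested fixes against a constructed inbound SSH handshake.

```python
from dataclasses import dataclass, replace
from typing import Optional
@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int; direction: str; syn: bool; ack: bool
@dataclass
class Rule:
    num: int; action: str; dport: Optional[int] = None; direction: Optional[str] = None
    setup: bool = False; keep_state: bool = False; check_state: bool = False

def flow(p):
    # Symmetric key so the server's reply matches the entry made by the client's SYN.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def filter_packet(rules, dyn, p):
    """Walk the static rules in order; return the (rule number, action) that decides p."""
    for r in rules:
        if r.check_state:            # simplified model: only check-state consults the dynamic table
            if flow(p) in dyn:
                return r.num, "allow (dynamic)"
            continue
        if r.direction and r.direction != p.direction:
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if r.setup and not (p.syn and not p.ack):   # "setup" = SYN without ACK
            continue
        if r.keep_state:             # a matching keep-state rule records the flow
            dyn.add(flow(p))
        return r.num, r.action
    return 65535, "deny"             # assumed default-deny rule

def ssh_session(rules):
    """Client SYN, server SYN/ACK, client ACK (constructed addresses); return the deciding rules."""
    dyn = set()
    syn = Pkt("198.51.100.7", 40000, "203.0.113.1", 22, "in", True, False)
    synack = Pkt("203.0.113.1", 22, "198.51.100.7", 40000, "out", True, True)
    ack = Pkt("198.51.100.7", 40000, "203.0.113.1", 22, "in", False, True)
    return [filter_packet(rules, dyn, p) for p in (syn, synack, ack)]

# The quoted ruleset: no check-state, and rule 430 without keep-state.
AS_POSTED = [
    Rule(280, "allow", dport=22, direction="out", setup=True, keep_state=True),
    Rule(299, "deny", direction="out"),
    Rule(430, "allow", dport=22, direction="in", setup=True),
    Rule(499, "deny", direction="in"),
]
# The two suggested fixes: a check-state rule up front and keep-state on rule 430.
FIXED = [Rule(100, "check-state", check_state=True)] + [
    replace(r, keep_state=True) if r.num == 430 else r for r in AS_POSTED]
```

With the rules as posted only the SYN passes rule 430; the reply is dropped by 299 and the client's ACK by 499, while with the fixes both follow-up packets match the dynamic entry at the check-state rule.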
