ipfw tcp/udp dropping - why ?
Robert Usle
robertus.n at gmail.com
Tue Jun 5 21:59:54 UTC 2007
Hello,
I'm not sure if my ruleset is correct, but I've noticed a strange
ruleset behavior.
OS: FreeBSD 4.11-STABLE #7:
Here's my ruleset.
desc:
table 5 ip+bw for download
table 6 ip+bw for upload ($ip,$bw)
table 1 (ip, hosts allowed to use internet)
NAT via IPNAT + patch for ipnat/ipfw order
-------------
## sysctls
sysctl -w net.inet.ip.fw.one_pass=0
sysctl -w net.inet.ip.fw.dyn_max=10000
# Flush rules
##############
${fwcmd} -fq flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} zero
${fwcmd} table 1 flush
${fwcmd} table 5 flush
${fwcmd} table 6 flush
myip="x.x.x.x"
int_if1="rl0"
int_if2="rl1"
ext_if1="xl0"
trusted="x.x.x.y,z.z.z.z"
up_conn_limit=20
down_conn_limit=20
goodtcptoports="22,21,25,80,110,443,3389,3306,8074,995,993,567"
## trusted hosts
${fwcmd} add 20 allow ip from $trusted to me
${fwcmd} add 20 allow ip from me to $trusted
# me -> outside PASS
${fwcmd} add 30 allow tcp from me to any out setup keep-state
${fwcmd} add 30 allow udp from me to any out keep-state
${fwcmd} add 100 set 1 allow ip from any to any via lo0
${fwcmd} add 110 set 1 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 set 1 deny ip from 127.0.0.0/8 to any
# netbios BLOCK
${fwcmd} add 130 deny ip from any to any 137-139
# icmp
${fwcmd} add 140 allow icmp from any to any
${fwcmd} add 150 allow ip from any to any via $int_if1
${fwcmd} add 150 allow ip from any to any via $int_if2
# SNORT p2p (table 1 = hosts allowed for internet usage)
${fwcmd} add 160 divert 8000 ip from table\(1\) to any
${fwcmd} add 161 divert 8000 ip from any to table\(1\)
# these are pipes with mask src-addr 0xffffffff ipfw table($ip,$bw)
${fwcmd} add 10001 pipe 11 ip from any to table\(5,2048\) in recv $ext_if1
${fwcmd} add 10002 pipe 13 ip from any to table\(5,256\) in recv $ext_if1
${fwcmd} add 10003 pipe 15 ip from any to table\(5,512\) in recv $ext_if1
${fwcmd} add 10004 pipe 18 ip from any to table\(5,128\) in recv $ext_if1
${fwcmd} add 10005 pipe 19 ip from any to table\(5,1024\) in recv $ext_if1
${fwcmd} add 10006 pipe 12 ip from table\(6,2048\) to any out xmit $ext_if1
${fwcmd} add 10007 pipe 14 ip from table\(6,256\) to any out xmit $ext_if1
${fwcmd} add 10008 pipe 16 ip from table\(6,512\) to any out xmit $ext_if1
${fwcmd} add 10009 pipe 17 ip from table\(6,128\) to any out xmit $ext_if1
${fwcmd} add 10010 pipe 20 ip from table\(6,1024\) to any out xmit $ext_if1
${fwcmd} add 45000 check-state
${fwcmd} add 45100 allow tcp from table\(1\) to any not $goodtcptoports out xmit $ext_if1 setup limit src-addr $up_conn_limit
${fwcmd} add 45200 allow udp from table\(1\) to any out xmit $ext_if1 limit src-addr $up_conn_limit
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state
${fwcmd} add 45400 allow udp from table\(1\) to any out xmit $ext_if1 keep-state
# outside -> me PASS
${fwcmd} add 64000 allow tcp from any to me 80,443,22 setup keep-state
# outside -> LAN hosts PASS
${fwcmd} add 64100 allow tcp from any to 10.0.5.36 3389 setup keep-state
${fwcmd} add 65000 deny log logamount 10000000 ip from any to any
-------- ENDRULES --------------
Though I see http working, I notice in the ipfw logs hits on rule 65000:
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
....
Shouldn't this be handled by:
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state ?
Thanks,
--
Robert
More information about the freebsd-ipfw mailing list
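The following is an added example, not code from the original message or from FreeBSD. It parses the ipfw log lines quoted in the post and, for each dropped packet, replays the static part of the posted ruleset that an outbound TCP packet on xl0 can reach (rules 45000 to 65000), to state why 45300 could not have accepted it. Two facts drive the verdict: `setup` matches only a packet with SYN set and ACK clear, and `check-state` (45000) accepts a non-SYN packet only if a dynamic rule for that flow exists. So for a source that is in table(1) and a port in goodtcptoports, a hit on 65000 means the packet carried no SYN and no dynamic state matched it. The contents of table(1) are not given in the post, so the `TABLE1` list below is an assumption; the log lines are copied from the post.

```python
"""Triage of the ipfw 'Deny' log lines quoted in the post.

Added example, not from the original message or from FreeBSD. The membership
of ipfw table(1) is an ASSUMPTION (the post never lists it); the log lines are
copied from the post.
"""
import ipaddress
import re
from collections import Counter

# Taken from the posted ruleset.
GOODTCPTOPORTS = {22, 21, 25, 80, 110, 443, 3389, 3306, 8074, 995, 993, 567}
EXT_IF = "xl0"
FINAL_DENY = 65000

# ASSUMPTION: what table 1 contains; the post only shows 10.0.x.x sources.
TABLE1 = [ipaddress.ip_network("10.0.6.0/24")]

# Matches the FreeBSD 4.x ipfw log format seen in the post.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)


def parse_log_line(line):
    """Return a dict for one ipfw log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def in_table1(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TABLE1)


def terminating_rule(src, dport, syn, has_state):
    """Replay rules 45000-65000 of the posted ruleset for an outbound TCP
    packet leaving via xl0 from a LAN host and return the rule that ends the
    walk. Rules before 45000 do not terminate it for such a packet: 20/30 are
    for 'me', 100-140 are lo0/netbios/icmp, 150 is the internal interfaces,
    the diverts hand the packet back, and the pipes continue (one_pass=0).
    """
    if has_state:
        return 45000  # check-state accepts a packet with a dynamic rule
    if syn and in_table1(src):
        # 45100 covers ports *not* in goodtcptoports, 45300 covers the rest.
        return 45100 if dport not in GOODTCPTOPORTS else 45300
    # 64000/64100 are 'to me' / 'to 10.0.5.36' and cannot match; deny wins.
    return FINAL_DENY


def explain_drop(entry):
    """Why this packet fell through to 65000, derived from the static rules."""
    if (entry["action"] != "Deny" or entry["rule"] != FINAL_DENY
            or entry["proto"] != "TCP" or entry["direction"] != "out"
            or entry["iface"] != EXT_IF):
        return "not-an-outbound-tcp-drop"
    src, dport = entry["src"], entry["dport"]
    if not in_table1(src):
        return "source-not-in-table1"
    # A SYN from a table(1) host is accepted by a setup rule, so the dropped
    # packet carried no SYN and check-state found no dynamic rule for it.
    creator = terminating_rule(src, dport, syn=True, has_state=False)
    return f"no-dynamic-state (state should have come from rule {creator})"


def triage(lines):
    """Count the verdicts for a batch of log lines."""
    verdicts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            verdicts[explain_drop(entry)] += 1
    return verdicts


# Log lines copied from the post.
POSTED_LOG = """\
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
""".splitlines()

if __name__ == "__main__":
    for verdict, n in triage(POSTED_LOG).items():
        print(f"{n:3d}  {verdict}")
```

With the assumed table(1) the 10.0.0.91 line is explained by the source not being in the table at all, and every other line is a non-SYN packet for which check-state found no dynamic rule. The things to look at on the box are therefore whether each dropped source really is in `ipfw table 1 list`, and whether the dynamic rules for those flows exist or have expired (`ipfw -d show` lists them; idle established flows time out after net.inet.ip.fw.dyn_ack_lifetime seconds, and later segments of such a flow land on 65000 exactly as logged).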