Trouble with IPFW or TCP?
Erik Trulsson
ertr1013 at student.uu.se
Thu Apr 3 23:41:04 UTC 2008
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> In which case would an ipfw ruleset like this:
>
> 00100 114872026 40487887607 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00600 1585 112576 deny ip from table(0) to me
> 01000 90279 7325972 allow icmp from any to any
> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> 05100 634155 65779377 allow udp from me to any keep-state
> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
> 65400 12273387 629703212 deny log ip from any to any
> 65535 0 0 deny ip from any to any
If you are using 'keep-state' should there not also be some rule containing 'check-state'?
>
> Generate syslog messages like these:
>
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:60725 my.ip.my.ip:443 in via em0
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387 my.ip.my.ip:443 in via em0
> Apr 4 01:02:06 my.ip kernel: ipfw: 65400 Deny TCP xx.xx.xx.xx:57387
[snip]
--
<Insert your favourite quote here.>
Erik Trulsson
ertr1013 at student.uu.se
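As an added example that is not part of the thread: a small POSIX sh/awk script that summarises ipfw "Deny" syslog lines of the form quoted above ("ipfw: <rule> Deny <proto> <src:port> <dst:port> in via <iface>") by rule number, protocol, destination port, direction and interface, so one can see at a glance which rule is dropping traffic and towards which service before deciding whether a check-state rule or a state-timeout change is the fix. The log lines are constructed; the hostname gw, the interface em0 and the RFC 5737 addresses are placeholders, not values from the original post, and the port parsing assumes IPv4 addresses as in the quoted lines.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipfw "Deny" syslog lines
# by rule number, protocol, destination port, direction and interface.
# Needs only POSIX sh, awk and sort; ipfw itself is not required.

# Constructed sample log. Hostname "gw", interface "em0" and the RFC 5737
# addresses are placeholders. Only rule 65400 carries "log" in the quoted
# ruleset, so it is the only rule that shows up here.
SAMPLE_LOG='Apr  4 01:02:06 gw kernel: ipfw: 65400 Deny TCP 192.0.2.10:60725 198.51.100.1:443 in via em0
Apr  4 01:02:06 gw kernel: ipfw: 65400 Deny TCP 192.0.2.10:57387 198.51.100.1:443 in via em0
Apr  4 01:02:07 gw kernel: ipfw: 65400 Deny TCP 192.0.2.11:40000 198.51.100.1:80 in via em0
Apr  4 01:02:08 gw kernel: ipfw: 65400 Deny UDP 192.0.2.12:53 198.51.100.1:53 in via em0
Apr  4 01:02:09 gw kernel: ipfw: 65400 Deny ICMP:3.3 192.0.2.13 198.51.100.1 in via em0
Apr  4 01:02:11 gw sshd[4242]: Accepted publickey for ops from 192.0.2.20 port 51000 ssh2'

# ipfw_deny_summary: read syslog lines on stdin and print one line per
# (rule, proto, dport, direction, iface) followed by the packet count.
ipfw_deny_summary() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule  = $(i + 1)     # ipfw rule number that dropped the packet
            proto = $(i + 3)     # TCP, UDP, or ICMP:type.code
            dst   = $(i + 5)     # destination address, with :port for TCP/UDP
            dir   = $(i + 6)     # "in" or "out"
            iface = $(i + 8)     # token following "via"
            # the last colon-separated field is the port; this assumes IPv4
            # as in the quoted lines and does not handle IPv6 addresses
            n = split(dst, f, ":")
            dport = (n > 1) ? f[n] : "-"
            count[rule " " proto " " dport " " dir " " iface]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# denies_to_port PORT: total dropped packets to destination PORT in SAMPLE_LOG
denies_to_port() {
    printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary |
        awk -v p="$1" '$3 == p { s += $6 } END { print s + 0 }'
}

# Print the summary for the sample when run directly.
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
```

Feed it the real syslog instead of the sample (for example `grep 'ipfw:' /var/log/security | ipfw_deny_summary`) to see whether the drops at 65400 are concentrated on a port the ruleset already allows with keep-state, which is the symptom the thread is discussing.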