Trouble with IPFW or TCP?
Julian Elischer
julian at elischer.org
Fri Apr 4 04:41:35 UTC 2008
Ian Smith wrote:
> On Thu, 3 Apr 2008, Julian Elischer wrote:
> > Ivan Voras wrote:
> > > Erik Trulsson wrote:
> > >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> > >>> In which case would an ipfw ruleset like this:
> > >>>
> > >>> 00100 114872026 40487887607 allow ip from any to any via lo0
> > >>> 00200 0 0 deny ip from any to 127.0.0.0/8
> > >>> 00300 0 0 deny ip from 127.0.0.0/8 to any
> > >>> 00600 1585 112576 deny ip from table(0) to me
> > >>> 01000 90279 7325972 allow icmp from any to any
> > >>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> > >>> 05100 634155 65779377 allow udp from me to any keep-state
> > >>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
> > >>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
> > >>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
> > >>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
> > >>> 65400 12273387 629703212 deny log ip from any to any
> > >>> 65535 0 0 deny ip from any to any
> > >>
> > >> If you are using 'keep-state' should there not also be some rule
> > >> containing
> > >> 'check-state' ?
> > >
> > > Not according to the ipfw(8) manual:
> > >
> > > """
> > > These dynamic rules, which have a limited lifetime, are checked at the
> > > first occurrence of a check-state, keep-state or limit rule, and are
> > > typically used to open the firewall on-demand to legitimate traffic only.
> > > See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > > information on the stateful behaviour of ipfw.
> > > """
> > >
> > > I read this to mean the dynamic rules are checked at rule #5000 from the
> > > above list. Is there an advantage to having an explicit check-state rule
> > > in simple rulesets like this one?
> >
> > The docs are wrong then, I think.
>
> If so, they've been wrong since 4.something .. certainly before 4.8.
> It's hard to imagine nobody else has ever relied on that doc behaviour,
> so perhaps the docs, if wrong, have become so at some more recent time?
Not that I have known... keep-state does not (and never has) include
an implicit check-state.
I think the document is talking about the lifetime.
Each time a keep-state or check-state or limit is hit,
the TTL is kicked.
>
> I guess the simple way to find out is for Ivan to add a check-state
> somewhere before the first keep-state, affecting all new connections.
>
> If that doesn't fix the problem, then it looks like the denied packets
> really are coming in from non-established sessions, as they would appear
> on the surface - if it wasn't known that the sources should be good!
>
> No chance net.inet.ip.fw.dyn_count is hitting net.inet.ip.fw.dyn_max ?
>
> cheers, Ian
>
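As an added example, not part of the thread and not FreeBSD's own code: a small POSIX shell lint that makes the experiment Ian proposes mechanical. It checks, purely by text, whether a check-state rule precedes the first keep-state or limit rule in a ruleset, and inserts one at a chosen rule number if not. It does not settle the semantic question the thread argues about (whether keep-state already performs the lookup); it only shows the before and after ruleset. The sample input is Ivan's ruleset with the counter columns stripped and the wrapped lines rejoined; the function names and the rule number 4000 for the inserted check-state are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Input format assumed: one
# "NNNNN action ..." rule per line, as printed by "ipfw list".

# Ivan's ruleset, counters removed, wrapped lines rejoined (constructed input).
ORIG_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00600 deny ip from table(0) to me
01000 allow icmp from any to any
05000 allow tcp from me to any setup keep-state
05100 allow udp from me to any keep-state
06022 allow tcp from any to me dst-port 22 setup keep-state
06080 allow tcp from any to me dst-port 80 setup keep-state
06443 allow tcp from any to me dst-port 443 setup keep-state
07020 allow tcp from any to me dst-port 8080 setup keep-state
65400 deny log ip from any to any
65535 deny ip from any to any'

# Print the number of the first rule that creates dynamic state
# (keep-state or limit); prints nothing if there is none.
first_stateful_rule() {
    printf '%s\n' "$1" |
        awk '/[[:space:]](keep-state|limit)([[:space:]]|$)/ { print $1; exit }'
}

# Print the number of the first check-state rule; nothing if there is none.
first_check_state() {
    printf '%s\n' "$1" | awk '$2 == "check-state" { print $1; exit }'
}

# "ok" if a check-state rule precedes the first keep-state/limit rule,
# "missing" otherwise. The comparison is done in awk so that the
# leading zeros of ipfw rule numbers are not read as octal by the shell.
check_state_placement() {
    printf '%s\n' "$1" | awk '
        $2 == "check-state" && cs == "" { cs = $1 + 0 }
        /[[:space:]](keep-state|limit)([[:space:]]|$)/ && ks == "" { ks = $1 + 0 }
        END {
            if (ks == "")                 print "ok"       # no dynamic rules at all
            else if (cs != "" && cs < ks) print "ok"
            else                          print "missing"
        }'
}

# Emit the ruleset with "NUM check-state" inserted immediately before the
# first keep-state/limit rule. NUM is the caller's choice; it must sort
# below that rule's number for the check to take effect.
add_check_state() {
    printf '%s\n' "$1" | awk -v num="$2" '
        !done && /[[:space:]](keep-state|limit)([[:space:]]|$)/ {
            printf "%05d check-state\n", num; done = 1
        }
        { print }'
}

# Stand-alone demonstration: lint the original, then the corrected ruleset.
echo "original ruleset: check-state $(check_state_placement "$ORIG_RULES")"
FIXED_RULES=$(add_check_state "$ORIG_RULES" 4000)
echo "fixed ruleset:    check-state $(check_state_placement "$FIXED_RULES")"
printf '%s\n' "$FIXED_RULES"
```

The lint deliberately never calls ipfw, so it runs on any box. On the firewall itself the live dynamic table and the limits Ian asks about can be inspected with `ipfw -d list` and `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`.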