IPFW2 denies packet although they match ALLOW rule?

Micael Ebbmar Sat, 09 Nov 2002 09:30:24 -0800

Excuse me if I'm posting to the wrong list, I thought at first that freebsd-ipfw 
should be
the correct one, but obviously only discussion about the redesign of IPFW should be 
discussed there.


Anyways, I hope someone can help me here..

A week ago, I made the transition from IPFW to IPFW2 (on my 4.7-Stable box), and I 
thought it would
be a good idea to rewrite my previous stateless rules to stateful.
After a few days I noticed in /var/log security that IPFW once in a while blocks 
outbound
packets to my pop servers and a webserver, which I've allowed in a previously rule 
(0310).
I still can pop my mail and browse the web without any problems, but I'm stil curious 
why it denies the packets. Can it be
that the stateful rule has expired and the interface is resending/receiving some old 
packets? If so, is that normal or an
indication of a broken NIC?
Or is any of the sysctl variables net.inet.ip.fw.* too short? (Haven't touched them 
yet)

Log snippet of /var/log/security:


Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 
207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 
207.174.189.161:80 out via ep1
Nov  8 00:26:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:26:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:26:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:26:27 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:26:29 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:26:33 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:26:41 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:26:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:26:45 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 
207.174.189.161:80 out via ep1
Nov  8 00:26:57 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:27:15 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 
207.174.189.161:80 out via ep1
Nov  8 00:27:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1939 
207.174.189.161:80 out via ep1
Nov  8 00:27:49 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 
207.174.189.161:80 out via ep1
...
Nov  8 16:47:10 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:47:31 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:48:14 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:49:18 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:50:22 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:51:26 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:52:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:53:34 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:54:38 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:55:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:56:46 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:57:50 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1
Nov  8 16:58:54 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:2529 66.54.152.7:110 
out via ep1

And my rules look like this:

# Identd
add 0200 reset log tcp from any to any 113

# Only allow outbound TCP connections I have created
add 0300 check-state

# Deny packets with ACK flag set which doesn't match the above rule
add 0305 deny tcp from any to any in established

# Allow all outgoing setup TCP connections (SYN)
add 0310 allow tcp from any to any out setup keep-state

# Allow login on ISP
add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

# Allow DNS
add 0400 allow udp from me to 10.0.0/24{1,2} 53 keep-state out xmit ep1

# Allow DHCP offers and requests
add 0500 allow udp from me 68 to 213.64.75.1 keep-state out via ep1

# Allow ntpd to lth.se and ntp1.sp.se
add 0600 allow ip from me 123 to 130.235.20.3 keep-state out via ep1

# Allow some ICMP types (dest. unreachable, source quench,
# echo reply/request, time exceed)
add 0650 allow icmp from any to any icmptypes 3,4
add 0655 allow icmp from any to any icmptypes 8 out
add 0660 allow icmp from any to any icmptypes 0,11 in

# Allow access to my webserver from school
add 0700 allow tcp from 193.10.0.0/16 to me 80 setup keep-state in via ep1

# Allow ssh access from school
add 0750 allow tcp from 193.10.0.0/16 to me 22 setup keep-state in via ep1

# Deny and log the rest
add 1000 deny log logamount 1000 ip from any to any via ep1


As long as it's working fine, I really shouldn't bother, but I'm curious about it, and 
it's a real logfiller..

Cheers,
Micke

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

IPFW2 denies packet although they match ALLOW rule?

Reply via email to