Please wrap your posts (everything except for computer output),
below 70-80 columns.  It's very hard to read otherwise :-/

Micael Ebbmar <[EMAIL PROTECTED]> wrote:
: Excuse me if I'm posting to the wrong list, I thought at first that
: freebsd-ipfw should be the correct one, but obviously only
: discussion about the redesign of IPFW should be discussed there.

True.

: A week ago, I made the transition from IPFW to IPFW2 (on my
: 4.7-Stable box), and I thought it would be a good idea to rewrite my
: previous stateless rules to stateful.  After a few days I noticed in
: /var/log/security that IPFW once in a while blocks outbound packets
: to my pop servers and a webserver, which I've allowed in a previous
: rule (0310).  I still can pop my mail and browse the web without any
: problems, but I'm still curious why it denies the packets. Can it be
: that the stateful rule has expired and the interface is
: resending/receiving some old packets? If so, is that normal or an
: indication of a broken NIC?   Or is any of the sysctl variables
: net.inet.ip.fw.* too short? (Haven't touched them yet)

Web clients sometimes cache connections to web servers, hoping to save
some time by avoiding a reconnect for every GET request.  Could it be
that your client thinks that a cached connection is still valid long
after the dynamic ipfw rule has expired?

: Log snippet of /var/log/security:
: 
: Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: [...]
: And my rules look like this:
: 
: add 0200 reset log tcp from any to any 113
: add 0300 check-state
: add 0305 deny tcp from any to any in established
: add 0310 allow tcp from any to any out setup keep-state
: [...]
: add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

Doesn't rule 0310 make rule 0350 redundant?

: add 1000 deny log logamount 1000 ip from any to any via ep1

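A quick way to test the "stale cached connection" theory from the logs,
added here as an illustration and not part of the original thread: group
the ipfw deny lines by 4-tuple (source address, source port, destination
address, destination port).  A fresh connection starts with a SYN, which
matches the `setup keep-state` rule and gets a new dynamic entry, so it
never reaches rule 1000.  A client reusing an old socket keeps the same
source port and sends non-SYN packets, which match nothing after the
dynamic entry has expired and are logged again and again under rule 1000.
The script below uses the three log lines quoted above plus one
constructed extra line (the 00:31:30 entry) so the pattern is visible;
the log format is assumed to be exactly the syslog form shown in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three denials quoted in the post plus one extra,
# invented line at 00:31:30 to show a socket being retried for minutes.
SAMPLE_LOG = """\
Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
Nov  8 00:31:30 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
"""

# Matches the ipfw log line layout quoted in the post (assumed fixed).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Parse one ipfw syslog line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # syslog carries no year; %b %d %H:%M:%S is enough for time differences.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "rule": int(m["rule"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "dir": m["dir"],
        "iface": m["iface"],
    }


def denied_flows(log_text):
    """Map each denied 4-tuple to the list of timestamps it was denied at."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key].append(rec["ts"])
    return flows


def stale_connections(log_text, min_hits=2):
    """Return (4-tuple, hit count, seconds between first and last denial)
    for every flow denied at least min_hits times.

    A source port that is denied repeatedly over a span of minutes is a
    socket the client kept reusing after its keep-state entry expired: a
    new connection would have sent a SYN, matched the setup rule and got
    a fresh dynamic entry instead of falling through to the deny rule.
    """
    result = []
    for key, stamps in denied_flows(log_text).items():
        if len(stamps) >= min_hits:
            span = (max(stamps) - min(stamps)).total_seconds()
            result.append((key, len(stamps), span))
    return sorted(result)


if __name__ == "__main__":
    for (src, sport, dst, dport), hits, span in stale_connections(SAMPLE_LOG):
        print(f"{src}:{sport} -> {dst}:{dport}: denied {hits} times over {span:.0f}s")
```

Run it against the real /var/log/security instead of `SAMPLE_LOG`.  If
the only repeated 4-tuples are ones whose span is longer than the value
of the relevant `net.inet.ip.fw.dyn_*_lifetime` sysctl on the box, the
denials are retransmissions on connections whose dynamic rule has
already expired, not a NIC fault; ports that show up exactly once and
never again are new connections that were simply not SYNs.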
