Re: ipfw2+divert; why divert rule is ignored?

2006-03-10 Thread Andrew Pantyukhin
On 3/10/06, Vladimir [EMAIL PROTECTED] wrote:
 FreeBSD 5.4

 Specifically, I can't figure out why rule 3800 is ignored...  :confused:

ipfw is not malicious enough to just go and ignore rules :)
Try adding a count rule immediately before or after the
ignored rule. Most likely there are simply no such packets
(for example, a routing glitch).
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ipfw2 NAT/forwarding config for bittorrent

2005-10-25 Thread Richard Burakowski

Kenneth W Cochran wrote:


How do I configure ipfw2 for properly forwarding the bittorrent
ports (6881-6889) to the destination machine?  Log_in_vain is
 


natd(8) -redirect_port
ipfw will just forward the packet, whereas natd will rewrite it.


Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Chuck Swiger

Stec John wrote:
I need some help with ipfw2 on my squid box 


I have too many dynamic rules errors for dns
Can I insert a dns static rule into my rules (as below) and how?

[ ... ]

# allow DNS,NTP queries out in the world
add pass udp from any 1024-65535 to any 53,123
add pass udp from any 53,123 to any 1024-65535
add pass udp from any 53,123 to any 53,123
add pass tcp from me to any 53 setup keep-state

Note that you probably want to use the combination of setup keep-state 
elsewhere in your rules, too.


--
-Chuck



Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Chuck Swiger

Stec John wrote:

Hi Chuck, are you suggesting to add these dns rules on top of the existing
rules?


Yes.


Can I use allow instead of pass?


Yes, they mean the same thing:


 allow   Allow packets that match rule.  The search terminates.
 Aliases are pass, permit and accept.

--
-Chuck


Re: ipfw2 - too many dynamic rules

2005-10-18 Thread Stec John
Hi Chuck, are you suggesting to add these dns rules on top of the existing
rules?
Can I use allow instead of pass?



Re: ipfw2 and clearing a rules state table records

2005-07-01 Thread Dmitry Mityugov
On 7/1/05, fbsd_user [EMAIL PROTECTED] wrote:
 Is there a way in 5.4 ipfw2 to reset/delete/clear a stateful rule's records
 in the state table?

Never tried this myself, but probably by temporarily lowering
net.inet.ip.fw.dyn_*_lifetime?

-- 
Dmitry

We live less by imagination than despite it - Rockwell Kent, N by E


Re: ipfw2 filtering on bridge

2005-06-23 Thread Alin-Adrian Anton

Ben wrote:
I'm sorry, I can't send this to the list because my messages to the list 
bounce because reverse DNS isn't set up.




No worries, thanks a lot for answering.

This is funny, I just set this up for the first time yesterday except I 
set everything up to have no IP addresses so that the firewall would be 
invisible to anyone. I think I see what is wrong with your setup...


You've got to change net.link.ether.bridge_ipfw=1 to 
net.link.ether.bridge.ipfw=1 in /etc/sysctl.conf. The handbook 
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html) 
says that net.link.ether.bridge_ipfw=1 was updated in 5.2-RELEASE.




net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge_ipfw=1

# sysctl net.link.ether.bridge.ipfw=1
net.link.ether.bridge.ipfw: 1 -> 1
#

# ipfw add deny icmp from any to any
00100 deny icmp from any to any
#

# ipfw show
00100  0 0 deny icmp from any to any
65535 931748 651891769 allow ip from any to any
#

PING EXT_IP_BEHIND_BRIDGE: 56 data bytes
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=0 ttl=233 time=74.399 ms
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=1 ttl=233 time=106.194 ms

Seems not to be working :(

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

It is dangerous to be right when the government is wrong. - Voltaire


Re: IPFW2 verrevpath versrcreach antispoof

2005-02-27 Thread abu khaled
I hope I am sending this post to the right mailing list !!!

On Mon, 28 Feb 2005 07:06:58 +0200, abu khaled [EMAIL PROTECTED] wrote:
 Greetings...
 
 I recently built world and kernel with ipfw support. Can someone
 provide examples on how to use these options (verrevpath, versrcreach
 and antispoof). What can they be used for and what can't they! And how to use
 them (proper syntax).
 
 Excuse my poor English! I am new to FreeBSD and UNIX / LINUX.
 However, thanks to searching the mailing lists I managed to set up a
 FreeBSD box. I use it as a router with squid as a transparent proxy
 and Bind forwarding DNS.
 
 FreeBSD *.*5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #0: Sat Feb
 26 07:19:15 IST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/XNET530
 i386



Re: ipfw2 and preproc

2004-12-16 Thread Chuck Swiger
[EMAIL PROTECTED] wrote:
I have read the man page for ipfw and searched the web looking for examples
of using ipfw2 and the preprocessor option.
Does anybody have any examples?
Try something like the following in /etc/rc.conf:

#firewall_type='/etc/MY_firewall'
#firewall_flags='-p /usr/bin/cpp'

...and create /etc/MY_firewall containing:

# set these to your inside interface network and netmask and ip
#define IIF sis0
#define INET 192.168.1.0/24
#define IIP 192.168.1.2
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
# dynamic rules
add check-state
add allow tcp from any HIPORTS to INET 22,80,143,443,3128 setup keep-state
add allow ip from INET to any keep-state
add 65000 deny log ip from any to any
--
-Chuck


Re: IPFW2

2004-12-13 Thread Kevin D. Kinsey, DaleCo, S.P.
Doloonkhuch wrote:

Dear sir,
Now I'm using FreeBSD 5.2.1 release but now I can't compile a new
kernel with the IPFIREWALL_FORWARD option. Please tell me whether port forwarding
works or not on FreeBSD 5.2.1 release. I think maybe the IPFIREWALL options
are already included.

Best regards
Doloonkhuch.A
There is no need for the IPFIREWALL_FORWARD option; this functionality
is built in and has been for a long time.  Refer to:

http://lists.freebsd.org/pipermail/freebsd-current/2003-November/014599.html

HTH,
Kevin Kinsey


Re: ipfw2 or ipfilter

2004-08-16 Thread Matthew Seaman
On Mon, Aug 16, 2004 at 06:46:23PM +0200, Stefan Cars wrote:

 I'm looking into if I should go with ipfw2 or ipfilter, anyone that could
 point me to some links or tell me pro's and con's (both feature and
 performance wise).

Unless you're running quite a complicated setup or have specific
requirements then there isn't really any preference for one over the
other.  If you're running a typical home system, even with say, a
10Mbit/s cable modem connection, any reasonably modern FreeBSD machine
is going to be able to do firewall filtering without breaking into a
sweat.  You'd need some quite fancy hardware to detect performance
differences between the two.

Probably the biggest reason to choose one over the other is simple
personal preference between the different rule-set styles.  ipfw is
'first match wins' (hence rule sets tend to be ordered from most to
least specific).  ipfilter is 'last match wins', so the most general
rules tend to go at the top of rulesets -- although there are special
'quick' rules that can shortcut the process.

In general both firewalls have very similar functionality.  ipfw(8)
can act as a filtering bridge and it can provide weighted fair queuing
and bandwidth limited pipes in conjunction with dummynet(4).  ipfilter
seems to have more complete IPv6 support than ip6fw.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: [from newbies] RE: IPFW2 + 4.10

2004-06-28 Thread Matt Juszczak
Matt,
IPFW2 is not compiled into 4.10 by default. At a shell, type man ipfw,
then a single forward slash (to bring up the search tool), then search
for STABLE a couple of times; directions are in there.

Here it is anyway
USING IPFW2 IN FreeBSD-STABLE
ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
a buildworld).
Hope that helps,
Matt





[from newbies] RE: IPFW2 + 4.10

2004-06-27 Thread clayton rollins
On June 28, 2004, Matt [EMAIL PROTECTED] wrote:
Hello freebsd-newbies,
  I am still fairly new at the BSD level, migrated from linux. The
  question that I have is, is Version 4.10 kernel compiled with IPFW2,
  I know the doc's say that CURRENT version has and that it was
  implemented in 2002, yet the doc's say that STABLE does not have
  it compiled into the kernel.
  Can some one please clarify
  --
Best regards,
 Matt  mailto:[EMAIL PROTECTED]
Hi Matt,
(Can't reply on -newbies, it's a list charter thing :).)
4.x versions come from the STABLE branch  and, so, do not
have ipfw2 compiled in the kernel by default. (Instead, they
use the older, and more tested, ipfw.)
If you want ipfw2, refer to 'man 8 ipfw', the section using
ipfw2 on freebsd-stable, for very good instructions.
Regards,
Clayton



Re: IPFW2 Mac Address Filtering

2004-05-25 Thread Christian Hiris
On Tuesday 25 May 2004 17:57, Elijah A.Chancey wrote:
 I've searched high and low, and have read many times that doing mac
 address filtering with ipfw is possible.

 I'm running 4.9, have recompiled the kernel with 'options ipfw2', and
 have recompiled libalias & ipfw with ipfw2 support.

 I've read through the man pages, and I can't make this particular rule
 work.

 I need to block all IP packets EXCEPT for packets coming from specific
 MAC addresses.

 Can anyone give me an example of specifically how I should form this
 rule?

 Elijah Chancey
 NetlinkIP Sysadmin


Don't forget to set sysctl net.link.ether.ipfw=1.

[...]

# eth0: MAC of firewall NIC
# eth1: MAC of NIC to allow
# eth_broadcast: broadcast address  

eth0=00:04:00:00:00:01
eth1=00:04:00:00:00:02
eth_broadcast=ff:ff:ff:ff:ff:ff

${fwcmd} add pass MAC ${eth0} ${eth1}  
${fwcmd} add pass MAC ${eth1} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth1}

[...]


regards
ch

-- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu




RE: ipfw2

2003-12-23 Thread Lee Dilkie
 From man ipfw
 ---
 src and dst: {addr | { addr or ... }} [[not] ports]
 addr: [not] {any | me | addr-list | addr-set}
 addr-set: addr[/masklen]{list}
 list: {num | num-num}[,list]
 ---

 I think that it's right:
 ipfw 1000 add permit all from 192.168.1.1/24{3,5,9} to any
 but I see the following:
 ipfw: bad width ``243''

 If I do:
 ipfw 10005 add permit all from
 192.168.1.3,192.168.1.5,192.168.1.9 to any

What are you trying to do/say?

192.168.1.1/24{3,5,9} translates to 192.168.1.1/243, 192.168.1.1/245 or 192.168.1.1/249.
All of which are illegal, /xx cannot exceed 32 in value (32 bits to an IPv4
internet address). Hence the bad width error message.

-lee




Re: ipfw2

2003-12-23 Thread Matthew Seaman
On Tue, Dec 23, 2003 at 08:51:57AM -0500, Lee Dilkie wrote:

  I think that it's right:
  ipfw 1000 add permit all from 192.168.1.1/24{3,5,9} to any
  but I see follwing:
  ipfw: bad width ``243''

 
  192.168.1.1/24{3,5,9} translates to  192.168.1.1/243,  192.168.1.1/245 or
 192.168.1.1/249.

Uh, at least, not in ipfw2 rulesets it doesn't.  Where it does expand
like that is in csh(1), bash(1), zsh(1) and similar shells (but not
sh(1)):

% echo 192.168.1.1/24{3,5,9}
192.168.1.1/243 192.168.1.1/245 192.168.1.1/249

Perhaps the original poster was typing the rules in at the command
prompt?  In which case, simply use a few quote marks to stop the
shell interfering:

# ipfw add 1000 permit all from '192.168.1.1/24{3,5,9}'

Or load the rules out of a file.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


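As an added illustration of the two explanations above (Lee's reading of the "bad width" error and Matthew's point about shell brace expansion), the following Python is my own constructed code, not ipfw's parser: it expands an ipfw2 addr-set token the way ipfw reads a quoted rule, and models what an unquoted token becomes at a csh/bash prompt. The 24..32 width limit for address sets and the exact error wording are assumptions from my reading of ipfw(8).

```python
"""Expand ipfw2 'addr/masklen{list}' address sets, and show what a csh/bash
prompt turns such a token into before ipfw ever sees it.

Constructed example, not ipfw's own parser. Assumed from my reading of
ipfw(8): an address set needs a mask width of 24..32, and each number in
the list must fit in the host part, i.e. be below 2**(32 - masklen)."""
import ipaddress
import re

# addr[/masklen][{list}] with a dotted-quad addr (hostnames not modelled)
ADDR_RE = re.compile(
    r"^(?P<addr>\d+(?:\.\d+){3})(?:/(?P<width>\d+))?(?:\{(?P<list>[^}]*)\})?$")


def parse_list(spec):
    """'3,5,9-11' -> [3, 5, 9, 10, 11]  (ipfw list: num | num-num, comma separated)."""
    out = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        hi = hi or lo
        out.extend(range(int(lo), int(hi) + 1))
    return out


def expand_addr(spec):
    """Return the host addresses (or the network) an ipfw2 addr token matches.

    Raises ValueError in ipfw's wording when the mask width is not a legal
    IPv4 prefix length, which is exactly what '192.168.1.1/243' triggers.
    """
    m = ADDR_RE.match(spec)
    if not m:
        raise ValueError(f"ipfw: bad address ``{spec}''")
    width = int(m["width"]) if m["width"] else 32
    if width > 32:
        raise ValueError(f"ipfw: bad width ``{width}''")
    net = ipaddress.ip_network(f"{m['addr']}/{width}", strict=False)
    if m["list"] is None:
        return [str(net)]
    if width < 24:  # assumed ipfw(8) constraint for address sets
        raise ValueError(f"ipfw: set width must be 24..32, got {width}")
    hosts = 1 << (32 - width)
    result = []
    for n in parse_list(m["list"]):
        if not 0 <= n < hosts:
            raise ValueError(f"ipfw: {n} outside the /{width} block of {hosts} hosts")
        result.append(str(net.network_address + n))
    return result


def shell_brace_expand(word):
    """Model of csh/bash '{a,b,c}' expansion (a POSIX sh leaves the word alone)."""
    m = re.search(r"\{([^{}]*,[^{}]*)\}", word)
    if not m:
        return [word]
    words = []
    for alt in m.group(1).split(","):
        words.extend(shell_brace_expand(word[:m.start()] + alt + word[m.end():]))
    return words


def addr_error(spec):
    """Error message ipfw would print for spec, or None if it parses."""
    try:
        expand_addr(spec)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    token = "192.168.1.1/24{3,5,9}"
    print("quoted, as ipfw sees it:", expand_addr(token))
    for w in shell_brace_expand(token):  # what an unquoted token becomes in bash/csh
        print(w, "->", addr_error(w))
```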


Re: ipfw2/dummynet + ipfilter not working together ?

2003-10-06 Thread Jez Hancock
On Mon, Oct 06, 2003 at 11:20:20PM +0200, Artur Pydo wrote:
 So, my question is : Are there some incompatibilities between
 ipfw2/dummynet and IPFilter or maybe there is a bug somewhere ?
I use ipf for filtering and ipfw2 for dummynet without a problem -
sounds like a problem with the dummynet side if you have ipf running ok
and ipfw2 with an allow all policy.


-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/


Re: IPFW2

2003-09-22 Thread Bruce M Simpson
[Redirected to -questions]

On Mon, Sep 22, 2003 at 08:07:13PM +0200, Uwe Klann wrote:
 From the Log file IPFW:-
 Sep 22 00:24:13 muc /kernel: ipfw: 3300 Accept TCP 217.10.213.30:4418
 217.9.121.209:21 in via fxp0
 
 How can I extend on FreeBSD 4.8 (ipfw2) the log contents to see the transferred
 data file and the amount of bytes that went out? Thank you in advance for your
 help.

It isn't ipfw's job to do this. Configure logging on your ftp daemon by
reading the appropriate manual pages. If you need a logging ftp proxy for
some other reason check the ports tree.

BMS


Re: ipfw2 dynamic rules not dying

2003-02-17 Thread Dan Pelleg
Jason Morgan [EMAIL PROTECTED] writes:

 I have a problem with my dynamic IPFW2 rules - they aren't dying. The
 system has been up now for 14 days, with it acting as firewall to two
 systems inside. One of the systems inside is also running IPFW2, but is
 in an open state. Here is the ruleset I am running, I have made no
 changes to the kernel variables regulating packet time-out - oh, and I'm
 running 4.7.
 
[ruleset]
 
 Currently, I have more than 180 dynamic rules active, most are attached
 to rule 00610. 180 rules seems to be excessive, and they don't seem to
 be timing out. Is my ruleset screwed up?
 
 Thanks
 Jason 
 

IPFW2 will attempt to test if a connection is still open, and if it is will
keep the matching rule intact. Search for keepalive on the ipfw manpage.

-- 

  Dan Pelleg

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: IPFW2 setup

2003-01-31 Thread Jason Morgan
Kernel firewall settings:

options IPFW2
options IPFIREWALL  #Firewall
options IPFIREWALL_VERBOSE  #print info about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=10  #limit verbosity
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=10
options IPDIVERT#Divert sockets
options IPSTEALTH   #support stealth forwarding
options ICMP_BANDLIM#Rate limit bad replies
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP


I can't reach the web from the inside, nor can I ssh to my server.
Everything seems to be getting hung up on rules 310 and 410. I, of
course, want to do away with 32000. In order to get through, I have
temporarily added an 'allow all from any to any' at 210. I'll start
logging the denys and see what happens.

-jason


On Fri, Jan 31, 2003 at 11:56:02AM -0500, Steve Bertrand wrote:
 What part is not working? Can you nat through? Perhaps you could add 
 some logging to see which packets are failing and why.
 Do you have the following in the kernel?
 
 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPDIVERT
 
 Let us know.
 
 Steve
 
 Jason Morgan wrote:
 
 OK, I've read the man page for IPFW a couple times and I am still having
 difficulty setting up a working firewall. The firewall acts as a gateway
 to my inside network as well as a web server and mail server. I also
 need ssh connectivity from inside and out. Also, one odd thing is that I
 have a Zyxel Prestige 643 acting as an additional router between me and
 my DSL connection (I couldn't figure out how to get the router in pure
 bridging mode). It comes in handy, though, as it has a 4-port switch
 built in and can also act a firewall and does the PPPoE easy enough.
 
 NICs:
 xl0 as 192.168.1.101 (to Zyxel and outside)
 dc0 as 10.0.0.1 (inside)
 
 Current IPFW config:
 
 -
 
 # Basics
 add 00010 pass all from any to any via lo0
 add 00020 deny all from any to 127.0.0.0/8
 add 00030 deny ip from 127.0.0.0/8 to any
 add 00040 deny ip from any to any frag
 
 # Spoofing Check
 add 00050 deny all from 10.0.0.0/8 to any in via xl0
 add 00060 deny all from 172.16.0.0/12 to any in via xl0
 
 add 00080 allow all from 192.168.1.1 to any in via xl0
 add 00085 deny all from 192.168.0.0/16 to any in via xl0
 
 # Divert
 add 00100 divert natd all from any to any via xl0
 
 # Allowances
 add 00200 allow all from any to any in via dc0
 
 # Check state of dynamic rules
 add 00220 check-state
 
 # UDP
 add 00300 allow udp from any to any out setup
 add 00310 deny udp from any to any established
 add 00320 allow udp from any to any 53 in via xl0 setup keep-state
 
 # TCP
 add 00400 allow tcp from any to any out setup keep-state
 add 00410 deny tcp from any to any established
 add 00420 allow tcp from any to any 22,25,80 in setup keep-state
 
 
 add 32000 allow all from any to any
 
 
 
 Could anyone offer some advice?
 
 Regards,
 
 Jason
 
 
 
  
 
 
 




Re: IPFW2 denies packet although they match ALLOW rule?

2002-11-09 Thread Giorgos Keramidas
Please wrap your posts (everything except for computer output),
below 70-80 columns.  It's very hard to read otherwise :-/

Micael Ebbmar [EMAIL PROTECTED] wrote:
: Excuse me if I'm posting to the wrong list, I thought at first that
: freebsd-ipfw should be the correct one, but obviously only
: discussion about the redesign of IPFW should be discussed there.

True.

: A week ago, I made the transition from IPFW to IPFW2 (on my
: 4.7-Stable box), and I thought it would be a good idea to rewrite my
: previous stateless rules to stateful.  After a few days I noticed in
: /var/log security that IPFW once in a while blocks outbound packets
: to my pop servers and a webserver, which I've allowed in a previously
: rule (0310).  I still can pop my mail and browse the web without any
: problems, but I'm stil curious why it denies the packets. Can it be
: that the stateful rule has expired and the interface is
: resending/receiving some old packets? If so, is that normal or an
: indication of a broken NIC?   Or is any of the sysctl variables
: net.inet.ip.fw.* too short? (Haven't touched them yet)

Web clients sometimes cache connections to web servers, hoping to save
some time by avoiding a reconnect for every GET request.  Could it be
that your client thinks that a cached connection is still valid long
after the dynamic ipfw rule has expired?

: Log snippet of /var/log/security:
: 
: Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
: Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
: [...]
: And my rules look like this:
: 
: add 0200 reset log tcp from any to any 113
: add 0300 check-state
: add 0305 deny tcp from any to any in established
: add 0310 allow tcp from any to any out setup keep-state
: [...]
: add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state

Doesn't rule 0310 make rule 0350 redundant?

: add 1000 deny log logamount 1000 ip from any to any via ep1





Re: IPFW2 denies packet although they match ALLOW rule?

2002-11-09 Thread Micael Ebbmar
* Giorgos Keramidas [EMAIL PROTECTED] [021109 23:11]:
 
 Web clients some times cache connections to web servers, hoping to save
 some time from avoiding a reconnect for every GET request.  Could it be
 that your clients thinks that a cached connection is still valid long
 after the dynamic ipfw rule has expired?

Well, that's a possibility.. esp. with all those banners that refresh every now
and then.

But that doesn't explain why the computer tries to contact the pop servers (through
Fetchmail) even after the normal connection has been terminated. Since Fetchmail has
finished the conversation with the pop servers, the rule terminates. Then after
some time, it tries to connect again (note: not initialize, since obviously the SYN
isn't set and there it's blocked by rule 1000).
I just find it very odd.

 
 : Log snippet of /var/log/security:
 : 
 : Nov  8 00:25:42 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
 : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1940 207.174.189.161:80 out via ep1
 : Nov  8 00:26:12 grendel /kernel: ipfw: 1000 Deny TCP 213.64.x.x:1938 207.174.189.161:80 out via ep1
 : [...]
 : And my rules look like this:
 : 
 : add 0200 reset log tcp from any to any 113
 : add 0300 check-state
 : add 0305 deny tcp from any to any in established
 : add 0310 allow tcp from any to any out setup keep-state
 : [...]
 : add 0350 allow tcp from me to 10.0.0.6 80 setup keep-state
 
 Doesn't rule 0310 make rule 0350 redundant?

Ah, sure it is redundant! Thanx for pointing it out :)

 
 : add 1000 deny log logamount 1000 ip from any to any via ep1

Cheers,
Micke
