ipfw check-state issue

From: Adi Tirla (tirlaadi_at_gmail.com)
Date: 11/23/05

    Date: Wed, 23 Nov 2005 01:30:06 +0200
    To: freebsd-security@freebsd.org
    
    

    heya

    i've been using freebsd's ipfw for quite a while and recently on a new
    server i've got this issue with ipfw that i can't understand ... something
    is wrong ...

    01000 8042 1947866 allow ip from any to any via fxp0
    01010 0 0 allow ip from any to any via lo0
    01014 9886 4170269 divert 8668 ip from any to any in via vr0
    01015 0 0 check-state
    01130 14679 5695969 skipto 1800 ip from any to any out via vr0 keep-state
    01300 0 0 deny ip from 192.168.0.0/16 to any in via vr0
    01301 0 0 deny ip from 172.16.0.0/12 to any in via vr0
    01302 4 140 deny ip from 10.0.0.0/8 to any in via vr0
    01303 0 0 deny ip from 127.0.0.0/8 to any in via vr0
    01304 0 0 deny ip from 0.0.0.0/8 to any in via vr0
    01305 0 0 deny ip from 169.254.0.0/16 to any in via vr0
    01306 0 0 deny ip from 192.0.2.0/24 to any in via vr0
    01307 0 0 deny ip from 204.152.64.0/23 to any in via vr0
    01308 0 0 deny ip from 224.0.0.0/3 to any in via vr0
    01320 0 0 deny tcp from any to any dst-port 137 in via vr0
    01321 0 0 deny tcp from any to any dst-port 138 in via vr0
    01322 4 192 deny tcp from any to any dst-port 139 in via vr0
    01323 3 144 deny tcp from any to any dst-port 81 in via vr0
    01330 0 0 deny ip from any to any frag in via vr0
    01350 362 71038 deny tcp from any to any established in via vr0
    01400 2879 346276 deny log logamount 10 ip from any to any in via vr0
    01450 0 0 deny log logamount 10 ip from any to any out via vr0
    01800 8049 1944267 divert 8668 ip from any to any out via vr0
    01801 14676 5695755 allow ip from any to any
    01999 0 0 deny log logamount 10 ip from any to any
    65535 758 727615 deny ip from any to any

    please enlighten me why the "almost" standard firewall from the handbook ...
    ain't working properly .... !? look ... the check-state ain't matching any
    packets ... and mostly ... packets skip the rule 1999 ... why?! i've seen
    the "kernel: oups" too many times .... don't tell me i've got a third
    network card cause it ain't so!

    another thing ... if i insert pipes for traffic shaping ... the outgoing
    packets are inserted into the input pipes ... but not into the outgoing
    pipes .... why ?

    i am missing somethin' .... what ?

    kernel compiled with these additional options ....
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    options IPFIREWALL_FORWARD
    options DUMMYNET
    options HZ=1000
    options IPDIVERT
    enlightenment please ....

    thanks ...
    bye bye
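A small audit script for an "ipfw show" listing like the one in the post, added here as an example (it is not code from the post or from FreeBSD). It parses the number/packets/bytes/body columns, finds the check-state and keep-state rules, and reports which rules never matched; the sample input is a trimmed copy of the poster's listing embedded inline.

```python
import re
from dataclasses import dataclass

# Constructed sample input: part of the listing from the post, with the mail
# client's "<http://...>" artifacts removed and wrapped lines rejoined.
IPFW_SHOW = """\
01000 8042 1947866 allow ip from any to any via fxp0
01014 9886 4170269 divert 8668 ip from any to any in via vr0
01015 0 0 check-state
01130 14679 5695969 skipto 1800 ip from any to any out via vr0 keep-state
01400 2879 346276 deny log logamount 10 ip from any to any in via vr0
01800 8049 1944267 divert 8668 ip from any to any out via vr0
01999 0 0 deny log logamount 10 ip from any to any
65535 758 727615 deny ip from any to any
"""

# "ipfw show" prints: rule number, packet count, byte count, rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    body: str

def parse_ipfw_show(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def stateful_audit(rules: list[Rule]) -> dict:
    check = next((r for r in rules if r.body == "check-state"), None)
    keep = [r for r in rules if "keep-state" in r.body]
    # Dynamic rules are consulted at the first check-state or keep-state rule
    # in the list, so a keep-state rule placed before check-state starves it.
    keep_after = bool(check and keep and all(r.number > check.number for r in keep))
    # Inbound rules ahead of check-state see reply packets before state is consulted.
    inbound_before = [r.number for r in rules
                      if check and r.number < check.number and " in via " in r.body]
    return {
        "check_state_rule": check.number if check else None,
        "check_state_packets": check.packets if check else None,
        "keep_state_rules": [r.number for r in keep],
        "keep_state_after_check": keep_after,
        "inbound_rules_before_check": inbound_before,
        "never_matched": [r.number for r in rules if r.packets == 0],
    }
```

Run it against the full output of `ipfw show` on the box to see the same report for the complete ruleset.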

