ipfw stateful ruleset problem

From: Gerard Meijer (gmeijer_at_palmweb.nl)
Date: 01/29/05

    To: <freebsd-questions@freebsd.org>
    Date: Sat, 29 Jan 2005 17:39:53 +0100

    Hi everyone,

    I have a question regarding my stateful ipfw ruleset. I have the following rules:

    ---begin---
    $cmd 00015 check-state

    #www
    $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

    #mail
    $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

    #ftp
    $cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state

    # Allow in standard www function because I have apache server
    $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

    # Allow in FTP
    $cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2

    # Allow in mail
    $cmd 00420 allow tcp from any to me 110 in via $pif
    ---end---
    (there are a lot more rules, but these are the ones that it's about)

    The problem that I'm having is that I can't check mail, and can't FTP and see a lot of:

    ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0

    messages in my logfile.

    When I try to check mail I see in my log:

    ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0

    What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore, so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?

    I can solve all this by putting in the rule:

    # $cmd 00020 allow tcp from any to any established

    But I learned that this is not the right way to do it in a stateful ruleset, because the dynamic rules don't have any use that way. So what is the right way to solve this?

    Thanks a lot in advance!
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
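To see what check-state actually does with the rules quoted above, the following Python script is a small model of ipfw's stateful lookup, written for this page; it is not ipfw's code and not part of the original post. It models the documented behaviour that keep-state and limit record the full protocol/address/port 5-tuple of the packet that matched, that check-state matches packets in either direction against that table, and that a rule with no keep-state or limit (rule 00420 above) creates no entry at all. The server address (192.0.2.10), the client address (198.51.100.7), the ephemeral ports, and the text of rule 299 (modelled as "deny tcp from any to any out via $pif", since the post only shows its log output) are all assumptions; dynamic-rule timeouts and sequence tracking are deliberately left out.

```python
"""Toy model of ipfw stateful rule matching, used to trace the posted ruleset.

Added example; this is not ipfw's code. Addresses, ephemeral ports and the text
of rule 299 are assumptions, marked where they appear.
"""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"        # assumed server address ([my-server-ip] in the log)
PIF = "em0"              # interface named in the logged denials


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out"
    setup: bool          # True for a bare SYN, which ipfw's "setup" keyword matches
    iface: str = PIF
    proto: str = "tcp"


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "check-state"
    dport: Optional[int] = None       # destination port, None = any
    dst: str = "any"                  # "any" or "me"
    direction: Optional[str] = None   # "in", "out" or None = either
    setup: bool = False               # rule carries the "setup" keyword
    state: Optional[str] = None       # None, "keep-state" or "limit"
    limit: int = 0                    # N in "limit src-addr N"


def flow_key(p: Packet):
    """Dynamic entries are keyed on the 5-tuple; normalise so both directions hit the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def static_match(r: Rule, p: Packet) -> bool:
    """Match a packet against the static part of a rule (proto is tcp throughout)."""
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.dst == "me" and p.dst != ME:
        return False
    if r.direction is not None and p.direction != r.direction:
        return False
    if r.setup and not p.setup:
        return False
    return True


def evaluate(rules, p: Packet, dyn: dict):
    """Walk the ruleset once, ipfw-style.

    dyn maps flow key -> number of the rule that created the dynamic entry.
    Returns (action, rule number) for the first rule that decides the packet.
    """
    for r in rules:
        if r.action == "check-state":
            key = flow_key(p)
            if key in dyn:
                return ("allow", dyn[key])   # ipfw credits the parent rule of the entry
            continue
        if not static_match(r, p):
            continue
        if r.state == "limit":
            # entries this rule already holds that involve the packet's source address
            open_conns = sum(1 for k, parent in dyn.items()
                             if parent == r.number and p.src in (k[1], k[3]))
            if open_conns >= r.limit:
                return ("deny", r.number)    # ipfw drops the packet once the limit is reached
        if r.state in ("keep-state", "limit"):
            dyn[flow_key(p)] = r.number      # only stateful rules populate the table
        return (r.action, r.number)
    return ("deny", 65535)                   # default rule, assuming a default-deny kernel


# The rules from the post. Rule 299 is not shown there; it is modelled as
# "deny tcp from any to any out via $pif", an assumption consistent with the logged denials.
RULES = [
    Rule(15, "check-state"),
    Rule(200, "allow", dport=80, direction="out", setup=True, state="keep-state"),
    Rule(231, "allow", dport=110, direction="out", setup=True, state="keep-state"),
    Rule(283, "allow", dport=21, direction="out", setup=True, state="keep-state"),
    Rule(299, "deny", direction="out"),
    Rule(400, "allow", dport=80, dst="me", direction="in", setup=True, state="limit", limit=2),
    Rule(410, "allow", dport=21, dst="me", direction="in", setup=True, state="limit", limit=2),
    Rule(420, "allow", dport=110, dst="me", direction="in"),
]


def trace(rules, packets):
    """Run a constructed packet sequence through a fresh state table; return the verdicts."""
    dyn = {}
    return [evaluate(rules, p, dyn) for p in packets]


CLIENT = "198.51.100.7"   # constructed client address ([my-home-pc-ip])

# Constructed traffic: the first two packets of an HTTP connection to apache, then of a POP3 one.
HTTP = [
    Packet(CLIENT, 51234, ME, 80, "in", setup=True),    # SYN from the client
    Packet(ME, 80, CLIENT, 51234, "out", setup=False),  # SYN-ACK back to the ephemeral port
]
POP3 = [
    Packet(CLIENT, 51235, ME, 110, "in", setup=True),   # SYN from the client
    Packet(ME, 110, CLIENT, 51235, "out", setup=False), # reply from the mail server
]

if __name__ == "__main__":
    for name, pkts in (("http", HTTP), ("pop3", POP3)):
        for p, (action, num) in zip(pkts, trace(RULES, pkts)):
            print(f"{name}: {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.direction}: {action} by rule {num}")
```

Run as-is, the HTTP reply is allowed by check-state on the strength of the entry rule 400 created (the client's ephemeral port is part of that entry, so no port "switch" breaks the match), while the POP3 reply from port 110 falls through to rule 299 exactly as in the logged denial, because rule 420 never created an entry. A third SYN from the same client to port 80 is dropped at rule 400 once the two-connection limit is reached.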
