iptables to ipfw
October 17th, 2010, 04:00
Please could anyone tell me how I can pass this syntax for iptables to ipfw.
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name thor --rdest -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m state --state ESTABLISHED -m recent --name thor --rcheck --rsource --seconds 1 -j DROP
October 17th, 2010, 21:22
ipfw does not have the 'recent' module, but you might be able to whip something similar together. For starters, check the ipfw manpages, under the RULE OPTIONS section. You can match on tcpflags rst.
What's the purpose of your ruleset in plain English? How I read it is:
allow outbound traffic to tcp 80, and capture the destination IP (for later processing)
if that same destination IP tries to send in (to your host) more than one tcp RST packet per second, drop it
If that's correct, may I ask why you are doing this?
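As an added illustration (not code from the thread) of what those two iptables rules do, here is a small Python simulation of the 'recent' list: the packet records and addresses are constructed, the "state" field stands in for conntrack's classification, and the names tcp, filter_packets and verdicts are hypothetical helpers.

```python
# Added example, not from the thread: simulates what the two iptables rules do.
# Rule 1: outbound NEW tcp dport 80 -> record destination (--set --rdest), ACCEPT.
# Rule 2: inbound tcp RST, ESTABLISHED -> DROP if the source was recorded within
#         the last second (--rcheck --rsource --seconds 1); else fall through.
from dataclasses import dataclass, field

@dataclass
class RecentTable:
    """Emulates the iptables 'recent' list named 'thor': addr -> last-seen time."""
    seconds: float = 1.0
    seen: dict = field(default_factory=dict)

    def set(self, addr, now):
        self.seen[addr] = now  # --set adds or refreshes the timestamp

    def rcheck(self, addr, now):
        # --rcheck only tests recency; it does not refresh the entry
        last = self.seen.get(addr)
        return last is not None and now - last <= self.seconds

def filter_packets(packets, window=1.0):
    """Return (packet, verdict) pairs; 'state' mirrors conntrack, default policy ACCEPT."""
    thor = RecentTable(seconds=window)
    out = []
    for p in packets:
        if (p["dir"] == "out" and p["proto"] == "tcp" and p["dport"] == 80
                and p["state"] == "NEW"):
            thor.set(p["dst"], p["t"])  # --rdest: key on destination address
            out.append((p, "ACCEPT"))
        elif (p["dir"] == "in" and p["proto"] == "tcp" and "RST" in p["flags"]
                and p["state"] == "ESTABLISHED" and thor.rcheck(p["src"], p["t"])):
            out.append((p, "DROP"))  # --rsource: key on source address
        else:
            out.append((p, "ACCEPT"))
    return out

def tcp(t, direction, src, dst, dport, flags, state):
    """Build a constructed packet record (hypothetical helper for the simulation)."""
    return {"t": t, "dir": direction, "proto": "tcp", "src": src, "dst": dst,
            "dport": dport, "flags": set(flags), "state": state}

# Constructed sample: SYN to a web server, RST back 0.2 s later (dropped),
# another RST from the same host 3 s later (outside the window, accepted).
SAMPLE = [
    tcp(0.0, "out", "10.0.0.2", "198.51.100.7", 80, ["SYN"], "NEW"),
    tcp(0.2, "in", "198.51.100.7", "10.0.0.2", 51000, ["RST"], "ESTABLISHED"),
    tcp(3.0, "in", "198.51.100.7", "10.0.0.2", 51000, ["RST"], "ESTABLISHED"),
]

def verdicts(packets=SAMPLE):
    return [v for _, v in filter_packets(packets)]
```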
October 17th, 2010, 23:29
I am having a problem with the web server. Web pages do not load, or load without style sheets. Apparently the problem is due to a malfunction of your transparent proxy. A group of Linux users have found that ignoring the [RST] received just after sending SYN solved the problem, so they created these two iptables rules.
I've been reading the manual that you mentioned, but I have no knowledge about it and don't know how I could adapt these rules to the syntax of ipfw.
Sorry for my English
October 18th, 2010, 00:14
@dot357, that sounds like a very unpleasant kludge. It seems like it would be better to establish cause and effect, and solve the problem at the web server (or proxy?) level. What transparent proxy are you using?
October 18th, 2010, 00:45
I totally agree with you, but the problem is that the transparent proxy belongs to my ISP and apparently they did not know how to solve the problem. I prefer to think it is ignorance rather than to think that they do not solve the problem because it only affects a tiny fraction of customers.
October 18th, 2010, 00:51
I have added this rule to ipfw:
deny tcp from any to me in tcpflags rst
But I do not know if this rule does exactly what I've posted.
I'll try this.