IPFW ipfw blocks responses after FreeBSD upgrade

Hello

Since I upgraded my FreeBSD from 12.0 to 13.2, I have had problems with ipfw.
For example, if I send an HTTP request from my laptop (192.168.11.7) to the printer (10.50.0.22), ipfw blocks the response from the printer:
Code:
Oct  5 10:34:08 mail kernel: ipfw: 2199 Deny TCP 10.50.0.22 192.168.11.7 in via em1 (frag 30657:18@1400)

This happens although the keep-state option is used. These are my ipfw rules:
Code:
1001 check-state
2001 allow all from 192.168.11.7 to any keep-state
2199 deny log all from any to 192.168.10.0/23

Could you please help me with this problem?
 
My guess is that the traffic is fragmented and doesn't match the dynamic rule at 1001. Check the MTU of both interfaces and investigate why the fragmentation is happening, or reassemble the fragments before passing them into the filtering.

Also, it's better to set keep-state per protocol, like this:

Code:
allow tcp from me to any setup keep-state
allow udp from me to any keep-state
allow icmp from me to any keep-state
allow ipv6-icmp from me to any keep-state

Example for reass:
Code:
ipfw add reass all from 10.50.0.22 to me in
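As an added example (not part of VladiBG's post and not FreeBSD project code), here is a small Python parser for ipfw log lines that shows why the rule above matters: a non-first fragment is logged without ports because it carries no TCP/UDP header, so there is no port pair to look up in the dynamic (keep-state) table and the packet falls through to the static deny. The first sample line is the one from the original post; the other two are constructed to show a first fragment and an unfragmented packet. The log format assumed is the one visible in the post (ports appear as `host:port` only when ipfw saw an L4 header, and `(frag id:len@offset+)` marks a fragment with `+` meaning more fragments follow).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format as seen in the thread:
#   ipfw: 2199 Deny TCP 10.50.0.22 192.168.11.7 in via em1 (frag 30657:18@1400)
# Ports are present only when ipfw had an L4 header to read; the frag suffix
# is "id:length@offset" with a trailing "+" when more fragments follow.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<fid>\d+):(?P<flen>\d+)@(?P<foff>\d+)(?P<more>\+?)\))?"
)


@dataclass
class IpfwLogEntry:
    rule: int
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    direction: str
    iface: str
    frag_id: Optional[int]
    frag_offset: Optional[int]
    more_fragments: bool

    @property
    def is_fragment(self) -> bool:
        return self.frag_id is not None

    @property
    def has_l4_header(self) -> bool:
        # Only a whole datagram or the fragment at offset 0 carries the TCP/UDP header.
        return not self.is_fragment or self.frag_offset == 0


def parse_ipfw_log(line: str) -> Optional[IpfwLogEntry]:
    """Parse one syslog line containing an ipfw log record; None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    opt_int = lambda v: int(v) if v is not None else None
    return IpfwLogEntry(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"],
        src=m["src"], dst=m["dst"],
        sport=opt_int(m["sport"]), dport=opt_int(m["dport"]),
        direction=m["dir"], iface=m["iface"],
        frag_id=opt_int(m["fid"]), frag_offset=opt_int(m["foff"]),
        more_fragments=(m["more"] == "+"),
    )


def diagnose(entry: IpfwLogEntry) -> str:
    """Explain whether a keep-state/check-state match was even possible for this packet."""
    if not entry.is_fragment:
        return "not a fragment: state lookup possible, check the static rules"
    if entry.has_l4_header:
        return "first fragment (offset 0): ports present, state lookup possible"
    return (f"non-first fragment at offset {entry.frag_offset}: no TCP/UDP header, "
            "so no port pair for the dynamic rule table; reassemble (reass) before check-state")


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (rule number, diagnosis) for every ipfw log record found in the lines."""
    out = []
    for line in lines:
        e = parse_ipfw_log(line)
        if e is not None:
            out.append((e.rule, diagnose(e)))
    return out


# First line is from the original post; the other two are constructed samples.
SAMPLE_LOG = [
    "Oct  5 10:34:08 mail kernel: ipfw: 2199 Deny TCP 10.50.0.22 192.168.11.7 in via em1 (frag 30657:18@1400)",
    "Oct  5 10:34:08 mail kernel: ipfw: 2001 Accept TCP 10.50.0.22:80 192.168.11.7:51234 in via em1 (frag 30657:1400@0+)",
    "Oct  5 10:34:09 mail kernel: ipfw: 2199 Deny TCP 10.50.0.22:80 192.168.11.7:51235 in via em1",
]

if __name__ == "__main__":
    for rule, why in triage(SAMPLE_LOG):
        print(f"rule {rule}: {why}")
```

The deny at rule 2199 in the post is the last fragment (offset 1400, no trailing `+`) of IP ID 30657; the constructed accept line shows the first fragment of the same datagram, which still has its ports and so can match the dynamic rule created by rule 2001. Putting `reass` before `check-state` lets ipfw hand a whole datagram to the state lookup instead of the bare tail fragment.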
 
@VladiBG
Thank you for the tip. I'm going to figure out what is going on with fragmentation and I'll be back with a response later.
 
VladiBG

I figured out where the problem was. The FreeBSD machine is connected to a Next Generation Firewall, where the option "honoring the 'do not fragment'" was disabled.
I enabled it and now packets are not fragmented.
So it wasn't the fault of FreeBSD.

Thank you for helping me sort it out.
 