IPFW table blocks IP not in table

gariac

Member


Digital Ocean droplet:
Code:
# uname -a
FreeBSD theranch 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oct 24 18:49:24 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
I have two ipfw tables. Both are created with scripts in the same manner. Here are a few lines for example:
Code:
service nginx stop
ipfw table 1 flush
#cambridge
ipfw table 1 add  128.232.110.28
#caylx socalled edu
ipfw table 1 add  162.247.72.0/24
ipfw table 1 add  162.247.73.0/24
ipfw table 1 add  162.247.74.0/24
Within rc.firewall, I have rules such as:
Code:
${fwcmd} add  553 deny log all  from 'table(1)' to any dst-port  143
My problem is the firewall occasionally blocks me even though my IP is not in the table.

For example, I am occasionally assigned an IP of the format 208.xxx.xxx.xxx. Dumping the appropriate table, created with ipfw table 1 list:
Code:
207.244.64.0/18 0
207.244.144.0/20 0
207.250.234.100/32 0
207.254.208.0/20 0
209.11.0.0/16 0
209.15.0.0/20 0
209.15.16.0/23 0
209.15.18.0/23 0
209.15.20.0/22 0
The ipfw table seems to be sequential, but I ran it through a sort just to be sure.

I see no reason to be blocked. That said, is there some simple way to test a particular IP address against an ipfw table to see what entry is causing the block.

I'm starting to think this is a bug, but more likely due to virtualization rather than FreeBSD, but I need to be sure it isn't pilot error.

gariac

Member


OK, I'm onto something here. I had an entry:
Code:
ipfw -q table 1 add 209.133.124.0/
that should be
Code:
ipfw -q table 1 add 209.133.124.0/24
Thus it was pilot error. If anyone is curious how I found this, I took the shell script and did a binary search of sorts. Basically I cut the list in half each time until I had such a small list that I could eyeball it.

I don't know if this qualifies as a bug, but basically the behavior of the command is somewhat undefined if the CIDR isn't terminated with a number.
So is there an appropriate XKCD comic?
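An added example, not part of this thread: an offline Python check that answers the earlier question (which table entry covers a given address) by reading the `ipfw table N add` lines of a script like the one above, and that also flags entries such as the trailing-slash one found here, so a binary search by hand is not needed. The script text is constructed for the example.

```python
import re
import ipaddress

# Constructed sample modelled on the thread's script, including the
# trailing-slash entry that turned out to be the cause.
SAMPLE_SCRIPT = """\
service nginx stop
ipfw table 1 flush
#cambridge
ipfw table 1 add  128.232.110.28
#caylx socalled edu
ipfw table 1 add  162.247.72.0/24
ipfw -q table 1 add 209.133.124.0/
ipfw table 1 add  209.15.16.0/23
"""

ADD_RE = re.compile(r"^\s*ipfw\s+(?:-q\s+)?table\s+(\d+)\s+add\s+(\S+)")

def parse_add_script(text, table=1):
    """Collect the prefixes added to `table`; return (prefixes, malformed).

    malformed holds (line_number, argument) for entries that are not a
    valid address or CIDR, e.g. a slash with no length after it.
    """
    prefixes, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ADD_RE.match(line)
        if not m or int(m.group(1)) != table:
            continue
        arg = m.group(2)
        try:
            # strict=False accepts host bits set in the address part
            prefixes.append(ipaddress.ip_network(arg, strict=False))
        except ValueError:
            malformed.append((lineno, arg))
    return prefixes, malformed

def lookup(ip, prefixes):
    """Return every table entry covering ip, longest prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = sorted((p for p in prefixes if addr in p),
                  key=lambda p: p.prefixlen, reverse=True)
    return [str(p) for p in hits]

if __name__ == "__main__":
    prefixes, bad = parse_add_script(SAMPLE_SCRIPT, table=1)
    for lineno, arg in bad:
        print(f"line {lineno}: malformed entry {arg!r}")
    for ip in ("162.247.72.9", "208.1.2.3"):
        print(ip, "->", lookup(ip, prefixes) or "no match")
```

Run it against your real script (read the file into `parse_add_script`) and fix any line it reports as malformed before loading the table; a malformed entry is the first thing to look for when an address outside the table is still being matched.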

SirDice

Administrator

So is there an appropriate XKCD comic?
I do have some acronyms that come to mind. PEBKAC (Problem Exists Between Keyboard And Chair); PICNIC (Problem In Chair, Not In Computer) :D

Sorry, it's Friday afternoon, almost beer o'clock ;)