IPFW: trying to understand how dynamic rules work

This is a test bench. Here are my rules on the router:
Code:
00005   0     0 allow ip from any to any via rl0
00010  68 13624 allow ip from any to any via lo0
00101   0     0 check-state :default
00119 357 29096 allow tcp from any to 172.22.5.171 4322 in via age0 keep-state :default
00120  11   872 allow tcp from 172.22.5.171 4322 to any out via age0 keep-state :default
00130   6   567 allow ip from 172.22.5.171 to 8.8.8.8 53 out via age0 keep-state :default
00131   0     0 allow ip from 8.8.8.8 53 to 172.22.5.171 in via age0 keep-state :default
00250   0     0 allow icmp from any to any out via age0 keep-state :default
00250   0     0 allow icmp from any to any in via age0 keep-state :default
00300   0     0 allow tcp from 172.22.5.171 to any 80 out via age0 keep-state :default
00310   0     0 allow tcp from any 80 to 172.22.5.171 in via age0 keep-state :default
00400   0     0 allow tcp from 172.22.5.171 to any 443 out via age0 keep-state :default
00410   0     0 allow tcp from any 443 to 172.22.5.171 in via age0 keep-state :default
01001  68  6653 deny ip from any to any
65535   0     0 deny ip from any to any
## Dynamic rules (1 136):
00119 184 14672 (1s) STATE tcp 172.22.0.127 53748 <-> 172.22.5.171 4322 :default

172.22.5.171 is the router's WAN IP
4322 is the SSH port


I have a few questions, but first: as I understand it, rule 119 is created when I connect to the router via ssh and then all packets for that connection go through this rule. Why, then, are there a number of packets that have gone through rule 120?
Rule 120 allows any outgoing connection to initiate from 172.22.5.171 that happens to use 4322 as a source port (source ports are picked randomly). This has nothing to do with replies from established connections, those are covered by the dynamic rule. It's all about which side initiates the connection.

You need to learn about the TCP "three-way" handshake and how a connection is initiated. Because that's where your confusion lies.
But if sshd listens on 4322, no one else can use that port to initiate a connection, right?

Or do you mean that the connection is established only after
1) the server receives the SYN (rule 119)
2) the server sends SYN+ACK (rule 120)
3) the server receives the ACK (rule 119 again)

So rule 120 is needed to establish the connection?
 
For TCP dynamic states use "setup keep-state"
For ICMP and UDP dynamic states use "keep-state"

and read ipfw(8) (STATEFUL FIREWALL)

So without the "setup" option you are not matching the tcpflags for SYN; that's why they match your next rule 120.
Also, instead of filtering every possible outgoing connection you can use something like this (adjust the rule numbers according to your rule set):
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default


setup   Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of "tcpflags syn,!ack".

keep-state [:flowname]
        Upon a match, the firewall will create a dynamic rule, whose default behaviour is to match bidirectional traffic between source and destination IP/port using the same protocol. The rule has a limited lifetime (controlled by a set of sysctl(8) variables), and the lifetime is refreshed every time a matching packet is found. The :flowname is used to assign additional to addresses, ports and protocol parameter to dynamic rule. It can be used for more accurate matching by check-state rule. The :default keyword is special name used for compatibility with old rulesets.
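To make the two answers concrete, here is the handshake from the second post and the "packets after the state expired" case from the third run through a toy model of ipfw rule evaluation. This is an added example, not ipfw code and not anything posted in the thread. It models only rule order, check-state, keep-state, setup, established and the packet counters that `ipfw -d show` prints; it ignores `via` and protocol matching, assumes a check-state rule precedes the keep-state rules (as in the listing above), and treats "me" as the router's WAN address. The addresses and ports are the ones from the listing (the client 172.22.0.127 comes from the dynamic rule shown there); the ssh traffic itself is constructed, and `thread_ruleset`, `setup_ruleset` and `simulate` are names the example introduces.

```python
from dataclasses import dataclass
from typing import Optional

ROUTER = "172.22.5.171"   # the router's WAN address ("me" in ipfw terms)
CLIENT = "172.22.0.127"   # the ssh client shown in the dynamic rule

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "in" or "out"; "via age0" is implied
    flags: frozenset   # subset of {"syn", "ack", "fin", "rst"}

@dataclass
class Rule:
    number: int
    action: str = "allow"         # "allow", "deny" or "check-state"
    src: str = "any"              # "any", "me" or an address
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False           # short for tcpflags syn,!ack
    established: bool = False     # ack or rst set
    keep_state: bool = False
    packets: int = 0              # the counter `ipfw show` prints

    @staticmethod
    def _addr_ok(want: str, have: str) -> bool:
        return want == "any" or have == (ROUTER if want == "me" else want)

    def matches(self, p: Packet) -> bool:
        return (self._addr_ok(self.src, p.src) and self._addr_ok(self.dst, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and self.direction in (None, p.direction)
                and (not self.setup or ("syn" in p.flags and "ack" not in p.flags))
                and (not self.established or bool(p.flags & {"ack", "rst"})))

class Firewall:
    """Walks the rules in order; assumes check-state comes before any keep-state rule."""
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}      # bidirectional flow key -> parent rule number
        self.dyn_packets = 0   # packets matched by a dynamic rule

    @staticmethod
    def flow_key(p: Packet):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                parent = self.dynamic.get(self.flow_key(p))
                if parent is not None:
                    self.dyn_packets += 1
                    return f"dynamic({parent})"   # parent's action, here allow
                continue
            if not r.matches(p):
                continue
            r.packets += 1
            if r.keep_state:
                self.dynamic[self.flow_key(p)] = r.number
            return f"{r.action}({r.number})"
        return "deny(65535)"   # the implicit default rule

def thread_ruleset():
    """Rules 101, 119, 120 and 1001 as posted: keep-state without setup."""
    return [Rule(101, "check-state"),
            Rule(119, dst=ROUTER, dport=4322, direction="in", keep_state=True),
            Rule(120, src=ROUTER, sport=4322, direction="out", keep_state=True),
            Rule(1001, "deny")]

def setup_ruleset():
    """Rule 119 with setup, plus the established / setup pair from the last reply."""
    return [Rule(101, "check-state"),
            Rule(119, dst=ROUTER, dport=4322, direction="in", setup=True, keep_state=True),
            Rule(1200, src="me", established=True),
            Rule(1300, src="me", setup=True, keep_state=True)]

def simulate(rules):
    """Runs a constructed ssh session through the rules: handshake, one data
    segment, the dynamic rule's lifetime running out after the connection
    closed, then two stray packets. Returns per-packet verdicts and counters."""
    fw = Firewall(rules)
    def c2s(*flags): return Packet(CLIENT, 53748, ROUTER, 4322, "in", frozenset(flags))
    def s2c(*flags): return Packet(ROUTER, 4322, CLIENT, 53748, "out", frozenset(flags))
    verdicts = {"client SYN": fw.process(c2s("syn")),
                "server SYN-ACK": fw.process(s2c("syn", "ack")),
                "client ACK": fw.process(c2s("ack")),
                "server data": fw.process(s2c("ack"))}
    fw.dynamic.clear()                      # dynamic rule's lifetime ran out
    verdicts["late server ACK"] = fw.process(s2c("ack"))
    fw.dynamic.clear()
    verdicts["unsolicited client ACK"] = fw.process(c2s("ack"))
    counters = {**{r.number: r.packets for r in rules}, "dynamic": fw.dyn_packets}
    return verdicts, counters
```

With the rules as posted, only the client's SYN is counted by static rule 119; the SYN-ACK, the client's ACK and the data all hit the dynamic rule, so rule 120 plays no part in setting up the connection. Rule 120 gets its packets later: once the dynamic rule has expired, a late segment from the server's port 4322 finds no state, matches 120 and installs a fresh state, and an unsolicited inbound ACK likewise matches 119 without ever being a SYN. With `setup` on the keep-state rules, the tail of the old connection is passed by the `established` rule and the unsolicited inbound ACK falls through to the deny, which is the behaviour a stateful ruleset is meant to give.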