[ previous ] [ next ] [ threads ]
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Delete/disable certain ipfw rules?
 Date:  Tue, 17 Aug 2004 13:12:49 -0700 (PDT)
On Tue, 17 Aug 2004, Frederick Page wrote:

> the following rules (ipfstat -hnio) do only harm here (block wanted
> traffic and even own outgoing packets):
> 1395 @14 skip 1 in proto tcp from any to any flags S/FSRA
>   79 @15 block in log quick proto tcp from any to any
> 1040 @16 block in log quick on sis0 from any to any head 100
> Is there a way to disable/delete them? I tried "ipfw set disable 16"
> but only got error "setsockopt (IP_FW_DEL) protocol not available".

A little knowledge can be a dangerous thing. :-)

Rule 14 doesn't block anything.  It's *skipping over* rule 15 in order to
allow TCP initial SYN packets to reach further filter processing.  The
counter tells you how many TCP connections have been initiated.

Rule 15 ostensibly blocks all TCP, but since initial SYNs skip over it,
and packets for established connections are supposed to get passed by the
stateful filter before reaching *any* rules, it's not supposed to block
anything legitimate at all.  However, due to IPFilter bugs, sometimes
legitimate TCP packets don't get passed by the stateful filter, and that's
where they land.  You can't tell a priori whether the count represents
attempted attacks or filter glitches, but it usually tends to be the
latter.  BTW, not all glitches have any operational impact.

Rule 16 heads a group, and is only actually applied if none of the rules
within the group match.  M0n0wall uses group 100 for the LAN, so the
counter represents LAN-originated traffic that you have *not* allowed in
your WebGUI rules.  The rules you configure under "LAN" show up as "group
100" here.

					Fred Wright