IPFW ipfw auto deny tcp

kilo


Hello all friends,

I have set up ipfw on FreeBSD 10.0-RELEASE with these rules:
Code:
00001 allow ip from any to any via lo0
00002 check-state
00005 allow ip from any to any via lagg0
00006 deny ip from table(1) to any in
00009 netgraph 100 tcp from any to any tcpflags syn via lagg1
00010 allow tcp from table(2) to any dst-port 53714 in via lagg1 setup keep-state
00015 allow icmp from XXXXXXXXXXXX to any in via lagg1
00016 allow icmp from YYYYYYYYYYYYY  to any in via lagg1
00020 allow tcp from me to any out via lagg1 setup uid root keep-state
00020 allow icmp from me to any out via lagg1 setup uid root keep-state
00100 allow tcp from any to any dst-port 80 in via lagg1 setup keep-state
00101 allow tcp from any to any dst-port 443 in via lagg1 setup keep-state
00102 allow tcp from any to any dst-port 80 out via lagg1 setup keep-state
00103 allow tcp from any to any dst-port 443 out via lagg1 setup keep-state
00200 deny log ip from any to any in via lagg0
00201 deny log ip from any to any
65535 deny ip from any to any

I don't know why some deny log entries appear. Example:
Code:
Jan  1 22:13:54 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 A.A.A.A:33938 out via lagg1
Jan  1 22:13:54 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 B.B.B.B:18536 out via lagg1
Jan  1 22:13:56 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 D.D.D.D:60024 out via lagg1
Jan  1 22:13:56 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 Q.Q.Q.Q:52336 out via lagg1
Jan  1 22:13:56 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 H.H.H.H:27774 out via lagg1
Jan  1 22:13:57 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 A.A.A.A:33938 out via lagg1
Jan  1 22:13:57 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 D.D.D.D:61732 out via lagg1
Jan  1 22:13:58 frontend302 kernel: ipfw: 201 Deny TCP C.C.C.C:42002        111.111.111.112:81 in via lagg1
Jan  1 22:13:59 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443  Q.Q.Q.Q:26656 out via lagg1
Jan  1 22:14:01 frontend302 kernel: ipfw: 201 Deny TCP 176.119.4.18:49900   111.111.111.111:7277 in via lagg1
Jan  1 22:14:01 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 B.B.B.B:54268 out via lagg1
Jan  1 22:14:02 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 D.D.D.D:50688 out via lagg1
Jan  1 22:14:03 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 A.A.A.A:33938 out via lagg1
Jan  1 22:14:03 frontend302 kernel: ipfw: 201 Deny TCP Q.Q.Q.Q:60000        111.111.111.111:9833 in via lagg1
Jan  1 22:14:03 frontend302 kernel: ipfw: 201 Deny TCP 111.111.111.111:443 Q.Q.Q.Q:29930 out via lagg1
I know rule "00201 deny log ip from any to any" is going to deny packets. But I really don't know how rule 201 denies them and why these logs appear. Please help me.

Thanks
 

johnblue


I am not an ipfw user but I know that it operates on a "first match wins" methodology. Based upon that observation, it would make sense that rule 201 is snagging that traffic because nothing preceding 201 was matched.

A deny "any/any" is quite a club to be swinging there, so it looks like you need to get a bit more granular with your allow statements.
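The deny lines in the first post can be sorted mechanically by direction and by the ports they touch, which tells you which earlier rule should have matched and did not. The script below is an added example for this thread, not code from either poster; the log lines embedded in it are constructed in the same syslog format as the post, with the masked addresses replaced by RFC 5737 documentation addresses (198.51.100.x for the server, 203.0.113.x for clients). It makes two things visible. Every outbound deny is sourced from port 443 of the server itself; no static rule in the posted set allows such a packet, so the only thing that could have passed it is a dynamic rule created by `keep-state`, and `check-state` at 00002 found none for those flows. ipfw deletes a dynamic rule `net.inet.ip.fw.dyn_fin_lifetime` seconds (1 by default) after it sees a FIN on the connection, and it never creates one if the SYN does not reach the `keep-state` rule at all. On that last point, rule 00009 diverts every SYN on lagg1 to netgraph before rules 00100/00101 are consulted, and ipfw(8) says the rule search terminates there; a packet returned from netgraph is then accepted outright when `net.inet.ip.fw.one_pass` is 1 (the default). Whether the states exist at all is something `ipfw -d show` will tell you. The second thing is that one flow (to A.A.A.A:33938) is denied three times at 3 s and then 6 s spacing, which is consistent with TCP retransmission backoff rather than a scan. The inbound denies to ports 81, 7277 and 9833 are connection attempts to ports no allow rule opens; dropping them is exactly what 201 is for.

```python
"""Sort ipfw 'deny log' kernel messages by why the catch-all rule matched.

Added example for the thread above, not code from the original post.
"""
import re
from collections import Counter

# Constructed sample in the syslog format shown in the post.  The masked
# addresses are replaced by RFC 5737 documentation addresses (assumption):
# 198.51.100.10/11 stand for the server's own addresses, 203.0.113.x for clients.
SAMPLE_LOG = """\
Jan  1 22:13:54 frontend302 kernel: ipfw: 201 Deny TCP 198.51.100.10:443 203.0.113.1:33938 out via lagg1
Jan  1 22:13:54 frontend302 kernel: ipfw: 201 Deny TCP 198.51.100.10:443 203.0.113.2:18536 out via lagg1
Jan  1 22:13:57 frontend302 kernel: ipfw: 201 Deny TCP 198.51.100.10:443 203.0.113.1:33938 out via lagg1
Jan  1 22:13:58 frontend302 kernel: ipfw: 201 Deny TCP 203.0.113.3:42002        198.51.100.11:81 in via lagg1
Jan  1 22:14:01 frontend302 kernel: ipfw: 201 Deny TCP 203.0.113.4:49900   198.51.100.10:7277 in via lagg1
Jan  1 22:14:03 frontend302 kernel: ipfw: 201 Deny TCP 198.51.100.10:443 203.0.113.1:33938 out via lagg1
Jan  1 22:14:05 frontend302 kernel: ipfw: 201 Deny ICMP:8.0 203.0.113.5 198.51.100.10 in via lagg1
"""

# ipfw logs "ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <ifname>".
# TCP/UDP carry ports; ICMP is logged as ICMP:<type>.<code> with bare addresses.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? +"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<ifname>\S+)"
)

# Ports that rules 00100/00101 in the post open for inbound connections on lagg1.
SERVICE_PORTS = frozenset({80, 443})


def parse_ipfw_log(line):
    """Return the fields of one ipfw log message as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    for key in ("sport", "dport"):
        entry[key] = int(entry[key]) if entry[key] is not None else None
    return entry


def classify(entry, service_ports=SERVICE_PORTS):
    """Name the kind of packet that fell through to the catch-all."""
    if entry["sport"] is None:
        return "non-tcp-udp"  # ICMP etc.: only rules 15/16/20 could pass these
    if entry["dir"] == "out" and entry["sport"] in service_ports:
        # The server itself answering a client.  No static rule in the post allows
        # this, so the only way out was a dynamic rule; check-state found none.
        return "reply-without-state"
    if entry["dir"] == "in" and entry["dport"] in service_ports:
        # Client packet to an open port that still fell through: neither the
        # `setup keep-state` rule nor an existing dynamic rule matched it.
        return "client-without-state"
    if entry["dir"] == "in":
        # Inbound to a port nothing opens: the catch-all doing its job.
        return "unsolicited-inbound"
    return "other-outbound"


def analyze(log_text, service_ports=SERVICE_PORTS):
    """Count denies per class and find flows denied more than once (retransmissions)."""
    counts = Counter()
    flows = Counter()
    for line in log_text.splitlines():
        entry = parse_ipfw_log(line)
        if entry is None or entry["action"] != "Deny":
            continue
        counts[classify(entry, service_ports)] += 1
        flows[(entry["proto"], entry["src"], entry["sport"],
               entry["dst"], entry["dport"], entry["dir"])] += 1
    repeated = {flow: n for flow, n in flows.items() if n > 1}
    return {"counts": dict(counts), "repeated_flows": repeated}


if __name__ == "__main__":
    import sys
    # Read real messages from stdin (e.g. `python3 ipfw_denies.py < /var/log/security`)
    # or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = analyze(text)
    for name, n in sorted(result["counts"].items()):
        print(f"{n:5d}  {name}")
    for (proto, src, sport, dst, dport, direction), n in result["repeated_flows"].items():
        print(f"repeated x{n}: {proto} {src}:{sport} -> {dst}:{dport} {direction}")
```

On a FreeBSD host ipfw logs through the `security` syslog facility, so piping `/var/log/security` into the script gives the same breakdown for real traffic. A large `reply-without-state` count with nothing in `client-without-state` is the signature of replies whose state was never created or has already been torn down, and is the first thing to check against `ipfw -d show` before deciding which allow rule to add.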
 