Hi FreeBSD lovers,
have just noticed an unexpected match in IPFW.
in short : after a successful login via SSH (/var/log/auth.log) it is allowed to access (for some hours) even HTTP just populating "include_tmp" table.
all others attempt to contact the host (/var/log/auth.log and /var/log/security) populates the "exclude_tmp" table; addresses are "sticky" to it for many days.
once a minute the tmp tables swaps with active ones.
"reserved" table has just nets like 0.0.0.0/8, 10.0.0.0/8 and so on and does not swap at all.
what i can't explain myself is : how a packet can match rule 65535 and not the (just preceeding) 1400 ?
maybe the swap between "exclude" and "exclude_tmp" allow such a behavior, even if atomic?
best regards
$witch
have just noticed an unexpected match in IPFW.
sh:
root@Riemann:~ # uname -a
FreeBSD Riemann 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64
root@Riemann:~ # ipfw show
00100 42 1680 allow ip from any to any via lo0
00200 0 0 check-state :default
00300 0 0 deny ip from any to table(reserved)
00400 0 0 deny ip from table(reserved) to any
00500 0 0 allow tcp from me to A.B.C.D setup keep-state :default
00600 9967 508842 deny ip from table(exclude) to any
00700 0 0 allow tcp from table(include) to me 80 setup keep-state :default
00800 9195 1638759 allow tcp from any to me 22 setup keep-state :default
00900 0 0 allow tcp from me to any established
01000 0 0 allow tcp from me to any setup keep-state :default
01100 26 2203 allow udp from me to any keep-state :default
01200 0 0 allow icmp from me to any keep-state :default
01300 0 0 allow icmp from any to any icmptypes 0,3
01400 445 24265 deny log ip from any to any
65535 1 40 deny ip from any to any
root@Riemann:~ # ipfw table all info
--- table(exclude), set(0) ---
kindex: 2, type: addr
references: 1, valtype: legacy
algorithm: addr:radix
items: 14547, size: 1745936
limit: 32767
--- table(include), set(0) ---
kindex: 4, type: addr
references: 1, valtype: legacy
algorithm: addr:radix
items: 25, size: 3296
--- table(reserved), set(0) ---
kindex: 1, type: addr
references: 2, valtype: legacy
algorithm: addr:radix
items: 8, size: 1256
--- table(exclude_tmp), set(0) ---
kindex: 3, type: addr
references: 0, valtype: legacy
algorithm: addr:radix
items: 14546, size: 1745816
limit: 32767
--- table(include_tmp), set(0) ---
kindex: 5, type: addr
references: 0, valtype: legacy
algorithm: addr:radix
items: 25, size: 3296in short : after a successful login via SSH (/var/log/auth.log) it is allowed to access (for some hours) even HTTP just populating "include_tmp" table.
all others attempt to contact the host (/var/log/auth.log and /var/log/security) populates the "exclude_tmp" table; addresses are "sticky" to it for many days.
once a minute the tmp tables swaps with active ones.
"reserved" table has just nets like 0.0.0.0/8, 10.0.0.0/8 and so on and does not swap at all.
what i can't explain myself is : how a packet can match rule 65535 and not the (just preceeding) 1400 ?
maybe the swap between "exclude" and "exclude_tmp" allow such a behavior, even if atomic?
best regards
$witch