# iptables to ipfw



## dot357 (Oct 17, 2010)

Please could anyone tell me how I can pass this syntax for iptables to ipfw.


```
# Outbound: on each NEW connection to tcp/80, record the destination IP in the 'recent' list "thor"
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name thor --rdest -j ACCEPT

# Inbound: drop an RST from a source that is in "thor" and was recorded within the last 1 second
# (the option is --tcp-flags, not --tcp-flag)
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m state --state ESTABLISHED -m recent --name thor --rcheck --rsource --seconds 1 -j DROP
```


Thanks.


----------



## anomie (Oct 17, 2010)

ipfw does not have the 'recent' module, but you might be able to whip something similar together. For starters, check the ipfw(8) manpages, under the RULE OPTIONS section. You can match on *tcpflags rst*. 

What's the purpose of your ruleset in plain English? How I read it is: 

- allow outbound traffic to tcp 80, and capture the destination IP (for later processing)
- if that same destination IP tries to send in (to your host) more than one tcp RST packet per second, drop it

If that's correct, may I ask why you are doing this?


----------



## dot357 (Oct 17, 2010)

I am having a problem with the web server. Web pages are not loading, or they load without style sheets. Apparently the problem is due to a malfunction of your transparent proxy. A group of Linux users have found that ignoring the [RST] received just after sending SYN solved the problem, so they created these two iptables rules.
I've been reading the manual that you mentioned, but I have no knowledge of it and don't know how I could adapt these rules to the syntax of ipfw.

Sorry for my English.

Thanks


----------



## anomie (Oct 18, 2010)

@dot357, that sounds like a very unpleasant kludge. It seems like it would be better to establish cause and effect, and solve the problem at the web server (or proxy?) level. What transparent proxy are you using?


----------



## dot357 (Oct 18, 2010)

I totally agree with you, but the problem is that the transparent proxy belongs to my ISP, and apparently they did not know how to solve the problem. I prefer to think it is ignorance rather than think that they do not solve the problem because it only affects a tiny fraction of customers.


----------



## dot357 (Oct 18, 2010)

I have added this rule to ipfw:


```
# ipfw(8) expects the keyword first, then the flag list: "tcpflags rst", not "rst tcpflags"
deny tcp from any to me in tcpflags rst
```
But I do not know if this rule does exactly what I've posted.
I'll try this.
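As an added illustration (not code from either poster), here is a small Python model of the two approaches in this thread: anomie's reading of the iptables pair (drop an inbound RST only if it comes from an IP this host opened a tcp/80 connection to within the last second) next to a blanket ipfw "deny tcp from any to me in tcpflags rst" (drop every inbound RST). The packet trace and addresses are constructed, and the conntrack state matches are approximated as described in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float           # time in seconds (constructed trace)
    direction: str     # "out" (sent by this host) or "in" (received by it)
    src: str
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. frozenset({"SYN"})

class RecentRstFilter:
    """Model of the two iptables rules: 'recent' list "thor" with --seconds 1.
    Simplification: '--state NEW' is taken as an outbound SYN, and
    '--state ESTABLISHED' as an inbound RST from a source already in the list."""
    def __init__(self, window=1.0):
        self.window = window
        self.thor = {}  # destination IP -> time it was recorded (--set --rdest)

    def decide(self, p):
        if p.direction == "out" and p.dport == 80 and p.flags == frozenset({"SYN"}):
            self.thor[p.dst] = p.t        # --set --rdest, then ACCEPT
            return "ACCEPT"
        if p.direction == "in" and "RST" in p.flags:
            seen = self.thor.get(p.src)   # --rcheck --rsource (does not refresh the time)
            if seen is not None and p.t - seen <= self.window:
                return "DROP"             # RST within 1 s of our SYN: drop it
        return "ACCEPT"                   # otherwise fall through to later rules

def blanket_rst_deny(p):
    """Model of 'deny tcp from any to me in tcpflags rst': every inbound RST is dropped."""
    return "DROP" if p.direction == "in" and "RST" in p.flags else "ACCEPT"

def compare(events):
    """Return (recent-module decision, blanket-deny decision) for each packet."""
    f = RecentRstFilter()
    return [(f.decide(p), blanket_rst_deny(p)) for p in events]

# Constructed packet trace using RFC 5737 documentation addresses
EVENTS = [
    Pkt(0.0, "out", "192.0.2.1", "203.0.113.10", 80, frozenset({"SYN"})),        # our SYN to a web server
    Pkt(0.2, "in", "203.0.113.10", "192.0.2.1", 51000, frozenset({"RST", "ACK"})),  # spurious RST right after it
    Pkt(5.0, "in", "203.0.113.10", "192.0.2.1", 51000, frozenset({"RST", "ACK"})),  # same host, outside the 1 s window
    Pkt(6.0, "in", "198.51.100.7", "192.0.2.1", 51001, frozenset({"RST", "ACK"})),  # host we never connected to
]

if __name__ == "__main__":
    for p, (recent, blanket) in zip(EVENTS, compare(EVENTS)):
        print(f"t={p.t:<4} {p.direction:3} from {p.src:13} recent={recent:6} blanket={blanket}")
```

The blanket rule silences the proxy's RST but also every legitimate RST, while the recent-list version only drops RSTs arriving within a second of a port-80 SYN this host sent.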


----------

