From: dfolkins <dfolkins@comcast.net>
Date: Wed, 18 Sep 2002 21:08:40 -0400
To: barbish@a1poweruser.com, freebsd-questions@freebsd.org
Subject: Re: ipfw, natd, and keep-state - unexpected dynamic rules generated
Message-id: <001201c25f79$17414430$0a00a8c0@groovy3xp>

From: "JoeB"
To: "dfolkins"
Sent: Tuesday, September 17, 2002 11:54 AM
Subject: RE: ipfw, natd, and keep-state - unexpected dynamic rules generated

> So you have fallen into the dirty secret about FBSD and IPFW/keep-state.
> IPFW/natd can not use the keep-state option. It's not a problem in IPFW but
> in NATD.
> IPFW/keep-state works as documented when NAT is done outside of IPFW, like
> when you use user ppp -nat to connect to your ISP over modem, but when you
> have cable modem or DSL that uses DHCP you are forced to go to IPFW/NATD,
> which will not work with keep-state. If you try to contact the ipfw maint
> team about this problem all you will get is the runaround. I also have
> cable access and I spent months trying to get IPFW/NATD keep-state to work.
> Finally had to go to IPFILTER/IPNAT, which has keep-state working.
>
> For more details
> http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO

Hm, I took a look at that howto, and it seems that my ipfw ruleset follows
the guidelines there. But still there is that strange short-lived rule
popping up which is not addressed or explained there... I guess the easy way
out would be to switch to ipf/ipnat, but I am curious as to what that strange
rule is all about in ipfw...

Thanks for the howto link, though, it was a good read.

-- 
dfolkins

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of dfolkins
> Sent: Tuesday, September 17, 2002 11:26 AM
> To: freebsd-questions@freebsd.org
> Subject: ipfw, natd, and keep-state - unexpected dynamic rules generated
>
> Hi everybody,
>
> I have a fbsd 4.6 router box sitting between a local net (192.168.0.255)
> and a single actual ip from a cable modem. Naturally, I've set up natd and
> ipfw on it, but instead of going the old way with the semi-stateful rules I
> decided to go with keep-state/check-state. But problems arise with outgoing
> ssh connections. Here is the relevant portion of my ipfw rules:
>
> # set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
>
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
>
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
>
> # Allow out ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
>
> Seems like this should work, right? Initiating an ssh connection with an
> external host, and checking the dynamic rules (ipfw -ad list), the
> following two rules are generated:
>
> 00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> {external host ip} 22
> 00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106 <-> {external host ip} 22
>
> The rule for my external ip, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the acks through it and gets a 600sec lifetime that is set
> in ack_lifetime. Any other packets sent through the connections reset the
> lifetime of the above two rules to 600 and 20 again. This would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
>
> When I remove the word "setup" from rule 640, though, the ssh connection
> does not die. The same two dynamic rules are created, with the same
> lifetimes, but when the short-lived rule expires the connection is still
> there; upon sending any data through it the short-lived rule does not get
> recreated. I am kinda stumped here.
>
> Any ideas? What's wrong with my rules? Any help would be appreciated.
>
> I've posted this to -security before, but have not gotten an authoritative
> answer as to the reason this is happening, and I guess if the same happens
> here I will post on -ipfw. And yes, I _have_ been advised to switch to
> ipnat/ipfilter, but that's cheating :). For that matter, so is removing
> "setup" from the above rule 640.
>
> Thank you all in advance.
>
> --
> dfolkins
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
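The two dynamic entries quoted in the original post, one keyed on the pre-NAT LAN address (rule 220) and one keyed on the post-NAT external address (rule 640) with the latter never getting past the 20-second syn_lifetime, are the symptom to look for when checking a divert/keep-state ruleset of this shape. The Python script below is an added example for this thread, not code posted by anyone in it: it parses dynamic-rule lines in the layout `ipfw -ad list` prints on FreeBSD 4.x (as shown above), pairs entries that describe the same connection in the two address realms (same protocol, source port and peer, one RFC 1918 source and one public source), and flags pairs whose external-address entry is still on the SYN timer while its LAN twin has been promoted to the longer timer. The sample listing is constructed from the lines in the thread, with RFC 5737 documentation addresses standing in for the real hosts and an unrelated UDP entry added to show that entries without a NAT twin are ignored; the 20-second syn_lifetime default is taken from the post, and the column layout is an assumption based on the quoted output.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of `ipfw -ad list` dynamic-rule output as
# quoted in the thread: 192.168.0.0/16 is the LAN, 203.0.113.5 stands in for
# the router's external address, 198.51.100.0/24 for remote hosts.  The UDP
# line has no NAT twin and is there to show that such entries are not flagged.
SAMPLE_DYNAMIC_RULES = """\
00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> 198.51.100.7 22
00640 26 2130 (T 19, slot 166) <-> tcp, 203.0.113.5 3106<-> 198.51.100.7 22
00220 3 200 (T 9, slot 111) <-> udp, 192.168.0.11 1025 <-> 198.51.100.53 53
"""

# One dynamic-rule line: rule number, packet and byte counters, timer and slot,
# then "proto, src sport <-> dst dport".  Spacing around the second "<->" is
# loose because the listing in the thread shows it both with and without a space.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>\d+),\s+slot\s+(?P<slot>\d+)\)\s+<->\s+(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s*<->\s*(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# RFC 1918 ranges, checked explicitly rather than via ip_address().is_private,
# which would also classify the documentation ranges in the sample as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(addr):
    """True for an RFC 1918 (pre-NAT) source address."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_dynamic_rules(text):
    """Parse dynamic-rule lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for k in ("rule", "pkts", "bytes", "ttl", "slot", "sport", "dport"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def flow_key(e):
    """The parts natd leaves unchanged: protocol, source port and the peer."""
    return (e["proto"], e["sport"], e["dst"], e["dport"])


def find_nat_pairs(entries):
    """Pair each LAN-address entry with the external-address entry for the same
    flow, i.e. the two views of one connection on either side of natd."""
    by_flow = defaultdict(list)
    for e in entries:
        by_flow[flow_key(e)].append(e)
    pairs = []
    for group in by_flow.values():
        lan = [e for e in group if is_lan_address(e["src"])]
        ext = [e for e in group if not is_lan_address(e["src"])]
        pairs.extend((l, x) for l in lan for x in ext)
    return pairs


def find_stuck_entries(entries, syn_lifetime=20):
    """Return the NAT pairs whose external-address entry is still on the SYN
    timer (ttl <= syn_lifetime) while the LAN-address twin has been promoted
    to the longer established-connection timer."""
    stuck = []
    for lan, ext in find_nat_pairs(entries):
        if ext["ttl"] <= syn_lifetime < lan["ttl"]:
            stuck.append({
                "flow": flow_key(lan),
                "lan_rule": lan["rule"], "lan_src": lan["src"],
                "ext_rule": ext["rule"], "ext_src": ext["src"],
                "ext_ttl": ext["ttl"],
            })
    return stuck


if __name__ == "__main__":
    for s in find_stuck_entries(parse_dynamic_rules(SAMPLE_DYNAMIC_RULES)):
        proto, sport, dst, dport = s["flow"]
        print(f"rule {s['ext_rule']:05d} entry {s['ext_src']}:{sport} -> {dst}:{dport} "
              f"({proto}) expires in {s['ext_ttl']}s; LAN twin is rule "
              f"{s['lan_rule']:05d} from {s['lan_src']}")
```

On a live box the same check runs against `ipfw -ad list | python3 thisscript.py`-style input by reading stdin instead of the constructed sample; the interesting output is any flow listed with a small remaining timer on the external-address entry, since that is the entry whose expiry the poster reports killing the session when rule 640 carries `setup`.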