From owner-freebsd-net@FreeBSD.ORG Sat Mar 24 17:06:38 2012
From: Kevin Oberman
To: "nyoman.bogi@gmail.com"
Cc: freebsd-net@freebsd.org
Date: Sat, 24 Mar 2012 10:06:36 -0700
Subject: Re: firewall stuck
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Mar 24, 2012 at 6:30 AM, nyoman.bogi@gmail.com wrote:
> On Thu, Mar 15, 2012 at 11:47 AM, Kevin Oberman wrote:
>>
>> Please don't top post. It makes following the thread very difficult.
>> (Yes, I know too many MUAs make this difficult.)
>>
>> > On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman wrote:
>> >> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com wrote:
>> >> > dear guru,
>> >> >
>> >> > every time I open my firewall to allow SSH connections from the Internet,
>> >> > after a few days my firewall always gets stuck. Stuck here means
>> >> > that it denies all requests (deny any from any).
>> >> > And after I "ipfw disable firewall" and then "ipfw enable firewall"
>> >> > everything works fine.
>> >> >
>> >> > when I checked /var/log/messages I found lots of attempts by
>> >> > people to connect to my machine.
>> >> > why does my machine get stuck when lots of people try to SSH to my
>> >> > machine?
>> >>
>> >> We need a bit more information, especially your ipfw configuration. Is
>> >> it a stateful firewall? It sounds a lot like your state table might
>> >> be filling for some reason. Of course, if it is not a stateful
>> >> firewall, that idea is probably wrong, though it could be a
>> >> misconfiguration of some stateful rule that is inadvertently catching
>> >> the SSH attempts.
>> >>
>> >> Have you done an 'ipfw show' to see what rules are being matched? It
>> >> may or may not provide a clue.
>> >> --
>> >> R. Kevin Oberman, Network Engineer
>> >> E-mail: kob6558@gmail.com
>>
>> On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi@gmail.com wrote:
>> > thanks Kevin,
>> > this is my "ipfw show":
>> >
>> > 00100  4352617  2413620288 allow ip from any to any via lo0
>> > 00200        0           0 deny ip from any to 127.0.0.0/8
>> > 00300        0           0 deny ip from 127.0.0.0/8 to any
>> > 00400        0           0 deny ip from any to ::1
>> > 00500        0           0 deny ip from ::1 to any
>> > 00600    54387     5454184 allow icmp from any to any
>> > 00700  3142231  1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
>> > 00800  4659459  4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
>> > 00900        0           0 check-state
>> > 01000   137997    89083135 allow tcp from 10.1.1.28 to any setup keep-state
>> > 01100        0           0 allow tcp from 10.16.10.84 to any setup keep-state
>> > 01150   401205   276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
>> > 01200   245718    44249729 allow udp from 10.1.1.28 to any keep-state
>> > 01300  5876930   239194755 allow tcp from any to any established
>> > 01400        0           0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
>> > 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
>> > 01600    80945    61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
>> > 01700        0           0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
>> > 01800   149642    97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
>> > 01900      140        7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
>> > 02000  1677982    89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
>> > 02100     8996      432096 deny tcp from any to any setup
>> > 02200   244111    24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
>> > 02300        0           0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
>> > 65535     4610     1422974 deny ip from any to any
>> >
>> > I use FreeBSD 8.2:
>> > FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
>> >
>> > the problem started after I added rule 01150
>>
>> So you do have a stateful rule for ssh. Putting stateful rules on
>> services is risky because you always open yourself to DOS, either
>> intentionally or by accident. Every stateful access requires resources
>> from a limited pool. You can look at this pool information with:
>> sysctl net.inet.ip.fw | grep dyn
>> man ipfw describes them in the "SYSCTL VARIABLES" section.
>>
>> I am wondering why you want a stateful rule for this. It's very risky
>> and it looks like you are getting bitten, either by accident or a
>> deliberate effort to DOS you. I suspect the former.
>> --
>> R. Kevin Oberman, Network Engineer
>> E-mail: kob6558@gmail.com
>
>
> thanks a lot Kevin, your hint is really helpful.
> I have changed the SSH connection into non-stateful.
>
> do you think I should change the HTTP connection into non-stateful also?

Almost certainly. One of the most common DOS attacks is just to flood a
popular port with connection requests, and port 80 is the most commonly
used. There are ways to mitigate this a bit by quickly dropping the state
entry when the 3-way handshake is not completed, but it's still pretty
easy to exploit. And, of course, if your website ever gets significant
publicity, the number of legitimate connections can cause you trouble.
(This is commonly called being "slashdotted".)

What you need to do is ask if a stateful firewall is really of any
benefit for port 80. What does it help, if anything? For UDP apps, where
the protocol does not maintain any state, stateful may make sense, but
for TCP, it's less obvious. Can you get the same benefits from a
stateless entry? Perhaps with the addition of tables so block entries
can be quickly added and deleted?
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
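As an added illustration of the check Kevin points to above (`sysctl net.inet.ip.fw | grep dyn`), and not part of the thread itself: a small POSIX sh script that reads the ipfw dynamic-rule counters and warns when the keep-state pool is close to `dyn_max`, which is the condition behind the "denies everything until I disable and re-enable the firewall" symptom in the original report. The sysctl names (`net.inet.ip.fw.dyn_count`, `dyn_max`, `dyn_syn_lifetime`, ...) are the real ipfw ones from ipfw(8); the sample sysctl output embedded in the script is constructed for offline testing, and the function names and the 90% threshold are my own choices.

```shell
#!/bin/sh
# Monitor ipfw dynamic (keep-state) rule usage. Added example, not from
# the freebsd-net thread. Works on FreeBSD against live sysctl output,
# or offline against text passed in as the optional last argument.

# Constructed sample of `sysctl net.inet.ip.fw | grep dyn` output
# (values invented for the example; the pool is ~95% full here).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 3890
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_keepalive: 1'

# dyn_value NAME [TEXT]: print the value of net.inet.ip.fw.NAME.
# With no TEXT, read the live sysctl tree (FreeBSD only).
dyn_value() {
    name=$1
    text=$2
    if [ -z "$text" ]; then
        text=$(sysctl net.inet.ip.fw 2>/dev/null || true)
    fi
    # sysctl prints "name: value"; match the exact key to avoid
    # confusing dyn_buckets with curr_dyn_buckets and the like.
    printf '%s\n' "$text" |
        awk -v key="net.inet.ip.fw.$name:" '$1 == key { print $2; exit }'
}

# dyn_utilization [TEXT]: integer percentage of dyn_max currently in use.
# Prints -1 and returns 1 when the counters cannot be read.
dyn_utilization() {
    count=$(dyn_value dyn_count "$1")
    max=$(dyn_value dyn_max "$1")
    if [ -z "$count" ] || [ -z "$max" ] || [ "$max" -le 0 ]; then
        echo "-1"
        return 1
    fi
    echo $(( $count * 100 / $max ))
}

# dyn_check THRESHOLD [TEXT]: exit 0 below THRESHOLD percent, 1 at or
# above it (state pool nearly full; new keep-state matches will start
# failing at 100%), 2 when the sysctls are unavailable.
dyn_check() {
    threshold=$1
    pct=$(dyn_utilization "$2") || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: ipfw dynamic rules at ${pct}% of dyn_max" \
             "(check 'ipfw -d show' for who is holding the entries)"
        return 1
    fi
    echo "OK: ipfw dynamic rules at ${pct}% of dyn_max"
    return 0
}

# Stand-alone use: run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    dyn_check 90 "$SAMPLE_SYSCTL"
fi
```

Run it from cron or a monitoring agent with `dyn_check 90` (no second argument) on the firewall host; `ipfw -d show` lists the dynamic entries themselves, so a warning can be traced to the rule and peers filling the pool. In the ruleset quoted in the thread, rule 01300 (`allow tcp from any to any established`) already passes the rest of any accepted TCP connection, which is why the stateful rule 01150 could be replaced by a plain `allow tcp from any to 10.1.1.28 dst-port 22 setup` without losing connectivity, and the same reasoning applies to the port 80 rule Kevin is discussing. The "drop the state entry quickly when the handshake does not complete" mitigation he mentions corresponds to lowering `net.inet.ip.fw.dyn_syn_lifetime`.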