From owner-freebsd-ipfw Sun May 27 18:46:30 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gate.killian.com (gate.killian.com [205.179.65.162]) by hub.freebsd.org (Postfix) with ESMTP id 09FD437B422 for ; Sun, 27 May 2001 18:46:27 -0700 (PDT) (envelope-from earl@killian.com)
Received: (from smtp@localhost) by gate.killian.com (8.11.1/8.11.1) id f4S1kQ982534 for ; Sun, 27 May 2001 18:46:26 -0700 (PDT) (envelope-from earl@killian.com)
Received: from oboe-w.killian.com(199.165.155.21), claiming to be "oboew.hq.tensilica.com" via SMTP by gate.killian.com, id smtpdE82072; Mon May 28 01:46:16 2001
From: "Earl A. Killian"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15121.44514.950000.542481@oboew.hq.tensilica.com>
Date: Sun, 27 May 2001 18:46:10 -0700
To: freebsd-ipfw@freebsd.org
Subject: keep-state questions
X-Mailer: VM 6.92 under 21.4 (patch 0) "Solid Vapor" XEmacs Lucid
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I had an ipfw firewall that was working fine without using state (e.g. based on /etc/rc.firewall). I decided to "upgrade" to using check-state/keep-state to avoid the potential problems of static rules. I did not find any documentation, howtos, etc. on how to do this. I simply did what I considered the obvious thing, but it did not work right. Although I have analyzed the problem and understand it, I am curious if anyone has any examples of the best way to do this. The fix I come up with may not be as optimal as community wisdom has invented.

My non-working first attempt boiled down to

<>
divert natd all from any to any via ${oif}
check-state
<>

The basic problem is that the firewall is invoked twice, on both input and output. A host on the inside initiates a connection by sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted via one of the filters and a keep-state was done. Next, the kernel determines that the packet is destined for outside, so it is run through the rules a second time on the way out. This time it is diverted to natd, which rewrites it to a packet from OIF-IP to OUTSIDE-IP. Another dynamic rule is created for this by a subsequent keep-state. When the SYN ACK comes back from OUTSIDE-IP to GATE, it is diverted on input to natd, which rewrites it as OUTSIDE-IP to INSIDE-IP. This hits the check-state and is accepted by the first dynamic rule created above, and ups the lifetime of the rule to 1000s. However, the second dynamic rule created above will eventually time out (it has only a 20s lifetime because it never sees the SYN ACK), at which point the connection is blocked (further packets from INSIDE-IP to OUTSIDE-IP will be dropped on the floor on output).

One way to fix this would be to augment the rules to accept anything output from the gateway to the internet:

<>
divert natd all from any to any via ${oif}
allow all from ${oip} to any out xmit ${oif}
check-state
<>

This will prevent the need for the second dynamic rule. However, it seems to compromise security somewhat since it is fairly permissive, and generally one follows the rule that anything not required is denied.

Comments?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
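Editor's added example, not part of the message above: the two-dynamic-rule problem the post describes comes from running keep-state on the same connection both before and after natd has rewritten it. A layout that avoids it without a blanket "allow all from ${oip}" rule is to NAT inbound traffic before check-state (so dynamic rules always hold inside addresses), match outbound traffic only on output via the outside interface, before NAT, and make the parent rule's action a skipto to the outbound divert. Because check-state executes the action of the rule that created the dynamic rule (ipfw(8)), every later packet of the connection takes the same skipto and is translated, while the keep-state rule itself fires only once. The script below emits both rulesets; interface names, the inside network, and the rule numbers are assumptions, and by default it only prints the ipfw commands so it runs on any host.

```shell
#!/bin/sh
# Added example (not the original post's or FreeBSD's own code): an ipfw
# ruleset ordering that creates two dynamic rules per connection beside one
# that creates only one. Interface names, the inside network and the rule
# numbers are assumptions for illustration.
#
# IPFW defaults to a dry run that prints the commands (the unquoted
# expansion of "echo ipfw" is intended); set IPFW=ipfw on a FreeBSD gateway
# to load the rules for real.
IPFW="${IPFW:-echo ipfw}"
oif="${oif:-fxp0}"                # outside interface (assumed name)
iif="${iif:-fxp1}"                # inside interface (assumed name)
inet="${inet:-192.168.1.0/24}"    # inside network (assumed)

# Ordering from the post. "via ${oif}" matches both directions, so an
# outbound SYN reaches the keep-state rule twice: on input from ${iif}
# (untranslated) and again on output via ${oif} after natd has rewritten
# the source. The second dynamic rule never sees the SYN/ACK, which is
# de-NATed on input before check-state, so it expires and later outbound
# packets are dropped.
broken_rules() {
    $IPFW -f flush
    $IPFW add 100 allow all from any to any via lo0
    $IPFW add 200 divert natd all from any to any via "$oif"
    $IPFW add 300 check-state
    $IPFW add 400 allow tcp from "$inet" to any setup keep-state
    $IPFW add 65000 deny all from any to any
}

# Layout that runs keep-state once per connection:
#  - inbound packets on ${oif} are translated before check-state, so the
#    dynamic rule is always keyed on inside addresses;
#  - outbound packets are matched only on output via ${oif}, before NAT;
#    the parent action is skipto 1000, and since check-state applies the
#    parent rule's action, every packet of the connection jumps over the
#    filter rules to the outbound divert and an allow;
#  - traffic on the inside interface is passed unfiltered (a design choice:
#    all filtering happens at ${oif}).
fixed_rules() {
    $IPFW -f flush
    $IPFW add 100 allow all from any to any via lo0
    $IPFW add 150 allow all from any to any via "$iif"
    $IPFW add 200 divert natd all from any to any in via "$oif"
    $IPFW add 300 check-state
    $IPFW add 400 skipto 1000 tcp from "$inet" to any out via "$oif" setup keep-state
    $IPFW add 65000 deny all from any to any
    $IPFW add 1000 divert natd all from any to any out via "$oif"
    $IPFW add 1100 allow all from any to any
}

# Helper for inspecting a dry-run ruleset: count lines matching PATTERN.
count_matching() {   # usage: emit_rules | count_matching PATTERN
    grep -c -- "$1"
}

# Print both rulesets when run directly (dry run unless IPFW=ipfw).
if [ "${1:-}" = "--show" ]; then
    echo "# broken ordering"; broken_rules
    echo "# fixed ordering";  fixed_rules
fi
```

With the fixed layout, the outbound SYN is seen by rule 400 exactly once (on output via ${oif}), its dynamic rule records INSIDE-IP to OUTSIDE-IP, the returning SYN/ACK is de-NATed by rule 200 and matched by check-state, and subsequent outbound packets match the same dynamic rule and are carried to rule 1000 for translation. Nothing from the gateway's own address is allowed out unconditionally.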