Date: Mon, 7 Aug 2006 07:32:07 +0200 From: Anders Nordby <anders@FreeBSD.org> To: =?iso-8859-1?Q?S=E9bastien_A=2E?= VALSEMEY <sebastien.valsemey@vsystems.eu> Cc: freebsd-net@freebsd.org Subject: Re: IPF and OOW problems Message-ID: <20060807053207.GA38003@totem.fix.no> In-Reply-To: <009e01c68e18$0e1738c0$0da7a8c0@FR.B3W> References: <009e01c68e18$0e1738c0$0da7a8c0@FR.B3W>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, The current version of IP Filter in FreeBSD has bugs in the handling of TCP out-of-window checks. Check/follow http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/98978 for a solution. On Mon, Jun 12, 2006 at 02:02:17PM +0200, Sébastien A. VALSEMEY wrote: > Hello, > > I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8. > > <WAN> > WAN_IP/32 > | > tun0 > | > |---------| > | FreeBSD | > |---------| > / \ > xl0 xl1 > / \ > <LAN> <DMZ> > 192.168.0.0/24 DMZ_BLOCK/29 > > I often experience in my ipf logs such packet drops (the following example is for an active upload on a FTP server located on the > first IP of the DMZ network). My IPs have been voluntary hidden for privacy purposes. > > ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW > ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW > > Packet drop occurs a few seconds after the beginning of the transfer, even allowing a few kilobytes to be uploaded, which means that > the connection establishes well. > > And on another hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am systematically dropped with the same > kind of OOW packet, I mean the connection is not even established. > > As ICMP is allowed on the whole network, I can traceroute and reach each host in the network, from inside and outside (except for > the natted LAN...). The IP masquerading for hosts located on LAN works perfectly as they can go on the Internet without any problem. > > When I add the two following lines in my ipf ruleset, everything runs smoothly (but insecured!): > pass in quick all > pass out quick all > > I heard that such problems occur with the same version of ipf on Solaris > (http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens because of that. > > What I did wrong? > > Thank you by advance for your help. > > Here are extracts from my main configuration files: > > [/etc/rc.conf] > <... *snip*! ...> > firewall_enable="NO" > firewall_script="/etc/rc.firewall" > firewall_type="/etc/rc.firewall.rules" > firewall_logging="YES" > gateway_enable="YES" > icmp_drop_redirects="YES" > ifconfig_lo0="inet 127.0.0.1" > ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0" > ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248" > ipfilter_enable="YES" > ipfilter_rules="/etc/ipf.rules" > ipnat_enable="YES" > ipnat_program="/sbin/ipnat" > ipnat_rules="/etc/ipnat.rules" > ipnat_flags="" > ipmon_enable="YES" > ipmon_program="/sbin/ipmon" > ipmon_flags="-Ds" > kern_securelevel="0" > kern_securelevel_enable="NO" > network_interfaces="lo0 xl0 xl1" > ppp_enable="YES" > ppp_mode="ddial" > ppp_nat="NO" > ppp_profile="My_ISP_PROFILE" > <... *snip*! ...> > > > > [/etc/ipf.rules] > # Allow localhost traffic > pass in quick on lo0 all > pass out quick on lo0 all > > # Allow all outgoing traffic from this gateway > pass out quick on tun0 from any to any keep state > pass out quick on tun0 proto tcp from any to any keep state > pass out quick on xl0 from any to 192.168.0.0/24 keep state > pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state > pass out quick on xl1 from any to DMZ_BLOCK/29 keep state > pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state > > # Allow ICMP traffic (for testing purposes) > pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state > pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state > pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state > pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state > pass out quick proto icmp from any to any keep state > > # Allow FTP server > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data keep state > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state > # This is for the passive ports range... > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state > > # Allow Terminal services > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state > > # Default > block in log all > block return-rst in log proto tcp from any to any > block return-icmp-as-dest(port-unr) in log proto udp from any to any > > > [/etc/ipnat.rules] > map tun0 192.168.0.0/24 -> WAN_IP/32 > map tun0 192.168.0.0/24 -> WAN_IP/32 portmap tcp/udp auto > > > [KERNEL_CONFIG] > device bpf > options IPFIREWALL > options IPFIREWALL_VERBOSE > options IPFIREWALL_DEFAULT_TO_ACCEPT > options IPFILTER > options IPFILTER_LOG > options IPFILTER_DEFAULT_BLOCK > options NETGRAPH > options NETGRAPH_ETHER > options NETGRAPH_PPP > options NETGRAPH_PPPOE > options NETGRAPH_SOCKET > > > > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" -- Anders.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060807053207.GA38003>