Date:      Mon, 7 Aug 2006 07:32:07 +0200
From:      Anders Nordby <anders@FreeBSD.org>
To:        Sébastien A. VALSEMEY <sebastien.valsemey@vsystems.eu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPF and OOW problems
Message-ID:  <20060807053207.GA38003@totem.fix.no>
In-Reply-To: <009e01c68e18$0e1738c0$0da7a8c0@FR.B3W>
References:  <009e01c68e18$0e1738c0$0da7a8c0@FR.B3W>

Hi,

The current version of IP Filter in FreeBSD has bugs in the handling of
TCP out-of-window checks. Check/follow
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/98978 for a solution.

On Mon, Jun 12, 2006 at 02:02:17PM +0200, Sébastien A. VALSEMEY wrote:
> Hello,
> 
> I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8.
> 
>             <WAN>
>           WAN_IP/32
>               |
>              tun0
>               |
>          |---------|
>          | FreeBSD |
>          |---------|
>           /       \
>         xl0       xl1
>         /           \
>      <LAN>         <DMZ>
> 192.168.0.0/24   DMZ_BLOCK/29
> 
> I often experience such packet drops in my ipf logs (the following example is for an active upload to an FTP server located on the
> first IP of the DMZ network). My IPs have been voluntarily hidden for privacy purposes.
> 
> ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
> ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW
> 
> The packet drop occurs a few seconds after the beginning of the transfer, even allowing a few kilobytes to be uploaded, which means that
> the connection establishes correctly.
> 
> On the other hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am systematically dropped with the same
> kind of OOW packet; I mean the connection is not even established.
> 
> As ICMP is allowed on the whole network, I can traceroute and reach each host in the network, from inside and outside (except for
> the NATed LAN...). The IP masquerading for hosts located on the LAN works perfectly, as they can go on the Internet without any problem.
> 
> When I add the two following lines to my ipf ruleset, everything runs smoothly (but insecure!):
> pass in quick all
> pass out quick all
> 
> I heard that such problems occur with the same version of ipf on Solaris
> (http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens because of that.
> 
> What did I do wrong?
> 
> Thank you in advance for your help.
> 
> Here are extracts from my main configuration files:
> 
> [/etc/rc.conf]
> <... *snip*! ...>
> firewall_enable="NO"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall.rules"
> firewall_logging="YES"
> gateway_enable="YES"
> icmp_drop_redirects="YES"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0"
> ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipnat_enable="YES"
> ipnat_program="/sbin/ipnat"
> ipnat_rules="/etc/ipnat.rules"
> ipnat_flags=""
> ipmon_enable="YES"
> ipmon_program="/sbin/ipmon"
> ipmon_flags="-Ds"
> kern_securelevel="0"
> kern_securelevel_enable="NO"
> network_interfaces="lo0 xl0 xl1"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="My_ISP_PROFILE"
> <... *snip*! ...>
> 
> 
> 
> [/etc/ipf.rules]
> # Allow localhost traffic
> pass in quick on lo0 all
> pass out quick on lo0 all
> 
> # Allow all outgoing traffic from this gateway
> pass out quick on tun0 from any to any keep state
> pass out quick on tun0 proto tcp from any to any keep state
> pass out quick on xl0 from any to 192.168.0.0/24 keep state
> pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state
> pass out quick on xl1 from any to DMZ_BLOCK/29 keep state
> pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state
> 
> # Allow ICMP traffic (for testing purposes)
> pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state
> pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state
> pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state
> pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state
> pass out quick proto icmp from any to any keep state
> 
> # Allow FTP server
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state
> # This is for the passive ports range...
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state
> 
> # Allow Terminal services
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state
> 
> # Default
> block in log all
> block return-rst in log proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log proto udp from any to any
> 
> 
> [/etc/ipnat.rules]
> map tun0 192.168.0.0/24  -> WAN_IP/32
> map tun0 192.168.0.0/24  -> WAN_IP/32 portmap tcp/udp auto
> 
> 
> [KERNEL_CONFIG]
> device          bpf
> options         IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> options         IPFILTER
> options         IPFILTER_LOG
> options         IPFILTER_DEFAULT_BLOCK
> options         NETGRAPH
> options         NETGRAPH_ETHER
> options         NETGRAPH_PPP
> options         NETGRAPH_PPPOE
> options         NETGRAPH_SOCKET
> 
> 
> 
> 
> 
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"


-- 
Anders.
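For readers unfamiliar with what an ipmon "OOW" verdict means, here is an added example (not code from this thread and not IP Filter source): a small Python model of the Rooij-style TCP window check that IPF's keep state tracking is based on. It replays a constructed active-mode FTP data connection, with 1300-byte segments as in the log above, once with the tracker honouring the peer's window scale and once with the tracker believing the window is much smaller than it is. The thread does not say what the actual defect behind kern/98978 was; the mis-sized window is an assumption used only to show the failure mode the poster describes: the handshake and the first few kilobytes pass, then every further segment is rejected as out of window. Endpoint names, sequence numbers and window values are all made up.

```python
"""Toy model of the Rooij-style TCP window check that IP Filter's 'keep state'
tracking descends from (G. van Rooij, "Real Stateful TCP Packet Filtering in
IP Filter", 2000).  This is an added illustration, not IPF source code: it
shows what an 'OOW' verdict means and how a tracker whose idea of the peer's
window is too small starts rejecting legitimate bulk data after a few KB.
All sequence arithmetic is modulo 2**32."""

from dataclasses import dataclass
from typing import Optional

MOD = 1 << 32      # TCP sequence space
MAX_WIN = 1 << 30  # tolerance for how far back a retransmission may reach


def seq_lt(a: int, b: int) -> bool:
    """Modular 'a is before b', like the kernel's SEQ_LT() macro."""
    return ((a - b) % MOD) >= (1 << 31)


@dataclass
class Side:
    wscale: int = 0               # window shift this side announced in its SYN
    seq_hi: Optional[int] = None  # highest seq+len this side has sent so far
    ack: Optional[int] = None     # highest ack this side has sent so far
    win: int = 0                  # last window this side advertised, after scaling


@dataclass
class Segment:
    seq: int
    ack: int
    win: int           # raw 16-bit window field
    flags: str         # ipmon notation: "S", "SA", "A", "AP", "FA"
    payload: int = 0
    wscale: int = 0    # window-scale option, meaningful on SYN only


class Tracker:
    """State for one connection between endpoints 'a' and 'b' (assumed names)."""

    def __init__(self, honor_wscale: bool = True):
        self.honor_wscale = honor_wscale
        self.sides = {"a": Side(), "b": Side()}

    def observe(self, frm: str, seg: Segment) -> str:
        """Return 'OK' or an 'OOW: ...' reason for a segment sent by `frm`."""
        src = self.sides[frm]
        dst = self.sides["b" if frm == "a" else "a"]
        end = (seg.seq + seg.payload + seg.flags.count("S") + seg.flags.count("F")) % MOD

        if dst.ack is not None:  # peer has told us what it expects and how much it takes
            right_edge = (dst.ack + dst.win) % MOD
            if seq_lt(right_edge, end):
                return "OOW: data beyond the peer's advertised window"
            if seq_lt(seg.seq, (dst.ack - MAX_WIN) % MOD):
                return "OOW: retransmission too far behind the peer's ack"
        if "A" in seg.flags and dst.seq_hi is not None and seq_lt(dst.seq_hi, seg.ack):
            return "OOW: acknowledges data the peer never sent"

        # Accepted: advance the sender's half of the state.
        if "S" in seg.flags:
            src.wscale = seg.wscale if self.honor_wscale else 0
        if src.seq_hi is None or seq_lt(src.seq_hi, end):
            src.seq_hi = end
        if "A" in seg.flags and (src.ack is None or seq_lt(src.ack, seg.ack)):
            src.ack = seg.ack
        # The window carried in a SYN is never scaled; later ones are.
        src.win = seg.win if "S" in seg.flags else seg.win << src.wscale
        return "OK"


def simulate_upload(honor_wscale: bool, segments: int = 8) -> list:
    """Constructed active-mode FTP data connection: the server ('a') connects
    from port 20, then the client ('b') streams 1300-byte segments while the
    server's acks are still in flight.  Returns the verdict per data segment."""
    t = Tracker(honor_wscale)
    t.observe("a", Segment(seq=1000, ack=0, win=65535, flags="S", wscale=7))
    t.observe("b", Segment(seq=5000, ack=1001, win=65535, flags="SA", wscale=7))
    # Server acks the SYN and advertises a 4000 << 7 = 512000-byte window;
    # a tracker that drops the scale factor believes it is only 4000 bytes.
    t.observe("a", Segment(seq=1001, ack=5001, win=4000, flags="A"))
    verdicts, seq = [], 5001
    for _ in range(segments):
        verdicts.append(t.observe("b", Segment(seq=seq, ack=1001, win=65535, flags="A", payload=1300)))
        seq += 1300
    return verdicts


if __name__ == "__main__":
    for honor in (True, False):
        print("honor_wscale=%s:" % honor, simulate_upload(honor))
```

With the scale honoured all eight data segments pass; with it ignored the fourth segment (the first to cross 4000 bytes past the server's last ack) and everything after it is returned as OOW, which is exactly the shape of the ipmon lines in the question: an established connection, a few kilobytes through, then "-A IN OOW" drops for the rest. Whether a given OOW storm is a tracker bug or a genuine out-of-window packet is something the log line alone cannot tell you; comparing the dropped segment's seq/len against the other side's last ack and window in a packet capture is the check that settles it.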



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060807053207.GA38003>