From owner-freebsd-ipfw Thu Feb 14 9:37: 6 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id B7FE137B416; Thu, 14 Feb 2002 09:36:50 -0800 (PST)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g1EHalf57727; Thu, 14 Feb 2002 09:36:47 -0800 (PST) (envelope-from rizzo)
Date: Thu, 14 Feb 2002 09:36:47 -0800
From: Luigi Rizzo
To: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Message-ID: <20020214093647.A57238@iguana.icir.org>
References: <3C6BE90D.3020108@tenebras.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3C6BE90D.3020108@tenebras.com>
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Feb 14, 2002 at 08:42:53AM -0800, Michael Sierchio wrote:
>
> I've sent this to Luigi and a couple of other folks without reply,
> so here it is.

The reply was that keep-state and natd are very hard to use together,
and besides it is rather useless because natd is stateful by itself.

This said, we have only so much time to do things. Sure, I do not
exclude a priori the possibility of a bug, but it sounds more likely
to be a misconfiguration of your ruleset, and since the example you
are presenting has no reasonable application (that I can see -- again,
I'm happy to be proved wrong), I do not feel like spending an hour or
two trying to infer what is in your [some static rules], and I'll
happily leave you the job of explaining where the bug is (which means
reconstructing the flow of packets in and out of ipfw and showing
which one is dealt with in the wrong way).

cheers
luigi

> I'm seeing what I believe to be a bug in the stateful filter code
> for ipfw/ip_fw. Here's my original message:
>
> =============================================================================
>
> Running ipfw w/natd, connections through the gateway are dying. Two
> dynamic rules get instantiated for each connection through the
> gateway -- one with NAT'd addresses and one revealing the private
> addresses
>
> $on = external net = X.Y.Z/24
> $in = internal net = A.B.C/24 (192.168.1.0/24)
>
> the external IP is X.Y.Z.23
> the internal IP is A.B.C.1
>
> firewall rules:
>
> [some static rules...]
>
> $fw add divert natd ip from any to any via $external_interface
>
> $fw add check-state
>
> $fw add allow tcp from $in to any setup keep-state
> $fw add allow udp from $in to any keep-state
>
> $fw add allow tcp from $on to any setup keep-state
> $fw add allow udp from $on to any keep-state
>
>
> An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic
> rules to appear:
>
> 02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
> 02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22
>
> Note 02400 -- this connection timer seems to indicate that it is waiting for
> a completed 3-way handshake and hasn't seen the other SYN. The connection
> dies because the time counts down. The timer for 02200 doesn't count down
> because the keep-alives are resetting it.
>
> Any insight as to why this is happening? Seems like a bug in the state
> machine. I could be convinced otherwise, but it seems that these two rules
> should see the connection as being in the same state -- they both see the
> same packets.
>
> BTW, I could simplify this by safely allowing
>
> $fw add divert natd ip from any to any via $external_interface
>
> $fw add check-state
>
> $fw add allow ip from $in to any
> $fw add allow ip from any to $in
>
> $fw add allow tcp from $on to any setup keep-state
> $fw add allow udp from $on to any keep-state
>
> But the dynamic rule on the public side still seems to be using
> net.inet.ip.fw.dyn_syn_lifetime instead of net.inet.ip.fw.dyn_ack_lifetime.
>
> Comments?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
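Luigi asks for a reconstruction of the flow of packets in and out of ipfw. The Python model below is added here and is not taken from the thread or from ipfw itself; it walks the ssh handshake Michael describes through both of his quoted rulesets under a simplified picture of ipfw: a routed packet is checked once on its inbound and once on its outbound interface; a matching `divert natd` rule rewrites the packet and processing continues at the next rule; `keep-state` installs a dynamic rule keyed on the addresses exactly as that rule sees them; and a dynamic rule moves from the dyn_syn_lifetime timer to the dyn_ack_lifetime timer only once it has seen a SYN in both directions. The addresses, interface names, rule numbers and the 20/300 second lifetimes are constructed stand-ins, not values from the thread (only the sysctl names are).

```python
import ipaddress
# Assumed values (seconds) for net.inet.ip.fw.dyn_syn_lifetime / dyn_ack_lifetime.
SYN_LIFETIME, ACK_LIFETIME = 20, 300
# Stand-ins for the thread's X.Y.Z/24 ($on), A.B.C/24 ($in) and X.Y.Z.23.
EXT_NET = ipaddress.ip_network("10.0.0.0/24")
INT_NET = ipaddress.ip_network("192.168.1.0/24")
NAT_IP = "10.0.0.23"
EXT_IF, INT_IF = "ext0", "int0"

class Packet:
    def __init__(self, src, sport, dst, dport, syn=False, proto="tcp"):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.syn, self.proto = syn, proto  # syn: the TCP SYN flag that 'setup' tests

class DynRule:
    def __init__(self, rule_no, key, fwd_syn):
        self.rule_no, self.key = rule_no, key        # key: 4-tuple as seen when created
        self.fwd_syn, self.rev_syn = fwd_syn, False  # SYN seen in each direction
    @property
    def lifetime(self):  # only a rule that saw a SYN both ways gets the long timer
        return ACK_LIFETIME if self.fwd_syn and self.rev_syn else SYN_LIFETIME

# Rule fields: (number, action, proto, src, dst, setup, keep_state, via). Numbers are
# constructed so the keep-state tcp rules are 2200 and 2400, like the dynamic rules in
# the quoted output; the udp rules are left out because the walk only carries tcp.
DIVERT = (2000, "divert", "ip", "any", "any", False, False, EXT_IF)
CHECK_STATE = (2100, "check-state", None, None, None, False, False, None)
TCP_FROM_ON = (2400, "allow", "tcp", EXT_NET, "any", True, True, None)
RULESET_A = [DIVERT, CHECK_STATE,
             (2200, "allow", "tcp", INT_NET, "any", True, True, None), TCP_FROM_ON]
RULESET_B = [DIVERT, CHECK_STATE,
             (2200, "allow", "ip", INT_NET, "any", False, False, None),
             (2300, "allow", "ip", "any", INT_NET, False, False, None), TCP_FROM_ON]
_nat_table = {}  # natd's own mapping, simplified to port-preserving: sport -> private src

def natd(pkt, direction):
    """Rewrite the packet as natd would for traffic crossing the external interface."""
    if direction == "out" and ipaddress.ip_address(pkt.src) in INT_NET:
        _nat_table[pkt.sport] = pkt.src
        pkt.src = NAT_IP
    elif direction == "in" and pkt.dst == NAT_IP and pkt.dport in _nat_table:
        pkt.dst = _nat_table[pkt.dport]

def find_dyn(pkt, dyn):
    """check-state: match a dynamic rule in either direction and note any SYN seen."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    for dr in dyn:
        if dr.key == fwd:
            dr.fwd_syn |= pkt.syn
            return dr
        if dr.key == rev:
            dr.rev_syn |= pkt.syn
            return dr
    return None

def run_rules(rules, pkt, iface, direction, dyn):
    """Walk the ruleset once for a packet crossing one interface; return (action, rule)."""
    for num, action, proto, src, dst, setup, keep, via in rules:
        if action == "divert":
            if via == iface:
                natd(pkt, direction)  # the rewritten packet continues at the next rule
            continue
        if action == "check-state":
            dr = find_dyn(pkt, dyn)
            if dr is not None:
                return ("allow", dr.rule_no)
            continue
        if proto not in ("ip", pkt.proto) or (setup and not pkt.syn):
            continue
        if not ((src == "any" or ipaddress.ip_address(pkt.src) in src) and
                (dst == "any" or ipaddress.ip_address(pkt.dst) in dst)):
            continue
        if keep:  # keep-state records the 4-tuple exactly as this rule sees it
            dyn.append(DynRule(num, (pkt.src, pkt.sport, pkt.dst, pkt.dport), pkt.syn))
        return (action, num)
    return ("deny", 65535)

def forward(rules, pkt, in_if, out_if, dyn):
    """A routed packet is checked on the inbound interface, then on the outbound one."""
    verdicts = [run_rules(rules, pkt, in_if, "in", dyn)]
    if verdicts[0][0] == "allow":
        verdicts.append(run_rules(rules, pkt, out_if, "out", dyn))
    return verdicts

def simulate(rules):
    """ssh handshake from the inside host to an outside host; returns (dyn, trace)."""
    _nat_table.clear()
    dyn = []
    client, server = "192.168.1.4", "10.0.0.44"  # stand-ins for A.B.C.4 and X.Y.Z.44
    steps = [(Packet(client, 1549, server, 22, syn=True), INT_IF, EXT_IF),  # SYN
             (Packet(server, 22, NAT_IP, 1549, syn=True), EXT_IF, INT_IF),  # SYN+ACK
             (Packet(client, 1549, server, 22), INT_IF, EXT_IF)]            # ACK
    return dyn, [forward(rules, pkt, i, o, dyn) for pkt, i, o in steps]

def summary(rules):
    """(rule number, lifetime) of each dynamic rule the handshake leaves behind."""
    return [(d.rule_no, d.lifetime) for d in simulate(rules)[0]]
```

Calling summary(RULESET_A) returns [(2200, 300), (2400, 20)]: under these assumptions the private-address state sees the SYN+ACK because natd has already translated it back before check-state runs, while the NAT'd-address state only ever sees the outbound direction and stays on the SYN timer, which is the pattern in the quoted dynamic-rule listing. With summary(RULESET_B) the single public-side state is again left at (2400, 20), matching the second observation. simulate() also returns the per-pass (action, rule) trace, so the packet walk can be read rule by rule.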