From: Artur Pydo
Date: Tue, 10 Sep 2002 02:08:31 +0200
To: Darren Reed
Cc: Mike Tancsa, ipfilter@coombs.anu.edu.au, stable@freebsd.org
Subject: Re: FreeBSD 4.7-PRERELEASE & IPFilter
Message-ID: <3D7D37FF.4090704@pydo.org>

Hi,

I found at least one problem with IPFilter since I upgraded my FreeBSD box from 4.6-STABLE to 4.7-PRERELEASE. It seems that some ACK packets are rejected by IPFilter even if they are part of a legitimate open TCP connection, freezing it.

In my configuration NAT and stateful inspection are activated:

    map external_interface internal_network/24 -> fw-ext/32
    pass in quick on internal_interface proto tcp from internal_network/24 to any flags S/SA keep state keep frags

The problem appears only in the case of TCP connections (such as an HTTP download) between a remote host and a workstation behind the firewall. I mean the same problem does not appear if I download the same file from the remote server to the firewall box.

First the transfer goes fine on the established TCP connection:

    # ipfstat -t
    Source IP          Destination IP     ST   PR   #pkts  #bytes   ttl
    workstation,1061   207.200.85.49,80   4/4  tcp  8524   6986402  119:59:55

    # tcpdump -i external_interface
    ...
    01:26:26.626680 207.200.85.49.80 > fw-ext.1061: . 3313935:3315295(1360) ack 600 win 17680
    01:26:26.746358 fw-ext.1061 > 207.200.85.49.80: . ack 3315295 win 17680 (DF)
    01:26:34.011442 207.200.85.49.80 > fw-ext.1061: . 3315295:3316655(1360) ack 600 win 17680

While on the internal interface:

    # tcpdump -i internal_interface
    01:26:26.626692 207.200.85.49.80 > workstation.1061: . 3313935:3315295(1360) ack 600 win 17680
    01:26:26.746331 workstation.1061 > 207.200.85.49.80: . ack 3315295 win 17680 (DF)
    01:26:34.011486 207.200.85.49.80 > workstation.1061: . 3315295:3316655(1360) ack 600 win 17680
    01:26:34.157138 workstation.1061 > 207.200.85.49.80: . ack 3316655 win 17680 (DF)

But the last packet is blocked by the firewall with no known reason (ipflog):

    10/09/2002 01:26:34.157159 internal_interface @0:1 b workstation,1061 -> 207.200.85.49,80 PR tcp len 20 40 -A IN

At this point all the following ACK packets, sent in answer to the retransmitted incoming packets, are rejected and the TCP connection is frozen.

I can easily reproduce this problem and can send more information if you need it to diagnose it. If I flush the rules (ipf -Fa) everything goes OK.

FYI, IPFilter is statically built into the kernel.

Hope it helps,
Best regards,
Artur.

Mike Tancsa wrote:
>
> Thanks. Are the changes correct BTW? I am going to cc to stable as a
> number of people have noted and asked this question.
>
> ---Mike
>
> At 10:35 PM 09/09/2002 +1000, Darren Reed wrote:
>
>> In some email I received from Mike Tancsa, sie wrote:
>> > The filtering works on my machine... Haven't tried NAT yet. BTW, are
>> > those differences mentioned in the mailing list deliberate?
>>
>> No. I suspect they're mostly from people fixing problems when they're
>> making changes to the FreeBSD kernel.
>>
>> Darren
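The symptom reported above (a block logged for a flow that ipfstat -t still lists as fully established) can be checked for automatically by correlating the ipmon block log against the state table. The script below is an added example, not code from the thread or from IPFilter; its sample state-table and log lines are constructed to mirror the output quoted in the post, and the extra "scanner" line is invented to show a block that is NOT a false positive.

```python
import re

# Constructed samples modelled on the ipfstat -t and ipmon lines in the post.
STATE_TABLE = """\
Source IP Destination IP ST PR #pkts #bytes ttl
workstation,1061 207.200.85.49,80 4/4 tcp 8524 6986402 119:59:55
"""
IPMON_LOG = """\
10/09/2002 01:26:34.157159 internal_interface @0:1 b workstation,1061 -> 207.200.85.49,80 PR tcp len 20 40 -A IN
10/09/2002 01:26:40.000001 internal_interface @0:1 b scanner,4444 -> 207.200.85.49,80 PR tcp len 20 40 -S IN
"""

# ipfstat -t entry: src,sport dst,dport ST(a/b) proto ...
STATE_RE = re.compile(r"^(\S+),(\d+)\s+(\S+),(\d+)\s+(\d+)/(\d+)\s+(\w+)\s")
# ipmon line: date time iface @group:rule action src,sport -> dst,dport PR proto len hl tl -flags dir
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<ifname>\S+)\s+@(?P<rule>\S+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+\s+-(?P<flags>\S+)\s+(?P<dir>IN|OUT)$"
)

def parse_state_table(text):
    """Return 5-tuples of fully established (ST 4/4) entries from ipfstat -t output."""
    established = set()
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m and m.group(5) == "4" and m.group(6) == "4":
            established.add((m.group(1), int(m.group(2)),
                             m.group(3), int(m.group(4)), m.group(7)))
    return established

def parse_ipmon(text):
    """Parse ipmon log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            entries.append(d)
    return entries

def blocked_on_established(state_text, log_text):
    """Blocked ('b') packets whose 5-tuple matches an established state entry."""
    established = parse_state_table(state_text)
    return [e for e in parse_ipmon(log_text) if e["action"] == "b"
            and (e["src"], e["sport"], e["dst"], e["dport"], e["proto"]) in established]

if __name__ == "__main__":
    for e in blocked_on_established(STATE_TABLE, IPMON_LOG):
        print(f"{e['ts']} {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"flags {e['flags']} blocked despite open state entry")
```

Feeding it live output (ipfstat -t captured at the same moment as the ipmon log) turns the "blocked with no known reason" case into a concrete list of affected flows to attach to a report.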