From owner-freebsd-current@FreeBSD.ORG Sat Oct 27 19:01:15 2007
From: Darren Reed <darrenr@freebsd.org>
To: Peter Kieser
Cc: freebsd-current@freebsd.org
Date: Sat, 27 Oct 2007 12:01:00 -0700
Subject: Re: ipv6 ipfilter + keep state bug? (releng_7)
Message-ID: <47238AEC.4050900@freebsd.org>
In-Reply-To: <47201ED8.2090600@wingless.org>

Peter Kieser wrote:
> Hello,
>
> I'm having similar issues (intermittent connectivity as if the dynamic
> rule table isn't being kept properly) using IP Filter with IPv6 and
> keep state rules as I was having with ipfw (see "ipfw2 keep-state +
> IPv6 on RELENG_7"). IPv4 keep state rules work as expected. I've
> verified that it is not in fact a network problem (adding an "allow
> all" fixes the problem again).
>
> My rules are as follows, CVSup from today (Wed Oct 24 10:54:23 PDT),
> em0 is my external interface:
>
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass out quick on em0 keep state
> pass in quick on em0 proto tcp from any to any port = 22

This is asking for trouble, regardless of which firewall you use.

For best performance, the "keep state" part should be triggered by a
rule that mentions the TCP SYN flag somewhere. So for IPFilter, the
rule should be:

pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

(for inbound ssh) and for outbound ssh, you should have an explicit
rule like this for tcp:

pass out quick on em0 proto tcp all flags S keep state

If you don't trigger stateful filtering on SYN packets then the
firewall doesn't have a chance to record the window scaling options
that are present in the SYN/SYN-ACK packets at the start of a
connection and thus can't correctly determine if packets coming later
are inside or outside the TCP window.

Darren
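The window-scaling failure Darren describes, replayed in a toy model of a stateful firewall's TCP window check. This is an added illustration, not IPFilter's code or anything from the thread; the addresses, sequence numbers and the shift count of 7 are constructed, both ends are assumed to send the window-scale option, and the model tracks only the sequence-number bound (no ack checks or slack) to keep the point visible: a state entry created by a non-SYN segment never learns the scale factor, so it treats the peer's 16-bit window as unscaled and rejects legitimate data further than 64 KiB ahead.

```python
from dataclasses import dataclass
@dataclass
class Segment:
    src: str
    dst: str
    flags: str        # "S" = SYN, "SA" = SYN/ACK, "A" = plain ACK
    seq: int
    ack: int
    window: int       # raw 16-bit window field from the TCP header
    wscale: int = 0   # window-scale option (shift count); carried only by SYN and SYN/ACK

@dataclass
class Side:
    wscale: int = 0   # shift this side announced; stays 0 if the firewall never saw its SYN
    ack: int = 0      # highest acknowledgement number this side has sent
    window: int = 0   # raw window this side last advertised

class StateEntry:
    def __init__(self, first: Segment):
        self.sides = {first.src: Side(), first.dst: Side()}
        self.update(first)  # a 'keep state' rule creates the entry from whatever matched it

    def update(self, seg: Segment) -> None:
        s = self.sides[seg.src]
        if "S" in seg.flags and seg.wscale:
            s.wscale = seg.wscale  # the option is only visible on handshake segments
        s.ack, s.window = seg.ack, seg.window

    def allow(self, seg: Segment) -> bool:
        peer = self.sides[seg.dst]  # data must lie inside the window the peer advertised
        limit = peer.ack + (peer.window << peer.wscale)
        ok = "S" in seg.flags or peer.ack <= seg.seq < limit  # handshake segments pass
        if ok:
            self.update(seg)
        return ok

def scenario(state_from_syn: bool) -> bool:
    a, b = "10.0.0.1", "10.0.0.2"  # constructed addresses; both ends scale by 2**7
    syn    = Segment(a, b, "S",  seq=1000, ack=0,    window=65535, wscale=7)
    synack = Segment(b, a, "SA", seq=5000, ack=1001, window=65535, wscale=7)
    ack    = Segment(a, b, "A",  seq=1001, ack=5001, window=65535)
    b_ack  = Segment(b, a, "A",  seq=5001, ack=1001, window=65535)
    burst  = Segment(a, b, "A",  seq=1001 + 200_000, ack=5001, window=65535)  # > 64 KiB ahead
    if state_from_syn:  # 'flags S keep state': the entry is born at the SYN
        st = StateEntry(syn)
        st.allow(synack); st.allow(ack); st.allow(b_ack)
    else:               # no 'flags S': the entry is born mid-stream, from b_ack
        st = StateEntry(b_ack)
    return st.allow(burst)  # True when scaling is known, False when it is not
```

The mid-stream case is exactly what the original "pass out quick on em0 keep state" rule produces whenever the first packet the firewall matches is not a SYN, which is why the breakage shows up intermittently rather than on every connection.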