From owner-freebsd-security Fri Sep 13 10:31:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1534F37B400 for ; Fri, 13 Sep 2002 10:31:05 -0700 (PDT) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B61843E42 for ; Fri, 13 Sep 2002 10:31:05 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id MAA16558; Fri, 13 Sep 2002 12:31:04 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from mke-24-167-197-76.wi.rr.com(24.167.197.76) by peak.mountin.net via smap (V1.3) id sma016556; Fri Sep 13 12:30:42 2002 Message-Id: <4.3.2.20020913111417.023fb670@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Fri, 13 Sep 2002 12:29:23 -0500 To: dfolkins , freebsd-security@FreeBSD.ORG From: "Jeffrey J. Mountin" Subject: Re: ipfw, natd, and keep-state - strange behavior? In-Reply-To: <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp> References: <20020912152423.M3276-100000@walter> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:45 PM 9/12/02 -0400, dfolkins wrote: >now this is a very interesting discussion and all, but um, could someone >take a look at what i posted originally and tell me why there is this rogue >short-lived dynamic rule popping up and what i can do about it that does >_not_ involve making non-stateful rules? pretty please? :) it would really >appreciate it. Ran into this when tinkering with dynamic rules and checking out the features of IPFW2. It is not a rouge connection. The problem I saw was the connection would time out and the external host would then try opening a connection on a different port, which would be denied. Did not find a solution or answer, though it was supposedly answered by Ruslan Ermilov according to a message posted to -ipfw on Feb 13th, 2002 and yet was indirect: Keep-state combined with divert is really tricky. Search ML archives for a possible solution. I posted them once. Keep state works without NAT, which is how I use it on stand-alone systems. Might want to try some "log" sprinkling, check the log, and then try a second rule for the external IP. Am not sure if the connection is initiated from the eIP or to. Didn't get around to that. Removing the "setup" from the rule only means that the first packet in the 3-way isn't necessary for a dynamic rule to be created. It may be that adding a similar rule for the eIP *before* divert is the trick. Whether it needs to be in or out is also in question. Changing timeouts is not an option for a decent firewall and TCP keepalives (new with IPFW2) will only work with an established connection. *Or* IPFW needs a method of relating connections. Otherwise doing stateful FTP will not work either (or require opening the door a bit more). Will guess that IPFilter does this and why it works better with stateful rules. The fact that it harvests the LHF (thanks for answering that Darren) makes it more DOS resistant when incoming connections are involved. A solution for IPFW would be an excellent addition to a how-to. I'd imagine this should otherwise move to -doc or -ipfw. Would rather have somewhere to point someone than just tell them this is OT for -security. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message