Date: Wed, 18 Sep 2002 21:08:40 -0400
From: dfolkins <dfolkins@comcast.net>
To: barbish@a1poweruser.com, freebsd-questions@freebsd.org
Subject: Re: ipfw, natd, and keep-state - unexpected dynamic rules generated
Message-ID: <001201c25f79$17414430$0a00a8c0@groovy3xp>
References: <MIEPLLIBMLEEABPDBIEGIEOMCKAA.barbish@a1poweruser.com>
From: "JoeB" <barbish@a1poweruser.com>
To: "dfolkins" <dfolkins@comcast.net>
Sent: Tuesday, September 17, 2002 11:54 AM
Subject: RE: ipfw, natd, and keep-state - unexpected dynamic rules generated

> So you have fallen into the dirty secret about FBSD and IPFW/keep-state.
> IPFW/natd can not use the keep-state option. It's not a problem in IPFW but
> in NATD. IPFW/keep-state works like documented when NAT is done outside of
> IPFW like when you use user ppp -nat to connect to your ISP over modem, but
> when you have cable modem or DSL that uses DHCP you are forced to go to
> IPFW/NATD which will not work with keep-state. If you try to contact the
> ipfw maint team about this problem all you will get is the runaround. I also
> have cable access and I spent months trying to get IPFW/NATD keep-state to
> work. Finally had to go to IPFILTER/IPNAT which has keep-state working.
>
> For more details
> http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO

hm, i took a look at that howto, and it seems that my ipfw ruleset follows
the guidelines there. but still there is that strange short-lived rule
popping up which is not addressed or explained there... i guess the easy way
out would be to switch to ipf/ipnat, but i am curious as to what that strange
rule is all about in ipfw... thanks for the howto link, though, it was a good
read.

--
dfolkins

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of dfolkins
> Sent: Tuesday, September 17, 2002 11:26 AM
> To: freebsd-questions@freebsd.org
> Subject: ipfw, natd, and keep-state - unexpected dynamic rules generated
>
> hi everybody,
>
> i have a fbsd 4.6 router box sitting between a local net (192.168.0.255) and a
> single actual ip from a cable modem. naturally, i've set up natd and ipfw on
> it, but instead of going the old way with the semi-stateful rules i decided
> to go with keep-state/check-state. but problems arise with outgoing ssh
> connections. here is the relevant portion of my ipfw rules:
>
> #set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
>
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
>
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
>
> # Allow out ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
>
> seems like this should work, right? initiating an ssh connection with an
> external host, and checking the dynamic rules (ipfw -ad list), the following
> two rules are generated:
>
> 00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> {external host ip} 22
> 00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106<-> {external host ip} 22
>
> the rule for my external ip, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the acks through it and gets a 600sec lifetime that is set
> in ack_lifetime. any other packets sent through the connections reset the
> lifetime of the above two rules to 600 and 20 again. this would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
>
> when i remove the word "setup" from rule 640, though, the ssh connection does
> not die. the same two dynamic rules are created, with the same lifetimes,
> but when the short-lived rule expires the connection is still there, and upon
> sending any data through it the short-lived rule does not get recreated. i
> am kinda stumped here.
>
> any ideas? what's wrong with my rules? any help would be appreciated.
>
> i've posted this to -security before, but have not gotten an authoritative
> answer as to the reason this is happening, and i guess if the same happens here
> i will post on -ipfw. and yes, i _have_ been advised to switch to
> ipnat/ipfilter, but that's cheating :). for that matter, so is removing
> "setup" from the above rule 640.
>
> thank you all in advance.
>
> --
> dfolkins
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
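An added diagnostic, not part of the thread or of ipfw itself: it parses `ipfw -d list` output and flags dynamic entries whose remaining lifetime has never risen above syn_lifetime, which in the post is the entry that takes the ssh session down when it expires. The two entries from the post are re-typed as a constructed sample with RFC 5737 documentation addresses in place of the `{...}` placeholders, and syn_lifetime is assumed to be 20 s when the sysctl cannot be read.

```shell
#!/bin/sh
# Added example (not from the thread): find ipfw dynamic entries that are
# still on the short SYN lifetime. The post shows the NAT-side entry being
# refreshed to syn_lifetime (20 s) instead of ack_lifetime (600 s), so it
# expires while the TCP session is in use; this script makes that visible.

# Read syn_lifetime from the running kernel; fall back to the 20 s reported
# in the post when the sysctl is unavailable (assumption for the sample).
SYN_LIFETIME=$(sysctl -n net.inet.ip.fw.dyn_syn_lifetime 2>/dev/null || echo 20)

# Constructed sample of "ipfw -ad list" output: the two entries from the post,
# with 203.0.113.5 as "my external ip" and 198.51.100.7 as the external host.
SAMPLE='00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> 198.51.100.7 22
00640 26 2130 (T 19, slot 166) <-> tcp, 203.0.113.5 3106<-> 198.51.100.7 22'

# stuck_in_syn LIMIT: read dynamic-rule lines on stdin and print
# "<parent rule> <src>:<sport> <dst>:<dport> <T>" for every entry whose
# remaining lifetime T is at or below LIMIT. The first field is the number
# of the static rule that created the entry (rule 640 in the post), so the
# output points straight at the rule to inspect.
stuck_in_syn() {
    awk -v limit="$1" '
        /\(T [0-9]+, slot [0-9]+\)/ {
            # fields: rule pkts bytes (T n, slot m) <-> proto, src sport<-> dst dport
            t = $5; sub(/,/, "", t)
            sport = $11; sub(/<->/, "", sport)
            if (t + 0 <= limit + 0)
                printf "%s %s:%s %s:%s %s\n", $1, $10, sport, $12, $13, t
        }'
}

# stuck_count LIMIT: number of such entries, usable as a monitoring check.
stuck_count() {
    stuck_in_syn "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on the router itself pipe
# the live "ipfw -d list" output in instead.
printf '%s\n' "$SAMPLE" | stuck_in_syn "$SYN_LIFETIME"
```

Run it a few seconds apart while the session is active: an entry that keeps reappearing below the limit is being refreshed to syn_lifetime rather than ack_lifetime.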