From owner-freebsd-questions  Thu Feb 14  8:49:42 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18])
	by hub.freebsd.org (Postfix) with SMTP id 7097337B41B
	for <questions@freebsd.org>; Thu, 14 Feb 2002 08:49:30 -0800 (PST)
Received: (qmail 27244 invoked from network); 14 Feb 2002 16:49:24 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241)
  by 0 with SMTP; 14 Feb 2002 16:49:24 -0000
Message-ID: <3C6BEA94.6090205@tenebras.com>
Date: Thu, 14 Feb 2002 08:49:24 -0800
From: Michael Sierchio <kudzu@tenebras.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131
X-Accept-Language: en-us
MIME-Version: 1.0
To: abuse@freebsd.org, questions@freebsd.org
Subject: [Fwd: Re: Bug in stateful code?]
Content-Type: multipart/mixed;
 boundary="------------090801060102070203000908"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

This is a multi-part message in MIME format.
--------------090801060102070203000908
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


I got this from an autoresponder subscribed to one of the two lists
I sent this to.  Ack!

 From - Thu Feb 14 08:43:52 2002
X-UIDL: 1013705015.27188.laptop.tenebras.com
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <daemon@n170.usww.net>
Delivered-To: kudzu@tenebras.com
Received: (qmail 27186 invoked from network); 14 Feb 2002 16:43:34 -0000
Received: from n170.usww.net (216.104.145.170)
   by 0 with SMTP; 14 Feb 2002 16:43:34 -0000
Received: (from daemon@localhost)
	by n170.usww.net (8.11.6/8.11.6) id g1EGlLJ18034
	for kudzu@tenebras.com; Thu, 14 Feb 2002 11:47:21 -0500 (EST)
	(envelope-from daemon)
X-info0: (Date:Thu, 14 Feb 2002 11:47:21 -0500 (EST))(Date:Thu, 14 Feb 2002 11:47:21 -0500 (EST))(unk:0)
X-info1: (Date:Thu Feb 14 11:47:21 2002)(Unk:)
X-info2: (Ret:daemon)(Ret:daemon)(DestHost:tenebras.com.)(CID:g1EGlLJ18034)
X-info3: (Loc:n170.usww.net)(Loc:n170.usww.net)(Unk:)(FQDN:usww.net)(MAILDA:MAILER-DAEMON)(Unk:)
X-info4: (PID:18034)(Unk:)(E-SMTP:)(FromH:)(Date:200202141647)
X-info5: (To:kudzu@tenebras.com)(Ver:8.11.6)(Host:n170)(LclUser:Owner of many system processes)(Unk::)
X-info6: (Unk:)(CD:--)(CD:-)(Unk:)(Unk:)(CD:,)
X-info7: (CD:?)(Frm:daemon@localhost)(CD:')(CD:')(CD:")
Date: Thu, 14 Feb 2002 11:47:21 -0500 (EST)
Message-Id: <200202141647.g1EGlLJ18034@n170.usww.net>
X-Accept-Language: en
X-Responder: Auto response
X-Responder: Autoresponder
X-Responder: Do not reply
MIME-Version: 1.0
From: freebsd-ipfw@FreeBSD.ORG,
    freebsd-net@FreeBSD.ORG (freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Auto Responder)
Reply-To: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
To: kudzu@tenebras.com
Subject: Re: Bug in stateful code?
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<center><table width=640 CELLPADDING="10"  BGCOLOR="#9dcaf7" BORDER="5"><tr><td>
<!---<td bgcolor="#DDEEFF">--->
<center><font size=4>Thank you for your Email</font></center>
<font color="#0000FF"><b>kudzu@tenebras.com</b></font>, <br>Your message concerning "<b>Bug in stateful code?</b>" was received. We will attend to it as soon as possible.<br><br>

Thank you,<br>
freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG<br>
<br>
<b>Looking for a low cost shopping cart with point of sale inventory control.
We have it! Just added you can now accept all major Credit Cards
and PayPal. Easy interfacing to your website. Check us out.
Total shopping cart system <a href="http://dollar-saver.net/">http://dollar-saver.net</a><br>
<br>
Tired of paying everyone else for a shopping cart? Start your own
Shopping Mall with <a href="mallcity.org">Mall City</a> Your per store cost is less than $2.50.
Accepts all major credit cards, PayPal and Ibill.<br>
</b><br>
Be sure to visit the links below for free programs and information<br>
<a href="http://RackSpaceUnlimited.com/">Web sites, Racks Space, Colo Servers</a><br>
<a href="http://usww.com/index2.htm">Many things of interest</a><br>
<a href="http://w8.net/">Search Engine. Add your URL Free</a><br>
<a href="http://E.CyberLinkExchange.com/">Free Banner Exchange 468x60.</a><br>
<a href="http://bdemo.usww.com/">Quick Business web site. 1 Minute setup</a><br>
<a href="http://hdemo.usww.com/">Quick Personal web site. 1 Minute setup</a><br>
<a href="http://usww.com/feedback/ads/">Free Classified Advertising</a><br>
<a href="http://A.CyberLinkExchange.com/">Another Free Banner Exchange 400x40.</a><br>
<a href="http://usashopper.com/">Another Free Banner Exchange, classified and search.</a><br>
<br>
<center><a href="http://usww.com/services/"><img src="http://usww.com/services/images/usww-systems-logo.gif" border=0></a></center>
<br>

<font size=+1><b>If you are concerned about <font color=red>viruses</font> <a href="http://usww.com/services/index.cgi?virus"  target="virus">click here</a><br>
This system is protected by the <a href="http://usww.com/services/index.cgi?virus" target="virus">USWW</a> Server Side Virus scanner and auto responder. Protecting you <font color=red>before</font> you know you need protection.</b></font>
<br><br>
</td></tr></table></center>
<br>


<br> <pre>
---First 50 lines of original message included below----



  I've sent this to Luigi and a couple of other folks without reply,
  so here it is.

  I'm seeing what I believe to be a bug in the stateful filter code
  for ipfw/ip_fw.  Here's my original message:

  =============================================================================

  Running ipfw w/natd,  connections through the gateway are dying.  Two dynamic
  rules get instantiated for each connection through the gateway -- one
  with NAT'd addresses and one revealing the private addresses

  $on = external net = X.Y.Z/24
  $in = internal net = A.B.C/24  (192.168.1.0/24)

  the external IP is X.Y.Z.23
  the internal IP is A.B.C.1

  firewall rules:

  [some static rules...]

  $fw add divert natd ip from any to any via $external_interface

  $fw add check-state

  $fw add allow tcp from $in to any setup keep-state
  $fw add allow udp from $in to any keep-state

  $fw add allow tcp from $on to any setup keep-state
  $fw add allow udp from $on to any keep-state


  An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic rules
  to appear:


  02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
  02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22

  Note 02400 -- this connection timer seems to indicate that it is waiting for
  a completed 3-way handshake and hasn't seen the other SYN.  The connection dies
  because the time counts down.  The timer for 02200 doesn't count down because
  the keep-alives are resetting it.

  Any insight as to why this is happening?  Seems like a bug in the state machine.
  I could be convinced otherwise, but it seems that these two rules should
  see the connection as being in the same state -- they both see the same
  </pre> </html>



--------------090801060102070203000908
Content-Type: message/rfc822;
 name="Re: Bug in stateful code?"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="Re: Bug in stateful code?"