Date: Thu, 14 Feb 2002 11:47:21 -0500 (EST)
From: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG (freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Auto Responder)
To: kudzu@tenebras.com
Subject: Re: Bug in stateful code?
Message-ID: <200202141647.g1EGlLJ18034@n170.usww.net>
Thank you for your Email

kudzu@tenebras.com,
Your message concerning "Bug in stateful code?" was received. We will attend to it as soon as possible.

Thank you,
freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG

Looking for a low cost shopping cart with point of sale inventory control. We have it! Just added: you can now accept all major Credit Cards and PayPal. Easy interfacing to your website. Check us out. Total shopping cart system: http://dollar-saver.net/

Tired of paying everyone else for a shopping cart? Start your own Shopping Mall with Mall City (mallcity.org). Your per store cost is less than $2.50. Accepts all major credit cards, PayPal and Ibill.

Be sure to visit the links below for free programs and information:
Web sites, Rack Space, Colo Servers: http://RackSpaceUnlimited.com/
Many things of interest: http://usww.com/index2.htm
Search Engine. Add your URL Free: http://w8.net/
Free Banner Exchange 468x60: http://E.CyberLinkExchange.com/
Quick Business web site. 1 Minute setup: http://bdemo.usww.com/
Quick Personal web site. 1 Minute setup: http://hdemo.usww.com/
Free Classified Advertising: http://usww.com/feedback/ads/
Another Free Banner Exchange 400x40: http://A.CyberLinkExchange.com/
Another Free Banner Exchange, classified and search: http://usashopper.com/

[USWW Systems logo, linked to http://usww.com/services/]

If you are concerned about viruses, click here: http://usww.com/services/index.cgi?virus
This system is protected by the USWW Server Side Virus scanner and auto responder. Protecting you before you know you need protection.

---First 50 lines of original message included below----

I've sent this to Luigi and a couple of other folks without reply, so here it is.

I'm seeing what I believe to be a bug in the stateful filter code for ipfw/ip_fw. Here's my original message:

=============================================================================

Running ipfw w/natd, connections through the gateway are dying. Two dynamic rules get instantiated for each connection through the gateway -- one with NAT'd addresses and one revealing the private addresses.

  $on = external net = X.Y.Z/24
  $in = internal net = A.B.C/24 (192.168.1.0/24)

the external IP is X.Y.Z.23
the internal IP is A.B.C.1

firewall rules:

  [some static rules...]
  $fw add divert natd ip from any to any via $external_interface
  $fw add check-state
  $fw add allow tcp from $in to any setup keep-state
  $fw add allow udp from $in to any keep-state
  $fw add allow tcp from $on to any setup keep-state
  $fw add allow udp from $on to any keep-state

An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic rules to appear:

  02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
  02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22

Note 02400 -- this connection timer seems to indicate that it is waiting for a completed 3-way handshake and hasn't seen the other SYN. The connection dies because the time counts down. The timer for 02200 doesn't count down because the keep-alives are resetting it.

Any insight as to why this is happening? Seems like a bug in the state machine. I could be convinced otherwise, but it seems that these two rules should see the connection as being in the same state -- they both see the same

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
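The quoted report breaks off before the reporter's conclusion, but the two dynamic rules and their very different timers can be reproduced with a small model of ipfw's rule walk. The Python below is an added example, not ipfw's code or anything posted in the thread. It relies on two ipfw behaviours: a packet diverted to natd re-enters the ruleset at the rule after the divert, and a check-state match executes the action of the rule that created the state; the 20 s and 300 s constants are ipfw's default dyn_syn_lifetime and dyn_ack_lifetime. The interface names, the packet sequence and the 203.0.113.0/24 prefix standing in for X.Y.Z are constructed, and the second, skipto-based rule order is an assumed rearrangement for comparison, not something the report proposes.

```python
SYN_LIFETIME = 20    # ipfw default net.inet.ip.fw.dyn_syn_lifetime, seconds
ACK_LIFETIME = 300   # ipfw default net.inet.ip.fw.dyn_ack_lifetime, seconds
EXT_IF, INT_IF = "ext0", "int0"              # hypothetical interface names
IN_NET, ON_NET = "192.168.1.", "203.0.113."  # $in, and a constructed $on standing in for X.Y.Z
EXT_IP = ON_NET + "23"                       # the gateway's external address (X.Y.Z.23)

def natd(table, pkt):
    """Minimal source NAT: private src -> EXT_IP going out, reversed coming in."""
    if pkt["dir"] == "out":
        table[(EXT_IP, pkt["sport"])] = (pkt["src"], pkt["sport"])
        pkt["src"] = EXT_IP
    elif (pkt["dst"], pkt["dport"]) in table:
        pkt["dst"], pkt["dport"] = table[(pkt["dst"], pkt["dport"])]

def flow_key(pkt):
    """A dynamic rule matches both directions, so the key ignores direction."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

class Firewall:
    """Rules are (number, kind, arg); the kinds mirror the ipfw actions in play."""
    def __init__(self, rules):
        self.rules, self.nat_table, self.dyn = rules, {}, {}

    def _index_of(self, number):
        return next(i for i, r in enumerate(self.rules) if r[0] == number)

    def _touch(self, key, pkt):
        ent = self.dyn[key]
        ent["pkts"] += 1
        if "S" in pkt["flags"]:
            ent["syn_from"].add(pkt["src"])
        # ipfw moves to the long lifetime only once it has seen a SYN from both sides
        ent["expire"] = ACK_LIFETIME if len(ent["syn_from"]) == 2 else SYN_LIFETIME

    def walk(self, pkt):
        i = 0
        while i < len(self.rules):
            num, kind, arg = self.rules[i]
            i += 1
            if kind == "divert":                      # divert natd ... [in|out] via EXT_IF
                if pkt["iface"] == EXT_IF and arg in ("any", pkt["dir"]):
                    natd(self.nat_table, pkt)         # natd reinjects at the next rule
            elif kind == "check-state":
                key = flow_key(pkt)
                if key in self.dyn:
                    self._touch(key, pkt)
                    action = self.dyn[key]["action"]  # the parent rule's action applies
                    if action == "allow":
                        return "allow"
                    i = self._index_of(action)        # the parent was a skipto
            elif kind in ("keep-state", "skipto"):    # ... tcp from NET to any setup keep-state
                net, target = (arg, None) if kind == "keep-state" else arg
                if pkt["src"].startswith(net) and pkt["flags"] == "S":
                    key = flow_key(pkt)
                    self.dyn.setdefault(key, {"rule": num, "pkts": 0, "syn_from": set(),
                                              "action": "allow" if target is None else target})
                    self._touch(key, pkt)
                    if target is None:
                        return "allow"
                    i = self._index_of(target)
            elif kind == "allow":
                return "allow"
        return "deny"

# The reporter's order: divert natd first, then check-state, then keep-state on both nets.
REPORTED_RULES = [
    (2000, "divert", "any"),         # divert natd ip from any to any via $external_interface
    (2100, "check-state", None),
    (2200, "keep-state", IN_NET),    # allow tcp from $in to any setup keep-state
    (2400, "keep-state", ON_NET),    # allow tcp from $on to any setup keep-state
]
# Assumed rearrangement, not from the report: state is keyed on the private address only.
SKIPTO_RULES = [
    (100, "divert", "in"),           # divert natd ip from any to any in via $ext
    (200, "check-state", None),
    (300, "skipto", (IN_NET, 800)),  # skipto 800 tcp from $in to any setup keep-state
    (800, "divert", "out"),          # divert natd ip from any to any out via $ext
    (801, "allow", None),
]

def replay(rules):
    """Push one ssh connection (A.B.C.4:1549 -> X.Y.Z.44:22) through both interfaces."""
    fw, client, server = Firewall(rules), IN_NET + "4", ON_NET + "44"
    lan_to_net = [(INT_IF, "in"), (EXT_IF, "out")]   # every packet crosses two interfaces
    net_to_lan = [(EXT_IF, "in"), (INT_IF, "out")]
    def send(src, sport, dst, dport, flags, hops):
        pkt = {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}
        for iface, direction in hops:               # NAT rewrites persist into the next hop
            pkt["iface"], pkt["dir"] = iface, direction
            if fw.walk(pkt) != "allow":
                return False
        return True
    ok = send(client, 1549, server, 22, "S", lan_to_net)      # SYN
    ok &= send(server, 22, EXT_IP, 1549, "SA", net_to_lan)    # SYN-ACK, aimed at the NAT'd tuple
    ok &= send(client, 1549, server, 22, "A", lan_to_net)     # handshake completes
    for _ in range(3):                                        # a little data each way
        ok &= send(client, 1549, server, 22, "PA", lan_to_net)
        ok &= send(server, 22, EXT_IP, 1549, "PA", net_to_lan)
    return ok, sorted((e["rule"], e["pkts"], e["expire"]) for e in fw.dyn.values())
```

With the reporter's order, `replay(REPORTED_RULES)` ends with two entries: the outbound SYN creates state once on the inside interface with private addresses (rule 2200) and again on the outside interface after natd has rewritten the source (rule 2400). Replies are un-NAT'd by the divert before they reach check-state, so they only ever refresh the private-address entry; the NAT'd entry never sees the peer's SYN, stays on the short SYN lifetime and sees only outbound packets, which is the T 16 versus T 296 and 15 versus 45 packet pattern in the report. With the skipto order, `replay(SKIPTO_RULES)` leaves a single private-address entry that both directions hit, and the inherited skipto carries outbound packets to the divert so they are still translated.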
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202141647.g1EGlLJ18034>