Date: Fri, 04 Oct 2002 11:57:17 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: Aragon Gouveia <aragon@phat.za.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw stateful help - strange behaviour
Message-ID: <3D9DC86D.8F2D12ED@dolaninformation.com>
References: <20021004153554.GD5787@phat.za.net>
This post is more for -questions, since -security is now just a discussion
forum.

Try this ruleset:

00100 check-state
00500 allow tcp from any to 66.8.x.y 80 keep-state
01000 deny tcp from any to 66.8.x.y 80
65535 allow ip from any to any

With the above ruleset, rule 500 will create an entry in the state table for
both the initial set-up and then the actual connection. The previous 500
rule (allow tcp from any to 66.8.x.y 80 keep-state setup) was only entering a
rule into the state table for the setup part of the connection.

Cheers,
Greg

Aragon Gouveia wrote:
>
> Hi,
>
> I'm having a problem with ipfw's stateful operation which I can't quite
> figure out. Let me start with my ruleset.
>
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 deny tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
>
> Ok this ruleset works great from all my machines. But I'm noticing a lot of
> traffic is hitting rule 1000. When enabling logging on rule 1000, I see
> around 10 hits a minute. I know it could be arbitrarily generated packets
> directed at 66.8.x.y on port 80, but with this frequency it doesn't look
> right.
>
> So I changed my ruleset slightly to this:
>
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 fwd 66.8.b.c,34501 tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
>
> This allowed me to analyse what was hitting rule 1000 by running tcpdump on
> 66.8.b.c. Here's the output:
>
> 17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
> 17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
> 17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
> 17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
> 17:07:42.393275 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1478797841 win 7300 (DF)
> 17:07:42.393343 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1479411419 win 7300 (DF)
> 17:07:42.423224 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1479562687 win 7300 (DF)
> 17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.422375 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.424352 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511551 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511607 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1 win 7300 (DF)
>
> Okay, what gives - no SYN packets. So I checked the state table a few
> seconds after these packets were forwarded to 66.8.b.c and:
>
> 00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
> 00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
> 00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
> 00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80
>
> So it looks like the connections are matching the 'setup' flag and entering
> the state table, but they're not being matched by 'check-state' on further
> communication. Any ideas?
>
> I'm using IPFW1 on 4.7-RC.
>
> Thanks,
> Aragon
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
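The two kinds of output quoted in the thread, tcpdump lines for the packets that reached the deny/fwd rule and the dynamic-rule lines ipfw prints for its state table, can be correlated mechanically instead of by eye. The script below is an added example and is not code from the thread or from ipfw: it parses both line layouts as they appear in the post (tcpdump with `-e` style MAC columns, and the `rule pkts bytes (T ttl, slot n) <-> proto, a p<->b q` dynamic-rule line), classifies each logged packet by its TCP flags, and lists the packets whose 4-tuple has no state-table entry in either direction. The sample input is copied from the quoted post, plus one constructed ACK from source port 61162 that does correspond to a state entry, so that both branches of the check are exercised.

```python
"""Correlate TCP packets that hit an ipfw deny rule with ipfw's dynamic state table.

Added example for the thread above; not code from the thread or from ipfw.
Assumes the tcpdump -e line layout and the ipfw dynamic-rule line layout
quoted in the post (anonymised addresses such as 66.8.x.y are accepted as-is).
"""
import re
from collections import Counter
from dataclasses import dataclass

# tcpdump -e line: time srcMAC dstMAC ethertype len: src.sport > dst.dport: flags ...
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+\S+\s+\S+\s+\d+:\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s"
)

# ipfw dynamic rule: rule pkts bytes (T ttl, slot n) <-> proto, addrA portA<->addrB portB
STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\(T\s+(?P<ttl>\d+),\s+slot\s+\d+\)\s+<->\s+"
    r"(?P<proto>\w+),\s+(?P<a>\S+)\s+(?P<ap>\d+)<->\s*(?P<b>\S+)\s+(?P<bp>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def kind(self) -> str:
        """Coarse classification by TCP flags as tcpdump prints them."""
        if "S" in self.flags:
            return "syn"
        if "R" in self.flags:
            return "rst"
        if self.flags == ".":
            return "ack-only"
        return "other"


@dataclass(frozen=True)
class DynRule:
    rule: int
    ttl: int
    proto: str
    a: str
    ap: int
    b: str
    bp: int

    def matches(self, p: Packet) -> bool:
        """A dynamic rule covers the packet's 4-tuple in either direction."""
        fwd = (p.src, p.sport, p.dst, p.dport) == (self.a, self.ap, self.b, self.bp)
        rev = (p.src, p.sport, p.dst, p.dport) == (self.b, self.bp, self.a, self.ap)
        return fwd or rev


def parse_tcpdump(text: str) -> list:
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def parse_state_table(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rules.append(DynRule(int(m["rule"]), int(m["ttl"]), m["proto"],
                                 m["a"], int(m["ap"]), m["b"], int(m["bp"])))
    return rules


def flag_summary(pkts) -> Counter:
    """How many of the logged packets are SYNs, RSTs, bare ACKs, or other."""
    return Counter(p.kind for p in pkts)


def unmatched(pkts, rules) -> list:
    """Packets with no dynamic rule at all; check-state cannot pass these."""
    return [p for p in pkts if not any(r.matches(p) for r in rules)]


# Sample input: four tcpdump lines copied from the quoted post, plus one
# constructed ACK (source port 61162) that does match a state-table entry.
SAMPLE_TCPDUMP = """\
17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
17:08:00.000000 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61162 > 66.8.x.y.80: . ack 1 win 7300 (DF)
"""

# State-table lines copied from the quoted post.
SAMPLE_STATE = """\
00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_TCPDUMP)
    rules = parse_state_table(SAMPLE_STATE)
    print("flags:", dict(flag_summary(pkts)))
    for p in unmatched(pkts, rules):
        print(f"no state: {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.kind}]")
```

On the sample, every packet copied from the post is a RST or a bare ACK with no SYN, and none of their source ports (61175, 23973, 23853) appears in the state table, whose entries are for ports 61162, 61176, 24638 and 24637; only the constructed 61162 ACK finds a match. A packet with no dynamic rule is exactly what a stateful ruleset is meant to stop, so seeing such packets on the deny rule's log is the rule working, and this correlation is the check to run before concluding that check-state is failing for an established connection.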