Date: Thu, 14 Feb 2002 13:59:36 -0800
From: Luigi Rizzo
To: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Message-ID: <20020214135936.A59207@iguana.icir.org>

On Thu, Feb 14, 2002 at 12:43:44PM -0800, Michael Sierchio wrote:
> >..., i do not feel like spending
> >an hour or two trying to infer what is on your [some static rules],
> >and i'll happily leave you the job to explain where the bug (which
> >means reconstruct the flow of packets in and out of the ipfw and
> >show which one is dealt in the wrong way).
>
> I'd be happy to share the static rules -- and AFAIK I did give a hint
> as to what the problem is. What kind of evidence do you want, in
> particular?
> I have a tcpdump that shows the packet exchange, shows SYN from each
> host, and demonstrates that the dynamic rule is in the wrong state,
> using the wrong timer. This could easily have something to do with

the only reason why the rule can be "in the wrong state" as you say,
is that the packet you are waiting for never reaches the rule.
Which in turn boils down to a misconfiguration of the ruleset.

A tcpdump alone, even taken on both sides, is not enough because
the packet goes like this:

	input interface
	ip_input()
	ipfw up to the natd rule
	natd
	rest of ipfw ruleset
	ip_output() (if gateway is enabled)
	ipfw up to the natd rule
	natd
	rest of ipfw ruleset

where is it dropped, you might probably figure out with a bit of
experimenting and looking at ipfw counters and possibly running
natd in verbose mode.

	luigi
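
An added example, not part of the original message: one way to do the "looking at ipfw counters" step is to save `ipfw -a list` before and after replaying the failing connection and compare the per-rule packet counts. The two listings, their rule numbers and their counts are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed `ipfw -a list` snapshots (rule number, packets, bytes, rule),
# taken before and after the test connection; all values are made up.
BEFORE = """\
00100   40   3200 divert 8668 ip from any to any via fxp0
00200    0      0 check-state
00300   12    960 allow tcp from 10.0.0.0/24 to any keep-state
00400    3    180 deny tcp from any to any established
65535    7    420 deny ip from any to any
"""
AFTER = """\
00100   46   3560 divert 8668 ip from any to any via fxp0
00200    0      0 check-state
00300   13   1020 allow tcp from 10.0.0.0/24 to any keep-state
00400    5    300 deny tcp from any to any established
65535    7    420 deny ip from any to any
"""

LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
DROP_ACTIONS = ("deny", "drop", "reject", "reset", "unreach")

def parse(listing):
    """Map (rule number, rule text) -> packet count.

    The rule text is part of the key because several rules may share
    one rule number."""
    rules = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines that are not "number packets bytes rule" are skipped
            num, pkts, _bytes, body = m.groups()
            rules[(int(num), body)] = int(pkts)
    return rules

def counter_deltas(before, after):
    """Return [(rule number, packet delta, rule text)] for rules whose
    packet counter changed between the two snapshots, in ruleset order."""
    old, new = parse(before), parse(after)
    deltas = [(k[0], new[k] - old.get(k, 0), k[1]) for k in sorted(new)]
    return [d for d in deltas if d[1] != 0]

def suspects(before, after):
    """Rules that dropped packets during the test window."""
    return [d for d in counter_deltas(before, after)
            if d[2].split()[0] in DROP_ACTIONS]

if __name__ == "__main__":
    for num, delta, body in counter_deltas(BEFORE, AFTER):
        print(f"{num:05d} {delta:+d} {body}")
```

Because a forwarded packet passes the ruleset once from ip_input() and again from ip_output(), a rule's delta can include both passes; the rule that gained drops while the keep-state rule gained fewer matches than expected is where to start reading the ruleset.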