Date:      Wed, 14 Mar 2012 20:47:08 -0800
From:      Kevin Oberman <kob6558@gmail.com>
To:        "nyoman.bogi@gmail.com" <nyoman.bogi@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: firewall stuck
Message-ID:  <CAN6yY1tQjS_g5C12JSvYWSV75_aSMDbmXsiEX4wnrqthCDvWgg@mail.gmail.com>
In-Reply-To: <CAJsxnXaXG_9UV-MTeij=PSY4e0abKbmqW6QMWMph9UUTTCNMRg@mail.gmail.com>
References:  <CAJsxnXY7aHNf7dvG+QLVqziWQe8HLHbFbttN-vNsai-MbOVCMA@mail.gmail.com> <CAN6yY1v1O9QiN3bAZ3jPJvzX=xsLAauSXJJjwhrZPYSnBfK_uw@mail.gmail.com> <CAJsxnXaXG_9UV-MTeij=PSY4e0abKbmqW6QMWMph9UUTTCNMRg@mail.gmail.com>

Please don't top post. It makes following the thread very difficult.
(Yes, I know too many MUAs make this difficult.)

> On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman <kob6558@gmail.com> wrote:
>>
>> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com
>> <nyoman.bogi@gmail.com> wrote:
>> > dear guru,
>> >
>> > every time I open my firewall to allow SSH connection from Internet
>> > after few days my firewall always stuck. Stuck in here meaning
>> > that it deny all request (deny any from any).
>> > And after I "ipfw disable firewall" and then "ipfw enable firewall"
>> > everything works fine
>> >
>> > when I checked /var/log/messages I found lots of attempts
>> > people try to connect to my machine.
>> > why my machine get stuck when lots of people try to SSH to my machine?
>>
>> We need a bit more information, especially your ipfw configuration. Is
>> it a statefull firewall? It sounds a lot like your state table might
>> be filling for some reason. Of course, if it is not a statefull
>> firewall, that idea is probably wrong, though it could be a
>> misconfiguration of some statefull rule that is inadvertently catching
>> the SSH attempts.
>>
>> Have you done an 'ipfw show' to see what rules are being matched? it
>> may or may not provide a clue.
>> --
>> R. Kevin Oberman, Network Engineer
>> E-mail: kob6558@gmail.com
On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi@gmail.com
<nyoman.bogi@gmail.com> wrote:
> thanks Kevin,
> this is my "ipfw show" :
>
> 00100  4352617  2413620288 allow ip from any to any via lo0
> 00200        0           0 deny ip from any to 127.0.0.0/8
> 00300        0           0 deny ip from 127.0.0.0/8 to any
> 00400        0           0 deny ip from any to ::1
> 00500        0           0 deny ip from ::1 to any
> 00600    54387     5454184 allow icmp from any to any
> 00700  3142231  1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
> 00800  4659459  4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
> 00900        0           0 check-state
> 01000   137997    89083135 allow tcp from 10.1.1.28 to any setup keep-state
> 01100        0           0 allow tcp from 10.16.10.84 to any setup keep-state
> 01150   401205   276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
> 01200   245718    44249729 allow udp from 10.1.1.28 to any keep-state
> 01300  5876930   239194755 allow tcp from any to any established
> 01400        0           0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
> 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
> 01600    80945    61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
> 01700        0           0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
> 01800   149642    97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
> 01900      140        7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
> 02000  1677982    89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
> 02100     8996      432096 deny tcp from any to any setup
> 02200   244111    24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
> 65535     4610     1422974 deny ip from any to any
>
> I use FreeBSD 8.2 :
> FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
>
> the problem start after I add rule 01150

So you do have a stateful rule for ssh. Putting stateful rules on
services is risky because you always open yourself to DoS, either
intentionally or by accident. Every stateful access requires resources
from a limited pool. You can look at this pool information with:
sysctl net.inet.ip.fw | grep dyn
man ipfw describes them in the "SYSCTL VARIABLES" section.

I am wondering why you want a stateful rule for this. It's very risky
and it looks like you are getting bitten, either by accident or a
deliberate effort to DoS you. I suspect the former.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
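As an added example (editor's illustration, not code from Kevin or the original poster), here is a small POSIX shell script that turns the check Kevin points at into something you can run from cron or a monitoring agent: it reads `sysctl net.inet.ip.fw` style output, pulls out `dyn_count` (dynamic entries in use) and `dyn_max` (the pool size), and reports how full the keep-state table is. The two sysctl names exist on FreeBSD 8.x; the sample sysctl output and its numbers below are constructed for the example, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example: check how full the ipfw dynamic (keep-state) rule table is.
# Not part of the original thread. Each "keep-state"/"check-state" session
# consumes one entry from a pool bounded by net.inet.ip.fw.dyn_max; once
# dyn_count reaches dyn_max no new dynamic entry can be created, which is
# how a flood of SSH connection attempts against a keep-state rule can make
# a firewall stop admitting traffic.

# Constructed sample of `sysctl net.inet.ip.fw | grep dyn` on a FreeBSD 8.x
# host whose table is completely full (values made up for the example).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1'

# dyn_value NAME: print the value of net.inet.ip.fw.NAME from sysctl output on stdin.
dyn_value() {
    awk -v key="net.inet.ip.fw.$1:" '$1 == key { print $2; exit }'
}

# dyn_usage_pct: read sysctl output on stdin, print percent of dyn_max in use.
# Returns 2 when the needed variables are missing or dyn_max is not positive.
dyn_usage_pct() {
    input=$(cat)
    count=$(printf '%s\n' "$input" | dyn_value dyn_count)
    max=$(printf '%s\n' "$input" | dyn_value dyn_max)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 2
    echo $((count * 100 / max))
}

# check_dyn_table THRESHOLD: read sysctl output on stdin; exit 0 when usage
# is below THRESHOLD percent, 1 when at or above it, 2 on unparsable input.
check_dyn_table() {
    pct=$(dyn_usage_pct) || return 2
    if [ "$pct" -ge "$1" ]; then
        echo "WARNING: ipfw dynamic state table ${pct}% full (dyn_count/dyn_max)"
        return 1
    fi
    echo "OK: ipfw dynamic state table ${pct}% full"
    return 0
}

# Demo against the constructed sample; on a live FreeBSD box use
#   sysctl net.inet.ip.fw | check_dyn_table 80
# The trailing "|| true" only stops the expected WARNING from aborting a
# shell that has "set -e" enabled.
printf '%s\n' "$SAMPLE_SYSCTL" | check_dyn_table 80 || true
```

The percentage is the thing to graph over time: a table that climbs toward `dyn_max` every time port 22 is opened, while legitimate session counts stay flat, is the signature of the accidental DoS Kevin describes, and it shows up well before the firewall starts refusing everything. Raising `net.inet.ip.fw.dyn_max` buys headroom, but the underlying exposure Kevin points at (a per-connection resource handed out to any source on the Internet) remains, so the number is better used as an alarm than as a fix.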