From: Kevin Oberman <kob6558@gmail.com>
To: "nyoman.bogi@gmail.com"
Cc: freebsd-net@freebsd.org
Date: Wed, 14 Mar 2012 20:47:08 -0800
Subject: Re: firewall stuck
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Please don't top post. It makes following the thread very difficult. (Yes, I know too many MUAs make this difficult.)
> On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman wrote:
>>
>> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com wrote:
>> > dear guru,
>> >
>> > every time I open my firewall to allow SSH connection from Internet
>> > after a few days my firewall always gets stuck. Stuck here meaning
>> > that it denies all requests (deny any from any).
>> > And after I "ipfw disable firewall" and then "ipfw enable firewall"
>> > everything works fine.
>> >
>> > when I checked /var/log/messages I found lots of attempts by
>> > people trying to connect to my machine.
>> > why does my machine get stuck when lots of people try to SSH to my machine?
>>
>> We need a bit more information, especially your ipfw configuration. Is
>> it a stateful firewall? It sounds a lot like your state table might
>> be filling for some reason. Of course, if it is not a stateful
>> firewall, that idea is probably wrong, though it could be a
>> misconfiguration of some stateful rule that is inadvertently catching
>> the SSH attempts.
>>
>> Have you done an 'ipfw show' to see what rules are being matched? It
>> may or may not provide a clue.
>> --
>> R. Kevin Oberman, Network Engineer
>> E-mail: kob6558@gmail.com
On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi@gmail.com wrote:
> thanks Kevin,
> this is my "ipfw show":
>
> 00100  4352617  2413620288 allow ip from any to any via lo0
> 00200        0           0 deny ip from any to 127.0.0.0/8
> 00300        0           0 deny ip from 127.0.0.0/8 to any
> 00400        0           0 deny ip from any to ::1
> 00500        0           0 deny ip from ::1 to any
> 00600    54387     5454184 allow icmp from any to any
> 00700  3142231  1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
> 00800  4659459  4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
> 00900        0           0 check-state
> 01000   137997    89083135 allow tcp from 10.1.1.28 to any setup keep-state
> 01100        0           0 allow tcp from 10.16.10.84 to any setup keep-state
> 01150   401205   276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
> 01200   245718    44249729 allow udp from 10.1.1.28 to any keep-state
> 01300  5876930   239194755 allow tcp from any to any established
> 01400        0           0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
> 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
> 01600    80945    61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
> 01700        0           0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
> 01800   149642    97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
> 01900      140        7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
> 02000  1677982    89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
> 02100     8996      432096 deny tcp from any to any setup
> 02200   244111    24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
> 02300        0           0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
> 65535     4610     1422974 deny ip from any to any
>
> I use FreeBSD 8.2:
> FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
>
> the problem started after I added rule 01150

So you do have a stateful rule for ssh.
Putting stateful rules on services is risky because you always open yourself to DOS, either intentionally or by accident. Every stateful access requires resources from a limited pool. You can look at this pool information with:

    sysctl net.inet.ip.fw | grep dyn

man ipfw describes them in the "SYSCTL VARIABLES" section.

I am wondering why you want a stateful rule for this. It's very risky and it looks like you are getting bitten, either by accident or a deliberate effort to DOS you. I suspect the former.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
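The check Kevin suggests above, turned into a script, as an added example for this thread (it is not code from the original mail or from FreeBSD). It reads the output of `sysctl net.inet.ip.fw`, compares `net.inet.ip.fw.dyn_count` (dynamic states currently installed) against `net.inet.ip.fw.dyn_max` (the cap on the pool), and reports the relevant lifetimes. The sysctl names are real ipfw knobs; the sample output embedded below is constructed for the example, with values matching the usual FreeBSD 8.x defaults, and is not from the poster's machine.

```shell
#!/bin/sh
# ipfw_dyn_check.sh -- how full is ipfw's dynamic (keep-state) rule table?
# Added example for this thread; not the poster's or FreeBSD's own code.
#
# Usage:  ./ipfw_dyn_check.sh --live      # run against the local kernel
#         ./ipfw_dyn_check.sh             # run against the constructed sample

# dyn_report: read "name: value" sysctl lines on stdin and print one line:
#   count=<installed states> max=<pool size> pct=<percent used> ack=.. syn=.. fin=.. udp=..
# The lifetimes (seconds) say how long a state lingers after the last packet;
# a high count with a long ack lifetime usually means many half-dead sessions.
dyn_report() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count"        { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max"          { max   = $2 }
        $1 == "net.inet.ip.fw.dyn_ack_lifetime" { ack   = $2 }
        $1 == "net.inet.ip.fw.dyn_syn_lifetime" { syn   = $2 }
        $1 == "net.inet.ip.fw.dyn_fin_lifetime" { fin   = $2 }
        $1 == "net.inet.ip.fw.dyn_udp_lifetime" { udp   = $2 }
        END {
            if (max == "" || max == 0) { print "error: dyn_max not found"; exit 1 }
            pct = int(100 * count / max)
            printf "count=%d max=%d pct=%d ack=%s syn=%s fin=%s udp=%s\n",
                   count, max, pct, ack, syn, fin, udp
        }'
}

# dyn_state_full THRESHOLD: succeed (exit 0) when usage is at or above
# THRESHOLD percent (default 90). Once dyn_count reaches dyn_max, keep-state
# rules such as 01150 cannot install new states and new connections fail.
dyn_state_full() {
    threshold=${1:-90}
    pct=$(dyn_report | sed -n 's/.* pct=\([0-9]*\).*/\1/p')
    [ -n "$pct" ] && [ "$pct" -ge "$threshold" ]
}

# Constructed sample (NOT real output from the poster's host): a table that has
# hit its cap. The lifetimes are the stock FreeBSD 8.x defaults.
SAMPLE_FULL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1'

if [ "${1:-}" = "--live" ]; then
    sysctl net.inet.ip.fw | dyn_report
    if sysctl net.inet.ip.fw | dyn_state_full 90; then
        echo "WARNING: dynamic rule table nearly or completely full"
    fi
else
    printf '%s\n' "$SAMPLE_FULL" | dyn_report
fi
```

If the live report shows `pct` near 100 while the box is "stuck", the state pool is the bottleneck. `ipfw -d show` lists the installed dynamic rules, so you can see whether they are all SSH probes. Since rule 01300 already allows `established` traffic, a stateless `allow tcp from any to 10.1.1.28 dst-port 22 setup` would admit SSH without consuming a state per scanner; if state tracking is wanted anyway, ipfw's `limit src-addr N` option caps the number of states one source can hold, which is what a brute-force scanner would otherwise exhaust.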