From owner-freebsd-net@FreeBSD.ORG Fri Apr 20 23:13:09 2012
Delivered-To: freebsd-net@freebsd.org
Date: Fri, 20 Apr 2012 16:13:07 -0700
From: Kevin Oberman
To: "Dmitry S. Kasterin"
Cc: freebsd-net@freebsd.org, Michael Sierchio
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Apr 20, 2012 at 11:55 AM, Dmitry S. Kasterin wrote:
>> Thank you for the "allow tcp from me to any established" rule,
>> I'll give it a try later.
>
> Ok, I've tested this - no oddity/"frozen" connection. As expected.
> This is an excerpt from the ruleset (ipfw show):
>
> 00101  4759  2588637 allow tcp from any to any established
> 00102   206    12360 allow tcp from me to any setup
>
> 00777     0        0 deny log logamount 16 ip from any to any

When you use 'established', you are depending on TCP to maintain state,
which it does all the time. There were some attacks involving sequence
number "guessing" which were once not really randomized, but, at least on
FreeBSD and most current systems, these are now generated by a good random
number generator and are essentially impossible to guess. I have not heard
of any use of this attack for several years and then on systems with
broken PRNGs. I think the problem probably was fixed over 5 years ago.

>> I didn't change anything. Quite possible dyn_fin_lifetime is too
>> small. I'll try to raise it.
>
> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4
>
> The situation is better, but I am still having troubles with "heavy"
> sites (images, JS and so on; for example -
> http://cnx.org/content/m16336/latest/ ).
> And still I can see odd packets from "deny log all from any to any" rule:
>
> 15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 3948689318, ack 1903284725, ...
> 15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 0, ack 1, ...
> 15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq
> 1, ack 0, ...
> 15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 0, ack 1, ...
>
> 15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq
> 3534903525, ack 108808080, ...
> 15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq
> 0, ack 1, ...
>
> 15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq
> 3277652538, ack 2683877393, ...
> 15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq
> 1, ack 0, ...

The thing that jumps out is that all of the blocked packets are FIN
packets. I am not sure why they are being denied as they have FIN+ACK and
that should meet the requirements for 'established'. Are you seeing a
large number of TCP sessions in partially closed states?

I don't recall if you mentioned it, but what version of FreeBSD are you
running?

If you have not done so, I urge you to read the firewall(7) man page. It
discusses firewall design and implementation with IPFW. Also, if you
choose to use stateful TCP filtering, it is probably best to do it in the
manner shown in the ipfw(8) man page under DYNAMIC RULES. This is very
different from the way you did it.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
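Kevin's observation that every packet hitting the deny rule is a FIN/ACK can be checked mechanically rather than by eye. The Python script below is an added example and is not code from this thread, from FreeBSD or from ipfw: it parses tcpdump-style lines like the ones Dmitry quoted (the sample input is constructed from those lines, with the fields the post elided kept as "..."), groups them by TCP flow, counts FIN retransmissions per direction, and lists the flows whose teardown lasted longer than a given net.inet.ip.fw.dyn_fin_lifetime value, so the deny log can be re-checked after each sysctl change. All function and variable names are my own.

```python
"""Triage ipfw 'deny log' hits that tcpdump shows as FIN/ACK packets.

Added example (not from the thread): groups denied packets by TCP flow and
reports whether a flow's denied traffic is purely connection teardown and
how long that teardown dragged on, for comparison with dyn_fin_lifetime.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: the tcpdump lines quoted in the thread, re-joined
# onto single lines. "w.x.y.z" is the poster's placeholder for the local host
# and "..." stands for the trailing fields the post left out.
SAMPLE_LOG = """\
15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...
15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
"""

# tcpdump -n style line: timestamp, "IP", host.port > host.port:, Flags [..], seq, ack
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+), ack (?P<ack>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # tcpdump flag letters (S, F, R, P, U, E, W); '.' means ACK
    seq: int
    ack: int


def _seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str):
    """Return a Packet for a tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(_seconds(m["ts"]), m["src"], int(m["sport"]), m["dst"],
                  int(m["dport"]), m["flags"], int(m["seq"]), int(m["ack"]))


def parse_log(text: str) -> list:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def flow_key(p: Packet) -> tuple:
    """Direction-independent 4-tuple so both halves of a connection group together."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def summarize_flows(text: str) -> dict:
    """Per-flow statistics over the denied packets in a tcpdump text."""
    flows = defaultdict(list)
    for p in parse_log(text):
        flows[flow_key(p)].append(p)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        fin_by_dir = Counter((p.src, p.sport) for p in pkts if "F" in p.flags)
        out[key] = {
            "packets": len(pkts),
            "all_fin": all("F" in p.flags for p in pkts),
            "both_sides_fin": len(fin_by_dir) == 2,
            # tcpdump switches to relative numbers after the first line it sees
            # for a flow, so a repeated "seq 0" is the same unacknowledged FIN
            # being retransmitted: every FIN after the first per direction
            # counts as a retransmit.
            "fin_retransmits": sum(n - 1 for n in fin_by_dir.values()),
            "span_seconds": round(pkts[-1].ts - pkts[0].ts, 6),
        }
    return out


def teardown_flows_longer_than(summaries: dict, fin_lifetime: float) -> list:
    """Flows whose denied packets are all FIN/ACK and whose teardown lasted
    longer than fin_lifetime seconds, i.e. longer than one dyn_fin_lifetime
    timer could have covered."""
    return sorted(k for k, s in summaries.items()
                  if s["all_fin"] and s["span_seconds"] > fin_lifetime)


if __name__ == "__main__":
    summaries = summarize_flows(SAMPLE_LOG)
    for key, s in summaries.items():
        print(key, s)
    print("teardowns longer than dyn_fin_lifetime=4:",
          teardown_flows_longer_than(summaries, 4))
```

The parser expects tcpdump output of the kind shown in the thread, not ipfw's own syslog line format, which is laid out differently. To reuse it on a live box, capture the packets that match the deny rule with tcpdump and feed that text to summarize_flows; comparing the span_seconds values against the current dyn_fin_lifetime tells you whether the late FINs are still arriving after the dynamic state's FIN timer would have expired.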