Date:      Sat, 24 Mar 2012 20:30:34 +0700
From:      "nyoman.bogi@gmail.com" <nyoman.bogi@gmail.com>
To:        Kevin Oberman <kob6558@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: firewall stuck
Message-ID:  <CAJsxnXbVgA1PR34wHVD9cHTsZZKZUahftRhEv47%2BJwMkEiMGOQ@mail.gmail.com>
In-Reply-To: <CAN6yY1tQjS_g5C12JSvYWSV75_aSMDbmXsiEX4wnrqthCDvWgg@mail.gmail.com>
References:  <CAJsxnXY7aHNf7dvG%2BQLVqziWQe8HLHbFbttN-vNsai-MbOVCMA@mail.gmail.com> <CAN6yY1v1O9QiN3bAZ3jPJvzX=xsLAauSXJJjwhrZPYSnBfK_uw@mail.gmail.com> <CAJsxnXaXG_9UV-MTeij=PSY4e0abKbmqW6QMWMph9UUTTCNMRg@mail.gmail.com> <CAN6yY1tQjS_g5C12JSvYWSV75_aSMDbmXsiEX4wnrqthCDvWgg@mail.gmail.com>

On Thu, Mar 15, 2012 at 11:47 AM, Kevin Oberman <kob6558@gmail.com> wrote:

> Please don't top post. It makes following the thread very difficult.
> (Yes, I know too many MUAs make this difficult.)
>
> > On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman <kob6558@gmail.com> wrote:
> >>
> >> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com
> >> <nyoman.bogi@gmail.com> wrote:
> >> > Dear guru,
> >> >
> >> > Every time I open my firewall to allow SSH connections from the Internet,
> >> > after a few days my firewall always gets stuck. Stuck here means
> >> > that it denies all requests (deny any from any).
> >> > After I "ipfw disable firewall" and then "ipfw enable firewall",
> >> > everything works fine.
> >> >
> >> > When I checked /var/log/messages I found lots of attempts by
> >> > people trying to connect to my machine.
> >> > Why does my machine get stuck when lots of people try to SSH to my machine?
> >>
> >> We need a bit more information, especially your ipfw configuration. Is
> >> it a stateful firewall? It sounds a lot like your state table might
> >> be filling for some reason. Of course, if it is not a stateful
> >> firewall, that idea is probably wrong, though it could be a
> >> misconfiguration of some stateful rule that is inadvertently catching
> >> the SSH attempts.
> >>
> >> Have you done an 'ipfw show' to see what rules are being matched? It
> >> may or may not provide a clue.
> >> --
> >> R. Kevin Oberman, Network Engineer
> >> E-mail: kob6558@gmail.com
> On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi@gmail.com
> <nyoman.bogi@gmail.com> wrote:
> > Thanks Kevin,
> > This is my "ipfw show":
> >
> > 00100  4352617  2413620288 allow ip from any to any via lo0
> > 00200        0           0 deny ip from any to 127.0.0.0/8
> > 00300        0           0 deny ip from 127.0.0.0/8 to any
> > 00400        0           0 deny ip from any to ::1
> > 00500        0           0 deny ip from ::1 to any
> > 00600    54387     5454184 allow icmp from any to any
> > 00700  3142231  1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
> > 00800  4659459  4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
> > 00900        0           0 check-state
> > 01000   137997    89083135 allow tcp from 10.1.1.28 to any setup keep-state
> > 01100        0           0 allow tcp from 10.16.10.84 to any setup keep-state
> > 01150   401205   276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
> > 01200   245718    44249729 allow udp from 10.1.1.28 to any keep-state
> > 01300  5876930   239194755 allow tcp from any to any established
> > 01400        0           0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
> > 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
> > 01600    80945    61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
> > 01700        0           0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
> > 01800   149642    97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
> > 01900      140        7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
> > 02000  1677982    89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
> > 02100     8996      432096 deny tcp from any to any setup
> > 02200   244111    24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
> > 02300        0           0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
> > 65535     4610     1422974 deny ip from any to any
> >
> > I use FreeBSD 8.2:
> > FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
> >
> > The problem started after I added rule 01150.
>
> So you do have a stateful rule for ssh. Putting stateful rules on
> services is risky because you always open yourself to DOS, either
> intentionally or by accident. Every stateful access requires resources
> from a limited pool. You can look at this pool information with:
> sysctl net.inet.ip.fw | grep dyn
> man ipfw describes them in the "SYSCTL VARIABLES" section.
>
> I am wondering why you want a stateful rule for this. It's very risky
> and it looks like you are getting bitten, either by accident or a
> deliberate effort to DOS you. I suspect the former.
> --
> R. Kevin Oberman, Network Engineer
> E-mail: kob6558@gmail.com
>


Thanks a lot Kevin, your hint is really helpful.
I have changed the SSH connection to non-stateful.

Do you think I should change the HTTP connection to non-stateful also?


-- 
-------------------------------
Bogi Aditya
Sisfo - IMTelkom
http://bogi.blog.imtelkom.ac.id
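Added example (not part of the thread, and not Bogi's or Kevin's code): a small POSIX sh script that does the two checks Kevin's reply points at. First it reads "sysctl net.inet.ip.fw | grep dyn" output and reports how much of the dynamic-rule pool (net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max, both present on FreeBSD 8.x ipfw) is in use; second it scans "ipfw show" output for keep-state rules whose source is "any", which are the rules an outside burst of connections can exhaust the pool through. The sysctl sample is constructed (the numbers are made up to show a nearly full table); the ruleset sample is an excerpt of the "ipfw show" output quoted above. The 90% threshold is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example: audit ipfw's dynamic-rule pool and the stateful rules exposed
# to arbitrary sources. Function names and the 90% threshold are this
# example's own choices; the sysctl names are FreeBSD's.

# Constructed sample of "sysctl net.inet.ip.fw | grep dyn" (values invented
# to depict a state table that is almost full).
SAMPLE_DYN='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 4011
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1'

# Excerpt of the "ipfw show" output posted in the thread, used as sample
# input for the rule audit (counters exactly as posted).
SAMPLE_RULES='01000   137997    89083135 allow tcp from 10.1.1.28 to any setup keep-state
01150   401205   276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
01300  5876930   239194755 allow tcp from any to any established
01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
01700        0           0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
02100     8996      432096 deny tcp from any to any setup
02200   244111    24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state'

# dyn_value NAME -- print the value of net.inet.ip.fw.NAME from sysctl
# output on stdin (sysctl prints "name: value").
dyn_value() {
    awk -v key="net.inet.ip.fw.$1:" '$1 == key { print $2; exit }'
}

# dyn_usage_pct -- read sysctl output on stdin and print the integer
# percentage of dyn_max currently occupied (dyn_count * 100 / dyn_max).
# Prints 0 and fails if either value is missing.
dyn_usage_pct() {
    input=$(cat)
    count=$(printf '%s\n' "$input" | dyn_value dyn_count)
    max=$(printf '%s\n' "$input" | dyn_value dyn_max)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# dyn_status PCT THRESHOLD -- "full" when usage is at or above the
# threshold, otherwise "ok".
dyn_status() {
    if [ "$1" -ge "$2" ]; then echo full; else echo ok; fi
}

# exposed_stateful_rules -- from "ipfw show" output on stdin, print the
# numbers of keep-state rules whose source is "any". Every new flow that
# matches one of them takes an entry from the dynamic pool, so these are
# the rules through which unsolicited connection attempts consume it.
exposed_stateful_rules() {
    awk '/keep-state/ && / from any to / { print $1 }'
}

# On the firewall itself the live form would be:
#   sysctl net.inet.ip.fw | dyn_usage_pct
#   ipfw show | exposed_stateful_rules
# Here the constructed samples are used instead.
pct=$(printf '%s\n' "$SAMPLE_DYN" | dyn_usage_pct)
echo "dynamic rules in use: ${pct}% of dyn_max -> $(dyn_status "$pct" 90)"
echo "keep-state rules open to any source:"
printf '%s\n' "$SAMPLE_RULES" | exposed_stateful_rules
```

Reading the sample ruleset this way flags 01150, 01500 and 02200, which matches the thread: rule 01150 is the one whose addition preceded the lockups. Raising net.inet.ip.fw.dyn_max enlarges the pool but leaves the exposure Kevin describes in place; the change Bogi made (dropping keep-state from the SSH rule and letting rule 01300's "established" match carry the rest of each connection) removes it for that service, and the same reasoning applies to the HTTP rule asked about above. That rule shape is an inference from the quoted ruleset, not a command given in the thread.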


