From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 14 10:39:45 2006
From: Sébastien A. VALSEMEY <sebastien.valsemey@vsystems.eu>
Delivered-To: freebsd-ipfw@freebsd.org
Date: Wed, 14 Jun 2006 12:41:38 +0200
Message-ID: <004201c68f9f$1e5e8200$0da7a8c0@FR.B3W>
Subject: IPF and OOW problems
List-Id: IPFW Technical Discussions

Hello,

I am sorry about the cross-posting, but it seems I did not get any answer to my previous post on the freebsd-net mailing list.

> I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8.
>
>                  WAN_IP/32
>                      |
>                    tun0
>                      |
>                 |---------|
>                 | FreeBSD |
>                 |---------|
>                  /       \
>               xl0         xl1
>               /             \
>
>      192.168.0.0/24        DMZ_BLOCK/29
>
> I often experience such packet drops in my ipf logs (the following example is for an active upload
> on an FTP server located on the first IP of the DMZ network). My IPs have been voluntarily hidden
> for privacy purposes.
>
> ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
> ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW
>
> The packet drop occurs a few seconds after the beginning of the transfer, even allowing a few
> kilobytes to be uploaded, which means that the connection establishes well.
>
> On the other hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am
> systematically dropped with the same kind of OOW packet, I mean the connection is not even
> established.
>
> As ICMP is allowed on the whole network, I can traceroute and reach each host in the network,
> from inside and outside (except for the NATted LAN...). The IP masquerading for hosts located on
> the LAN works perfectly, as they can go on the Internet without any problem.
>
> When I add the two following lines to my ipf ruleset, everything runs smoothly (but insecure!):
> pass in quick all
> pass out quick all
>
> I heard that such problems occur with the same version of ipf on Solaris
> (http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens
> because of that.
>
> What did I do wrong?
>
> Thank you in advance for your help.
>
> Here are extracts from my main configuration files:
>
> [/etc/rc.conf]
> <... *snip*! ...>
> firewall_enable="NO"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall.rules"
> firewall_logging="YES"
> gateway_enable="YES"
> icmp_drop_redirects="YES"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0"
> ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipnat_enable="YES"
> ipnat_program="/sbin/ipnat"
> ipnat_rules="/etc/ipnat.rules"
> ipnat_flags=""
> ipmon_enable="YES"
> ipmon_program="/sbin/ipmon"
> ipmon_flags="-Ds"
> kern_securelevel="0"
> kern_securelevel_enable="NO"
> network_interfaces="lo0 xl0 xl1"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="My_ISP_PROFILE"
> <... *snip*! ...>
>
>
> [/etc/ipf.rules]
> # Allow localhost traffic
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # Allow all outgoing traffic from this gateway
> pass out quick on tun0 from any to any keep state
> pass out quick on tun0 proto tcp from any to any keep state
> pass out quick on xl0 from any to 192.168.0.0/24 keep state
> pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state
> pass out quick on xl1 from any to DMZ_BLOCK/29 keep state
> pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state
>
> # Allow ICMP traffic (for testing purposes)
> pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state
> pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state
> pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state
> pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state
> pass out quick proto icmp from any to any keep state
>
> # Allow FTP server
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state
> # This is for the passive ports range...
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state
>
> # Allow Terminal services
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state
>
> # Default
> block in log all
> block return-rst in log proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log proto udp from any to any
>
>
> [/etc/ipnat.rules]
> map tun0 192.168.0.0/24 -> WAN_IP/32
> map tun0 192.168.0.0/24 -> WAN_IP/32 portmap tcp/udp auto
>
>
> [KERNEL_CONFIG]
> device bpf
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
> options NETGRAPH
> options NETGRAPH_ETHER
> options NETGRAPH_PPP
> options NETGRAPH_PPPOE
> options NETGRAPH_SOCKET
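To triage OOW drops like the two ipmon lines quoted in the post, here is an added Python parser and counter (written for this page, not the poster's or ipfilter's code). It assumes the ipmon(8) line layout seen in the post; the sample input reuses the post's two lines with its placeholder addresses plus one constructed pass line for contrast.

```python
"""Parse ipmon(8) packet records and count out-of-window (OOW) state-table drops."""
import re
from collections import Counter

# Layout of the ipmon lines quoted in the post:
#   ipmon[pid]: time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags DIR [markers]
# Addresses are matched as opaque tokens so the post's placeholders (REMOTE_WAN_IP, DMZ_IP_1) parse too.
IPMON_RE = re.compile(
    r"ipmon\[(?P<pid>\d+)\]:\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\S+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\S+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)(?P<markers>.*)$"
)

# Constructed sample: first line is an invented 'pass' record, the other two are the post's OOW blocks.
SAMPLE_LOG = """\
ipmon[329]: 13:12:39.900000 tun0 @0:20 p REMOTE_WAN_IP,8600 -> DMZ_IP_1,21 PR tcp len 20 60 -S IN
ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW
"""


def parse_ipmon_line(line):
    """Return the parsed fields as a dict, or None if the line is not an ipmon packet record.
    search() rather than match() tolerates a syslog date/host prefix before 'ipmon[...]'."""
    m = IPMON_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""
    markers = rec.pop("markers").split()
    rec["oow"] = "OOW" in markers          # packet failed the state entry's TCP window check
    rec["blocked"] = rec["action"] == "b"
    return rec


def oow_blocks(log_text):
    """All blocked records that ipfilter tagged OOW, in log order."""
    recs = (parse_ipmon_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["blocked"] and r["oow"]]


def summarize_oow(log_text):
    """Count OOW drops per (iface, rule, dst, dport, proto) to see which rule and flow keep tripping."""
    return Counter((r["iface"], r["rule"], r["dst"], r["dport"], r["proto"]) for r in oow_blocks(log_text))


if __name__ == "__main__":
    for key, n in summarize_oow(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it the real ipmon output (the post's `ipmon_flags="-Ds"` sends records to syslog) to see whether OOW drops cluster on one rule and flow, as they do on rule @0:110 for the FTP data connection here.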