Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 10 Feb 2002 17:43:34 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        freebsd-net@freebsd.org
Subject:   Possible bug in ip_fw stateful rule stuff
Message-ID:  <3C6721C6.9080904@tenebras.com>
next in thread | raw e-mail | index | archive | help 
Running ipfw w/natd,  connections through the gateway are dying.  Two dynamic
rules get instantiated for each connection through the gateway -- one
with NAT'd addresses and one revealing the private addresses

$on = external net = X.Y.Z/24
$in = internal net = A.B.C/24  (192.168.1.0/24)

the external IP is X.Y.Z.23
the internal IP is A.B.C.1

firewall rules:

[some static rules...]

$fw add divert natd ip from any to any via $external_interface

$fw add check-state

$fw add allow tcp from $in to any setup keep-state
$fw add allow udp from $in to any keep-state

$fw add allow tcp from $on to any setup keep-state
$fw add allow udp from $on to any keep-state


An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic rules
to appear:


02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22

Note 02400 -- this connection timer seems to indicate that it is waiting for
a completed 3-way handshake and hasn't seen the other SYN.  The connection dies
because the time counts down.  The timer for 02200 doesn't count down because
the keep-alives are resetting it.

Any insight as to why this is happening?  Seems like a bug in the state machine.
I could be convinced otherwise, but it seems that these two rules should
see the connection as being in the same state -- they both see the same
packets.  BTW, I could simplify this by safely allowing


$fw add divert natd ip from any to any via $external_interface

$fw add check-state

$fw add allow ip from $in to any
$fw add allow ip from any to $in

$fw add allow tcp from $on to any setup keep-state
$fw add allow udp from $on to any keep-state

But the dynamic rule on the public side still seem to be using
net.inet.ip.fw.dyn_syn_lifetime instead of net.inet.ip.fw.dyn_ack_lifetime.

Comments?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C6721C6.9080904>