Date:      Thu, 28 Oct 2004 03:40:34 GMT
From:      Giorgos Keramidas <keramida@freebsd.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Message-ID:  <200410280340.i9S3eYGw062684@freefall.freebsd.org>

The following reply was made to PR kern/73202; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: David Haworth <dave@fyonn.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Date: Thu, 28 Oct 2004 06:34:57 +0300

 On 2004-10-27 22:20, David Haworth <dave@fyonn.net> wrote:
 > You're quite right, I should have pointed out that the firewall ruleset was
 > completely unchanged from the 5.1 config. I don't really want to post my
 > firewall config to a public forum so I'll enclose a suitably edited version.
 >
 > This config worked fine with 5.1 and caused no problems.
 
 I think you have problems because of the unmatched `in' rules for some
 services that you make visible from outside.  I call these rules `unmatched'
 because there is no matching `out' rule to let the replies get out too:
 
 > block in log on vr0
 > block in log quick all with ipopts
 > block in quick all with frag
 > block in quick all with short
 > block in quick on vr0 proto tcp from any to any port = 135
 > [...]
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http
 > [...]
 
 This means that incoming packets for these ports are unconditionally allowed
 to pass through.  Nothing is said about outgoing packets, so the default
 policy is assumed.  You haven't set the default `out' policy for interface vr0
 in your ruleset so this can be either `pass' (the default) or `block' (if you
 have compiled your kernel with IPFILTER_DEFAULT_BLOCK).
 
 A few rules further down you have:
 
 > pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
 > pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
 
 Your problems are very probably caused by this mixing of stateless and
 stateful rules.  Combined with the fact that you don't cover *all* possible
 cases of packets, this can be tricky.
 
 Try converting the stateless rules to stateful, i.e. replace this:
 
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http
 
 with something like this:
 
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp keep state
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http keep state
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http keep state
 
 Let us know if that fixes the problems you're seeing.
 
 Regards,
 Giorgos.
 
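The following is an added illustration, not code from the thread or from IPFilter: a small Python model of how ipf evaluates the quoted rules. It reproduces only the behaviour the reply relies on (rules checked in order, last match wins unless `quick`, `keep state` on a passing rule records the connection so later packets in both directions pass without consulting the rule list, and an unmatched packet gets the default policy, which is `block` under IPFILTER_DEFAULT_BLOCK). It runs the three quoted `pass in` rules, first as written and then with `keep state` appended, through a client's SYN, the server's SYN/ACK and the client's ACK; the later `pass out ... keep state` rule is deliberately left out so that the dependence of the reply on the default `out` policy is visible. The addresses are constructed (RFC 5737 ranges), and ipf's TCP sequence tracking and fragment handling are not modelled.

```python
"""Toy model of IPFilter rule evaluation (added illustration, not ipf code)."""
from dataclasses import dataclass
from typing import Optional

PORTS = {"smtp": 25, "http": 80}  # names ipf would resolve via /etc/services

# Constructed documentation addresses standing in for $local_ip1 / $local_ip2.
MACROS = {"local_ip1": "192.0.2.10", "local_ip2": "192.0.2.11"}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # a bare SYN, what ipf's `flags S` selects


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags_s: bool = False
    keep_state: bool = False


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the quoted ruleset."""
    toks = [MACROS[t[1:]] if t.startswith("$") else t for t in text.split()]
    rule = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick, i = True, i + 1
        elif t in ("log", "all"):
            i += 1                              # no effect on matching here
        elif t == "on":
            rule.iface, i = toks[i + 1], i + 2
        elif t == "proto":
            rule.proto, i = toks[i + 1], i + 2  # may be "tcp/udp"
        elif t in ("from", "to"):
            addr = None if toks[i + 1] == "any" else toks[i + 1]
            setattr(rule, "src" if t == "from" else "dst", addr)
            i += 2
        elif t == "port":                       # "port = <name-or-number>"
            v = toks[i + 2]
            rule.dport, i = (PORTS[v] if v in PORTS else int(v)), i + 3
        elif t == "flags":
            rule.flags_s, i = toks[i + 1] == "S", i + 2
        elif t == "keep":                       # "keep state" / "keep frags"
            rule.keep_state, i = rule.keep_state or toks[i + 1] == "state", i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text}")
    return rule


class Firewall:
    def __init__(self, rules, default_block=False):
        self.rules = [parse_rule(r) for r in rules]
        self.default_block = default_block      # IPFILTER_DEFAULT_BLOCK analogue
        self.states = set()                     # connections recorded by `keep state`

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        protos = r.proto.split("/") if r.proto else None
        return (r.direction == p.direction and r.iface in (None, p.iface)
                and (protos is None or p.proto in protos)
                and r.src in (None, p.src) and r.dst in (None, p.dst)
                and r.dport in (None, p.dport) and (not r.flags_s or p.syn_only))

    def filter(self, p: Packet) -> str:
        """Verdict for one packet; records state when the winning rule asks for it."""
        conn = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if conn in self.states:                 # either direction of a known connection
            return "pass (state)"
        winner = None
        for r in self.rules:                    # last match wins unless `quick`
            if self._matches(r, p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "block (default)" if self.default_block else "pass (default)"
        if winner.action == "pass" and winner.keep_state:
            self.states.add(conn)
        return winner.action


STATELESS = [
    "block in log on vr0",
    "pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp",
    "pass in quick on vr0 proto tcp from any to $local_ip1 port = http",
    "pass in quick on vr0 proto tcp from any to $local_ip2 port = http",
]
STATEFUL = [r + " keep state" if r.startswith("pass") else r for r in STATELESS]


def http_handshake(rules, default_block):
    """Run SYN in, SYN/ACK out and ACK in for an HTTP connection to $local_ip1."""
    fw = Firewall(rules, default_block)
    client, server = ("198.51.100.7", 40000), (MACROS["local_ip1"], 80)  # constructed
    return [
        fw.filter(Packet("in", "vr0", "tcp", *client, *server, syn_only=True)),
        fw.filter(Packet("out", "vr0", "tcp", *server, *client)),
        fw.filter(Packet("in", "vr0", "tcp", *client, *server)),
    ]


if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        for default_block in (False, True):
            print(f"{name:9s} default_block={default_block!s:5s} -> "
                  f"{http_handshake(rules, default_block)}")
```

With the rules as quoted, the server's SYN/ACK matches no `out` rule and is decided by the default policy alone, so the same ruleset works on a default-pass kernel and silently drops every reply on a default-block one. With `keep state` on the `in` rules, the client's SYN creates the state entry and the reply, and every later packet of that connection, passes on the state table regardless of the default policy, which is what the reply above proposes.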