Date: Wed, 13 Sep 2000 13:17:29 +0400 (MSD)
From: "Andrey V. Sokolov" <abc@nns.ru>
To: freebsd-security@freebsd.org
Subject: ipf & keep state

Hello!

We have a router running FreeBSD 4.1-RELEASE with two ethernet cards (ep0 and xl0). We have the WWW server connected to the router via xl0. The router is connected to the ISP via ep0. To let everyone visit our WWW server we have the following ipf rules for ep0:

    ...
    block in log quick on ep0 all head 10
    pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
    ...

But some types of packets are dropped by ipfilter within a legal session!

    router# ipmon
    ...
    13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
    ...

Can anybody tell me how to fix it?

IMHO, ipfilter treats the session as finished after passing the first FIN+ACK packet in the session, and forgets to pass the corresponding ACK and FIN+ACK packets for a correct finish of the session.

Thanks.
Andrey.
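One way to check the poster's hypothesis from the log rather than by eye: an added example (not from the post or from ipfilter itself) that parses lines in the ipmon format quoted above and classifies every blocked TCP packet to port 80 by its flags, so that teardown packets (FIN/RST) and mid-session ACKs of an already-forgotten state entry can be counted separately from bare SYNs that the rule set blocks on purpose. The sample lines are constructed from the ones in the post plus one bare SYN from a low source port; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample: the five ipmon lines from the post plus one bare SYN
# from source port 512, which the "port > 1023" rule is expected to block.
SAMPLE_LOG = """\
13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:55.000001 ep0 @0:3 b 10.0.0.5,512 -> A.B.C.D,80 PR tcp len 20 60 -S IN
"""

# Shape of the lines quoted in the post:
# date time iface @group:rule action src,sport -> dst,dport PR proto len hlen total [-flags] dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[ASFPRU]+))? (?P<dir>IN|OUT)$"
)

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""   # non-TCP lines carry no flag field
    return rec

def classify(rec):
    """Label a blocked TCP packet by where it sits in the connection's lifetime."""
    f = rec["flags"]
    if "S" in f and "A" not in f:
        return "new_connection"   # bare SYN: blocking it is what the rules intend
    if "F" in f or "R" in f:
        return "teardown"         # FIN/RST of a session whose state entry is already gone
    return "established_ack"      # ACK/data without SYN: also a mid-session packet

def summarize_blocks(log_text, dport="80"):
    """Count blocked TCP packets to dport by classification."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "b" and rec["proto"] == "tcp" and rec["dport"] == dport:
            counts[classify(rec)] += 1
    return counts
```

A log where almost every block on the head rule is "teardown" or "established_ack" rather than "new_connection" is exactly the pattern the post describes: the state table has closed the entry before the peer's final ACK and FIN+ACK arrived.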