Date:      Wed, 13 Sep 2000 21:15:37 +1100 (Australia/NSW)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        abc@nns.ru (Andrey V. Sokolov)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipf & keep state
Message-ID:  <200009131015.VAA15136@cairo.anu.edu.au>
In-Reply-To: <Pine.BSF.4.21.0009131235520.376-100000@localhost> from "Andrey V. Sokolov" at Sep 13, 2000 01:17:29 PM

In some mail from Andrey V. Sokolov, sie said:
> 
> Hello!
> We have a router running under FreeBSD 4.1-RELEASE, with two ethernet
> cards (ep0 and xl0). We have the WWW-server connected to the router
> via xl0. The router is connected to the ISP via ep0. To let everyone visit
> our WWW we have the following ipf rules for ep0:
> ...
> block in log quick on ep0 all head 10
> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port
> = 80 flags S keep state group 10
> ...
> 
> But some types of packets are dropped by ipfilter within a legal session!
> 
> router# ipmon
> ...
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 ->
> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 ->
> A.B.C.D,80 PR tcp len 20 10240 -A IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 ->
> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 ->
> A.B.C.D,80 PR tcp len 20 10240 -R IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 ->
> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> ...
> 
> Can anybody tell me how to fix it?
> 
> IMHO, ipfilter treats the session as finished after passing the first
> FIN+ACK packet in the session, and forgets to pass the corresponding ACK
> and FIN+ACK packets for a correct finish of the session.

More than likely it has received an RST from the web server too.
You can try adjusting the timeouts using sysctl.

Darren
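Darren's reply points at the state-table timeouts; before tuning sysctls it is worth confirming from the logs that the only segments being dropped are close-phase ones (FIN, RST, or the bare ACK that ends a close), which is the pattern Andrey's log shows. The following is an added example, not code from this thread or from IPFilter: a small Python parser for the one-line ipmon record format quoted above, with a classifier that sorts blocked TCP packets by connection phase. The five quoted records are rejoined onto single lines (the mail client wrapped them); the two extra records, the field names and the phase labels are my own constructions.

```python
"""Classify blocked packets in ipmon(8) output by TCP flag set.

Added example (not from the original thread or from IPFilter): parses
ipmon records in the format quoted in the message above and reports
whether the packets ipfilter dropped belong to the connection-teardown
phase (FIN/RST or bare ACK), the symptom the thread is about.
"""
import re
from collections import Counter

# Field layout of a one-line ipmon record, as in the quoted log:
#   13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
# date time iface @group:rule action src,sport -> dst,dport PR proto len hdrlen totlen -flags dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAPUFR]+))?\s+(?P<direction>IN|OUT)\s*$"
)

# The five records quoted in the thread, rejoined onto one line each.
QUOTED_LOG = [
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN",
]

# Constructed records (not from the thread) to show the classifier telling
# a mid-connection data segment and a blocked SYN apart from teardown.
EXTRA_LOG = [
    "13/09/2000 12:35:01.100000 ep0 @0:3 b 192.0.2.10,40001 -> A.B.C.D,80 PR tcp len 20 1500 -AP IN",
    "13/09/2000 12:35:02.200000 ep0 @0:3 b 192.0.2.11,40002 -> A.B.C.D,22 PR tcp len 20 60 -S IN",
]


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""          # non-TCP records carry no flag field
    for key in ("sport", "dport", "hlen", "plen", "group", "rule"):
        rec[key] = int(rec[key])
    return rec


def classify_flags(flags):
    """Map a TCP flag string (ipmon letters) to the connection phase it belongs to."""
    if "S" in flags:
        return "handshake"   # SYN or SYN/ACK: connection setup
    if "R" in flags or "F" in flags:
        return "teardown"    # FIN or RST: close or abort
    if flags == "A":
        return "ack-only"    # bare ACK, typically the last ACK of a close
    return "data"            # PSH/ACK and similar mid-connection segments


def summarise_blocks(lines, dport=80):
    """Count blocked TCP packets to dport by connection phase."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["action"] != "b" or rec["proto"] != "tcp":
            continue
        if rec["dport"] != dport:
            continue
        counts[classify_flags(rec["flags"])] += 1
    return counts


def teardown_only(counts):
    """True when every blocked packet is a FIN/RST or bare ACK, the pattern
    expected when the state entry is gone before the close has completed."""
    return (sum(counts.values()) > 0
            and counts["handshake"] == 0
            and counts["data"] == 0)


if __name__ == "__main__":
    summary = summarise_blocks(QUOTED_LOG)
    print(dict(summary))
    print("only close-phase segments blocked:", teardown_only(summary))
```

Run against the quoted records the summary is four teardown segments and one bare ACK with nothing from the handshake or data phases, which is consistent with the state entry having been closed or expired before the final segments of each session arrived. If handshake or data segments also show up as blocked, the problem lies elsewhere than the close-phase timeouts. The parser expects ipmon's single-line format, so records wrapped by a mail client have to be rejoined first.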
