From owner-freebsd-security Wed Sep 13 3:19:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 2797337B423 for ; Wed, 13 Sep 2000 03:19:25 -0700 (PDT)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id VAA15136; Wed, 13 Sep 2000 21:15:37 +1100 (EST)
From: Darren Reed
Message-Id: <200009131015.VAA15136@cairo.anu.edu.au>
Subject: Re: ipf & keep state
To: abc@nns.ru (Andrey V. Sokolov)
Date: Wed, 13 Sep 2000 21:15:37 +1100 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Andrey V. Sokolov" at Sep 13, 2000 01:17:29 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Andrey V. Sokolov, sie said:
>
> Hello!
> We have a router running under FreeBSD 4.1-RELEASE, with two ethernet
> cards (ep0 and xl0). We have the WWW server connected to the router
> via xl0. The router is connected to the ISP via ep0. To let everyone visit
> our WWW we have the following ipf rules for ep0:
> ...
> block in log quick on ep0 all head 10
> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
> ...
>
> But some types of packets are dropped by ipfilter within a legal session!
>
> router# ipmon
> ...
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> ...
>
> Can anybody tell me how to fix it?
>
> IMHO, ipfilter treats the session as finished after passing the first
> FIN+ACK packet in the session, and forgets to pass the corresponding ACK
> and FIN+ACK packets for a correct finish of the session.

More than likely it has received an RST from the web server too.

You can try adjusting the timeouts using sysctl.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
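As an added example, not code from this thread or from ipfilter itself: the script below parses ipmon lines in the layout quoted above, sorts each blocked segment by its TCP flags (a refused SYN is the policy working; FIN, RST or a bare ACK with no SYN is a session the state table no longer knows), and then models a keep-state table whose post-FIN timeout decides whether the late FIN+ACK of a close is still matched. The two extra log lines, the 192.0.2.x and 203.0.113.x addresses and the timeout values are constructed for the example; the state table is a simplified model and does not reproduce ipf's implementation or its real timeout defaults.

```python
"""Triage the blocked-packet lines an ipmon log produces when a stateful
filter drops the tail of a TCP close, and model the timeout that decides it."""
import re
from collections import Counter

# One ipmon line in the layout shown in the post:
#   date time ifname @group:rule action src,sport -> dst,dport PR proto len hlen plen -FLAGS DIR
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPU]+))?\s+(?P<dir>IN|OUT)$"
)

# The five lines quoted in the post, plus two constructed ones (a refused SYN
# and a lost mid-stream data segment) so every classification branch is exercised.
SAMPLE_LOG = [
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN",
    "13/09/2000 12:35:01.000001 ep0 @0:3 b 198.51.100.9,4000 -> A.B.C.D,23 PR tcp len 20 60 -S IN",     # constructed
    "13/09/2000 12:35:02.000001 ep0 @0:3 b 198.51.100.9,4001 -> A.B.C.D,80 PR tcp len 20 1500 -AP IN",  # constructed
]


def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""
    return rec


def classify(rec):
    """Say what kind of TCP segment a blocked line was, judged by its flags alone."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    f = rec["flags"]
    if "S" in f and "A" not in f:
        return "new-connection"    # a SYN the rule set refused: the policy working as written
    if "R" in f or "F" in f or f == "A":
        return "teardown-segment"  # FIN, RST or bare ACK with no state entry left to match
    return "mid-stream"            # data segment (e.g. -AP) whose state entry was lost mid-flow


def triage(lines):
    """Count blocked lines per class; 'all teardown' is the pattern in the post."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec is not None and rec["action"] == "b":
            counts[classify(rec)] += 1
    return dict(counts)


class StateTable:
    """Toy model of a 'keep state' table (not ipf's implementation): a passed SYN
    creates an entry that lives idle_timeout seconds; once a FIN or RST is seen the
    entry is closing and each further packet renews it only for close_timeout."""

    def __init__(self, idle_timeout, close_timeout):
        self.idle_timeout = idle_timeout
        self.close_timeout = close_timeout
        self.entries = {}  # flow key -> {"expires": seconds, "closing": bool}

    @staticmethod
    def key(src, sport, dst, dport):
        return frozenset([(src, sport), (dst, dport)])  # same key in both directions

    def packet(self, now, src, sport, dst, dport, flags):
        """Return 'pass' or 'block' for one segment arriving at time now (seconds)."""
        self.entries = {k: e for k, e in self.entries.items() if e["expires"] > now}
        k = self.key(src, sport, dst, dport)
        e = self.entries.get(k)
        if e is None:
            if flags == "S":  # only a fresh SYN may create state (the 'flags S' rule)
                self.entries[k] = {"expires": now + self.idle_timeout, "closing": False}
                return "pass"
            return "block"    # no matching state: this is what the ipmon lines show
        if "F" in flags or "R" in flags:
            e["closing"] = True
        e["expires"] = now + (self.close_timeout if e["closing"] else self.idle_timeout)
        return "pass"


def simulate_close(close_timeout, client_fin_delay):
    """Handshake and one HTTP exchange, server closes first, client's FIN+ACK follows
    client_fin_delay seconds later; return the filter's verdict on that late FIN+ACK."""
    table = StateTable(idle_timeout=3600, close_timeout=close_timeout)
    client = ("203.0.113.5", 2854)  # constructed documentation-range addresses
    server = ("192.0.2.80", 80)
    table.packet(0.0, *client, *server, "S")
    table.packet(0.1, *server, *client, "SA")
    table.packet(0.2, *client, *server, "A")
    table.packet(0.3, *client, *server, "AP")  # request
    table.packet(0.5, *server, *client, "AP")  # response
    table.packet(1.0, *server, *client, "AF")  # server closes first
    table.packet(1.1, *client, *server, "A")   # client acknowledges the FIN
    return table.packet(1.1 + client_fin_delay, *client, *server, "AF")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for close_timeout in (2, 30):
        print("close_timeout=%ss:" % close_timeout, simulate_close(close_timeout, client_fin_delay=5))
```

Run against the quoted log, `triage` reports all five blocks as teardown segments and none as refused SYNs, which is the check worth doing before touching anything: the rule set is not rejecting clients, the state entries are simply gone by the time the last ACK or FIN+ACK arrives. The simulation shows the same event from the table's side, with the late FIN+ACK blocked under a short post-FIN timeout and passed under a longer one; lengthening that timeout quietens the log at the cost of keeping half-closed entries around longer.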