From owner-freebsd-security Wed Sep 13 6: 1:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gera.nns.ru (gera.nns.ru [195.230.79.10]) by hub.freebsd.org (Postfix) with ESMTP id 2217A37B422 for ; Wed, 13 Sep 2000 06:01:32 -0700 (PDT)
Received: from falcon.nns.ru (falcon.nns.ru [195.230.79.70]) by gera.nns.ru (8.9.3/8.9.3) with ESMTP id RAA77124; Wed, 13 Sep 2000 17:01:24 +0400 (MSD) (envelope-from abc@nns.ru)
Received: from localhost (localhost [127.0.0.1]) by falcon.nns.ru (8.9.3/8.9.3) with ESMTP id RAA02232; Wed, 13 Sep 2000 17:01:23 +0400 (MSD) (envelope-from abc@nns.ru)
Date: Wed, 13 Sep 2000 17:01:23 +0400 (MSD)
From: "Andrey V. Sokolov"
X-Sender: abc@localhost
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf & keep state
In-Reply-To: <200009131015.VAA15136@cairo.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Sep 2000, Darren Reed wrote:

>In some mail from Andrey V. Sokolov, sie said:
>>
>> Hello!
>> We have a router running under FreeBSD 4.1-RELEASE, with two ethernet
>> cards (ep0 and xl0). We have the WWW server connected to the router
>> via xl0. The router is connected to the ISP via ep0. To let everyone visit
>> our WWW we have the following ipf rules for ep0:
>> ...
>> block in log quick on ep0 all head 10
>> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
>> ...
>>
>> But some types of packets are dropped by ipfilter within a legal session!
>>
>> router# ipmon
>> ...
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> ...
>>
>> Can anybody tell me how to fix it?
>>
>> IMHO, ipfilter treats the session as finished after passing the first
>> FIN+ACK packet in the session, and forgets to pass the corresponding ACK
>> and FIN+ACK packets for a correct finish of the session.
>
>More than likely it has received an RST from the web server too.
>You can try adjusting the timeouts using sysctl.
>
>Darren
>

Thanks for your answer!

You are right, ipfilter is receiving lots of RSTs from my www server.
We increased the marked parameter from 1 to 10. The number of RST packets
from the www dropped by ipfilter became smaller, but the number of dropped
FIN+ACK packets from any to the www is still great. Maybe we can try to
change some other parameters?

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600

--
Andrey.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
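The thread turns on which point in the TCP session the blocked packets belong to: the ipmon lines show FIN+ACK (-AF), bare ACK (-A), and RST (-R) being dropped by the block rule, which is what state-table expiry during connection close looks like. The following script is an added example, not code from the original post or from IPFilter itself; it parses ipmon(8) text output in the format quoted above and counts blocked packets per connection phase, so that a tuning change (such as the fr_tcpclosed adjustment discussed above) can be measured instead of eyeballed. The sample lines are constructed for this example using RFC 5737 documentation addresses; the regex also tolerates the optional "K-S"/"K-F" keep-state/keep-frags marker that ipmon prints on passed packets, and non-TCP lines, which carry no flag field.

```python
import re
from collections import Counter

# Constructed sample ipmon output in the format of the original post.
# Addresses are RFC 5737 documentation addresses; the lines are made up
# for this example and are not the poster's real log.
SAMPLE_IPMON = """\
13/09/2000 12:34:54.393687 ep0 @0:3 b 203.0.113.52,2854 -> 192.0.2.10,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 198.51.100.124,1757 -> 192.0.2.10,80 PR tcp len 20 10240 -A IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 203.0.113.152,1854 -> 192.0.2.10,80 PR tcp len 20 10240 -AFP IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 198.51.100.112,1456 -> 192.0.2.10,80 PR tcp len 20 10240 -R IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 203.0.113.252,3859 -> 192.0.2.10,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:55.100000 ep0 @0:2 p 203.0.113.7,40000 -> 192.0.2.10,80 PR tcp len 20 60 -S K-S IN
13/09/2000 12:34:55.200000 ep0 @0:3 b 203.0.113.9,5353 -> 192.0.2.10,53 PR udp len 20 64 IN
"""

# One ipmon line: date time iface @group:rule action src,sport -> dst,dport
# PR proto len hlen plen [-FLAGS] [K-S] [K-F] IN|OUT
IPMON_RE = re.compile(r"""
    ^(?P<date>\S+)\s+(?P<time>\S+)\s+
    (?P<iface>\S+)\s+
    @(?P<group>\d+):(?P<rule>\d+)\s+
    (?P<action>[bp])\s+
    (?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+
    (?P<dst>[^,\s]+),(?P<dport>\d+)\s+
    PR\s+(?P<proto>\w+)\s+
    len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)
    (?:\s+-(?P<flags>[A-Z]+))?      # TCP flag letters, absent for udp/icmp
    (?:\s+K-[SF])*                  # keep-state / keep-frags markers
    \s+(?P<dir>IN|OUT)\s*$
""", re.VERBOSE)


def parse_ipmon(text):
    """Parse ipmon text output into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def tcp_phase(flags):
    """Map an ipmon TCP flag string such as 'AF' to the phase of the connection.

    RST takes precedence over everything, then FIN, then SYN; anything left
    is a mid-session ACK or data segment.
    """
    if flags is None:
        return "non-tcp"
    if "R" in flags:
        return "reset"
    if "F" in flags:
        return "fin-teardown"
    if "S" in flags:
        return "syn-handshake"
    return "ack-only/data"


def blocked_by_phase(records, dport=None):
    """Count blocked ('b') packets per phase, optionally for one destination port."""
    counts = Counter()
    for rec in records:
        if rec["action"] != "b":
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        counts[tcp_phase(rec["flags"])] += 1
    return counts


def teardown_share(records, dport=None):
    """Fraction of blocked packets that are FIN or RST.

    A value close to 1.0 means the state table is letting go of sessions
    during close rather than rejecting mid-session traffic, which is the
    symptom described in the thread.
    """
    counts = blocked_by_phase(records, dport)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (counts["fin-teardown"] + counts["reset"]) / total


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_IPMON)
    for phase, n in sorted(blocked_by_phase(recs, dport=80).items()):
        print(f"{phase:16s} {n}")
    print(f"teardown share on port 80: {teardown_share(recs, 80):.2f}")
```

Run it as `ipmon -n ... | python3 ipmon_phases.py` after replacing SAMPLE_IPMON with sys.stdin.read(), or feed it a saved log, before and after changing the sysctl values so the effect of a timeout change shows up as a change in the fin-teardown and reset counts rather than as an impression.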