From owner-freebsd-ipfw Thu Feb 14 8:43: 5 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id A27DA37B402 for ; Thu, 14 Feb 2002 08:42:53 -0800 (PST) Received: (qmail 27170 invoked from network); 14 Feb 2002 16:42:53 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 14 Feb 2002 16:42:53 -0000 Message-ID: <3C6BE90D.3020108@tenebras.com> Date: Thu, 14 Feb 2002 08:42:53 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131 X-Accept-Language: en-us MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Bug in stateful code? Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I've sent this to Luigi and a couple of other folks without reply, so here it is. I'm seeing what I believe to be a bug in the stateful filter code for ipfw/ip_fw. Here's my original message: ============================================================================= Running ipfw w/natd, connections through the gateway are dying. Two dynamic rules get instantiated for each connection through the gateway -- one with NAT'd addresses and one revealing the private addresses $on = external net = X.Y.Z/24 $in = internal net = A.B.C/24 (192.168.1.0/24) the external IP is X.Y.Z.23 the internal IP is A.B.C.1 firewall rules: [some static rules...] $fw add divert natd ip from any to any via $external_interface $fw add check-state $fw add allow tcp from $in to any setup keep-state $fw add allow udp from $in to any keep-state $fw add allow tcp from $on to any setup keep-state $fw add allow udp from $on to any keep-state An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic rules to appear: 02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22 02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22 Note 02400 -- this connection timer seems to indicate that it is waiting for a completed 3-way handshake and hasn't seen the other SYN. The connection dies because the time counts down. The timer for 02200 doesn't count down because the keep-alives are resetting it. Any insight as to why this is happening? Seems like a bug in the state machine. I could be convinced otherwise, but it seems that these two rules should see the connection as being in the same state -- they both see the same packets. BTW, I could simplify this by safely allowing $fw add divert natd ip from any to any via $external_interface $fw add check-state $fw add allow ip from $in to any $fw add allow ip from any to $in $fw add allow tcp from $on to any setup keep-state $fw add allow udp from $on to any keep-state But the dynamic rule on the public side still seem to be using net.inet.ip.fw.dyn_syn_lifetime instead of net.inet.ip.fw.dyn_ack_lifetime. Comments? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message