Date: Thu, 12 Sep 2002 17:13:10 +0000
From: Pierre-Olivier Fur <pof@teamlog.com>
To: dfolkins <dfolkins@comcast.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <3D80CB26.5080304@teamlog.com>
References: <20020911105418.F32908-100000@doos.cluecentral.net> <00ac01c25a6c$1b34fb20$0a00a8c0@groovy3xp>
To me, you should try ipf/ipnat; it's much easier, more efficient and much more stateful ;) In a few words, it's the best. Once you try it you'll never leave it... Good luck with ipfw ;)

dfolkins wrote:
> hi,
> pretty sure that this is appropriate for -security, but if it is not, I
> apologize in advance.
>
> I have a fbsd 4.6 router box sitting between a local net (192.168.0) and a
> single actual ip from a cable modem. Naturally, I've set up nat and ipfw on
> it, but instead of going the old way with the semi-stateful rules I decided
> to go with keep-state/check-state. But problems arise with outgoing ssh
> connections. Here is the relevant portion of my ipfw rules:
>
> #set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
>
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
>
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
>
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
>
> # Allow out ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
>
> Seems like this should work. Initiating an ssh connection with an external
> host, and checking the dynamic rules (ipfw -ad list), the following two
> rules are generated:
>
> 00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> {external host ip} 22
> 00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106<-> {external host ip} 22
>
> The rule for my external ip, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the acks through it and gets a 600sec lifetime that is set
> in ack_lifetime. Any other packets sent through the connection reset the
> lifetime of the above two rules to 600 and 20 again. This would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
>
> When I remove the word "setup" from rule 640, though, the ssh connection does
> not die. The same two dynamic rules are created, with the same lifetimes,
> but when the short-lived rule expires the connection is still there; upon
> sending any data through it the short-lived rule does not get recreated. I
> am kinda stumped here.
>
> Any ideas? What's wrong with my rules? Any help would be appreciated.
>
> --
> df
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
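The symptom in the post is visible in the `ipfw -ad list` output itself: one connection shows up as two dynamic states, one keyed on the private address (matched at rule 220) and one keyed on the natd-rewritten address (rule 640), and the second one sits at the 20-second syn_lifetime instead of the 600-second ack_lifetime. The following parser, added here as an example and not code from the thread or from FreeBSD, reads that output format and flags such split flows; the sample lines are constructed from the poster's output, with documentation-range addresses standing in for the `{...}` placeholders.

```python
import re
from collections import defaultdict

# Dynamic-rule line as printed by "ipfw -ad list" on FreeBSD 4.x:
#   <rule> <pkts> <bytes> (T <secs>, slot <n>) <-> <proto>, <src> <sport><-> <dst> <dport>
DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>\d+),\s+slot\s+\d+\)\s+<->\s+(?P<proto>\w+),\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)

def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
                d[k] = int(d[k])
            states.append(d)
    return states

def find_nat_split_flows(states, syn_lifetime=20):
    """Group states by (proto, sport, dst, dport).  A flow that appears twice with
    different source addresses is one connection tracked both before and after natd
    rewrote its source.  Report it when one state never left the SYN lifetime
    (net.inet.ip.fw.dyn_syn_lifetime, 20 s by default) and will expire."""
    by_flow = defaultdict(list)
    for s in states:
        by_flow[(s["proto"], s["sport"], s["dst"], s["dport"])].append(s)
    findings = []
    for key, group in by_flow.items():
        if len({s["src"] for s in group}) < 2:
            continue
        stuck = [s["rule"] for s in group if s["ttl"] <= syn_lifetime]
        healthy = [s["rule"] for s in group if s["ttl"] > syn_lifetime]
        if stuck:
            findings.append({"flow": key, "stuck_rules": sorted(stuck),
                             "healthy_rules": sorted(healthy)})
    return findings

# Constructed sample: 203.0.113.7 stands in for "{my external ip}" and
# 198.51.100.22 for "{external host ip}"; the udp line is a normal single state.
SAMPLE = """\
00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> 198.51.100.22 22
00640 26 2130 (T 19, slot 166) <-> tcp, 203.0.113.7 3106<-> 198.51.100.22 22
00220 10 800 (T 580, slot 110) <-> udp, 192.168.0.10 1025<-> 198.51.100.53 53
"""

if __name__ == "__main__":
    for f in find_nat_split_flows(parse_dynamic_rules(SAMPLE)):
        print("flow %s: rule(s) %s stuck at SYN lifetime, %s carrying the traffic"
              % (f["flow"], f["stuck_rules"], f["healthy_rules"]))
```

Feeding it real `ipfw -ad list` output (only dynamic-rule lines match the pattern) shows whether a dying connection has a second state stuck at the SYN lifetime, which is the condition the poster describes.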