Date: Wed, 13 Sep 2000 17:01:23 +0400 (MSD)
From: "Andrey V. Sokolov" <abc@nns.ru>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf & keep state
Message-ID: <Pine.BSF.4.21.0009131640360.376-100000@localhost>
In-Reply-To: <200009131015.VAA15136@cairo.anu.edu.au>
On Wed, 13 Sep 2000, Darren Reed wrote:

>In some mail from Andrey V. Sokolov, sie said:
>>
>> Hello!
>> We have a router running under FreeBSD 4.1-RELEASE, with two ethernet
>> cards (ep0 and xl0). We have the WWW-server connected to the router
>> via xl0. The router is connected to the ISP via ep0. To let everyone visit
>> our WWW we have the following ipf rules for ep0:
>> ...
>> block in log quick on ep0 all head 10
>> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
>> ...
>>
>> But some types of packets are dropped by ipfilter within a legal session!
>>
>> router# ipmon
>> ...
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> ...
>>
>> Can anybody tell me how to fix it?
>>
>> IMHO, ipfilter treats the session as finished after passing the first
>> FIN+ACK packet in the session, and forgets to pass the corresponding ACK
>> and FIN+ACK packets for a correct finish of the session.
>
>More than likely it has received an RST from the web server too.
>You can try adjusting the timeouts using sysctl.
>
>Darren
>

Thanks for your answer!

You are right, ipfilter is receiving lots of RSTs from my www server. We increased the marked parameter from 1 to 10. The number of RST packets from the www dropped by ipfilter became smaller, but the number of dropped FIN+ACK packets from any to the www is still great. Maybe we can try to change some other parameters?
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600

--
Andrey.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message