Date: Fri, 4 Oct 2002 17:35:54 +0200
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-security@freebsd.org
Subject: ipfw stateful help - strange behaviour
Message-ID: <20021004153554.GD5787@phat.za.net>
Hi,

I'm having a problem with ipfw's stateful operation which I can't quite figure out. Let me start with my ruleset.

    00100 check-state
    00500 allow tcp from any to 66.8.x.y 80 keep-state setup
    01000 deny tcp from any to 66.8.x.y 80
    65535 allow ip from any to any

Ok this ruleset works great from all my machines. But I'm noticing a lot of traffic is hitting rule 1000. When enabling logging on rule 1000, I see around 10 hits a minute. I know it could be arbitrarily generated packets directed at 66.8.x.y on port 80, but with this frequency it doesn't look right. So I changed my ruleset slightly to this:

    00100 check-state
    00500 allow tcp from any to 66.8.x.y 80 keep-state setup
    01000 fwd 66.8.b.c,34501 tcp from any to 66.8.x.y 80
    65535 allow ip from any to any

This allowed me to analyse what was hitting rule 1000 by running tcpdump on 66.8.b.c. Here's the output:

    17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
    17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
    17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
    17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
    17:07:42.393275 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1478797841 win 7300 (DF)
    17:07:42.393343 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1479411419 win 7300 (DF)
    17:07:42.423224 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1479562687 win 7300 (DF)
    17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
    17:07:45.422375 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1 win 7300 (DF)
    17:07:45.424352 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1 win 7300 (DF)
    17:07:45.511551 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1 win 7300 (DF)
    17:07:45.511607 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1 win 7300 (DF)

Okay, what gives - no SYN packets. So I checked the state table a few seconds after these packets were forwarded to 66.8.b.c and:

    00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
    00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
    00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
    00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80

So it looks like the connections are matching the 'setup' flag and entering the state table, but they're not being matched by 'check-state' on further communication. Any ideas?

I'm using IPFW1 on 4.7-RC.

Thanks,
Aragon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
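As an added diagnostic, not part of the post and not an ipfw tool, the following Python script correlates the packets tcpdump captured on 66.8.b.c with the dynamic-rule table from `ipfw -d show`, reporting which fall-through packets have no live keep-state entry and what TCP flags they carry. The line formats are assumed from the output quoted above; the sample data is constructed from the post's lines, plus one made-up packet on port 61162 that does have a matching entry.

```python
"""Check packets that fell through to rule 1000 against ipfw's dynamic (state) table."""
import re
from collections import Counter

# One tcpdump line, e.g. "... 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0"
PKT_RE = re.compile(r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)")
# One `ipfw -d show` dynamic-rule line (format assumed from the post), e.g.
# "00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80"
DYN_RE = re.compile(r"^(?P<rule>\d+) \d+ \d+ \(T (?P<ttl>\d+), slot \d+\) <-> tcp, "
                    r"(?P<src>[\w.]+) (?P<sport>\d+)\s*<->\s*(?P<dst>[\w.]+) (?P<dport>\d+)")

def parse_states(dyn_text):
    """Map each dynamic entry to its remaining lifetime; entries are bidirectional, so store both directions."""
    states = {}
    for line in dyn_text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            states[fwd] = states[(fwd[2], fwd[3], fwd[0], fwd[1])] = int(m["ttl"])
    return states

def classify(tcpdump_text, states):
    """Return one (src, sport, flags, has_state) tuple per packet, in capture order."""
    out = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            out.append((m["src"], int(m["sport"]), m["flags"], flow in states))
    return out

def summarize(tcpdump_text, dyn_text):
    """Count stateless packets by flag: 'R' = resets, '.' = bare ACKs, 'S' = SYNs that should have hit 'setup'."""
    stateless = [p for p in classify(tcpdump_text, parse_states(dyn_text)) if not p[3]]
    return dict(Counter(p[2] for p in stateless))

# Constructed sample: three lines taken from the post, plus one made-up packet (port 61162) that has state.
TCPDUMP = """\
17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:50.000000 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61162 > 66.8.x.y.80: P 1:2(1) ack 1 win 7300 (DF)
"""
STATES = """\
00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
"""

if __name__ == "__main__":
    for src, sport, flags, ok in classify(TCPDUMP, parse_states(STATES)):
        print(f"{src}:{sport} flags={flags:<2} state={'yes' if ok else 'NO'}")
    print(summarize(TCPDUMP, STATES))
```

Run against a real capture and `ipfw -d show` taken at the same moment, a report of only resets and bare ACKs on source ports absent from the table points at packets from sessions whose dynamic rule has already gone, whereas stateless SYNs would point at the 'setup' rule itself.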