Date: Wed, 13 Sep 2000 13:17:29 +0400 (MSD)
From: "Andrey V. Sokolov" <abc@nns.ru>
To: freebsd-security@freebsd.org
Subject: ipf & keep state
Message-ID: <Pine.BSF.4.21.0009131235520.376-100000@localhost>
Hello!

We have a router running under FreeBSD 4.1-RELEASE, with two ethernet cards (ep0 and xl0). We have the WWW-server connected to the router via xl0. The router is connected to the ISP via ep0. To let everyone visit our WWW we have the following ipf rules for ep0:

    ...
    block in log quick on ep0 all head 10
    pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
    ...

But some types of packets are dropped by ipfilter within a legal session!

    router# ipmon
    ...
    13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
    13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
    ...

Can anybody tell me how to fix it? IMHO, ipfilter treats the session as finished after passing the first FIN+ACK packet in the session, and forgets to pass the corresponding ACK and FIN+ACK packets for a correct finish of the session.

Thanks.
Andrey.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
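As an added example (not part of the mail above), here is a small Python parser for the ipmon log format quoted in the message that buckets blocked inbound packets to port 80 by what their TCP flags say about the session phase. A high share of FIN/RST and plain-ACK blocks, as opposed to SYN blocks, is the signature of the state entry being torn down before the client's side of the close has gone through. The sample lines are constructed, modelled on the ones in the mail (A.B.C.D kept as a placeholder), with one extra SYN line added for contrast.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ipmon lines quoted in the mail.
SAMPLE_LOG = """\
13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:35:01.000001 ep0 @0:3 b 10.0.0.9,4444 -> A.B.C.D,80 PR tcp len 20 40 -S IN
"""

# One ipmon line: date time iface @group:rule action src,sport -> dst,dport PR proto len hlen total -FLAGS dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[^,]+),(?P<sport>\d+) -> (?P<dst>[^,]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<len>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse_ipmon(text):
    """Parse ipmon lines into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["flags"] = d["flags"] or ""   # e.g. "AF"; empty when no flag field was logged
            out.append(d)
    return out

def classify(flags):
    """Bucket a blocked TCP packet by the session phase its flags imply."""
    if "S" in flags and "A" not in flags:
        return "new-connection"   # bare SYN that matched no pass rule: an expected block
    if "R" in flags or "F" in flags:
        return "teardown"         # FIN/RST segments of a session being closed
    if "A" in flags:
        return "mid-session"      # ACK/data for which no state entry exists any more
    return "other"

def blocked_summary(text, dport="80"):
    """Count blocked inbound TCP packets to dport per phase. Mostly 'teardown' and
    'mid-session' means state entries are expiring before the close completes."""
    counts = Counter()
    for p in parse_ipmon(text):
        if p["action"] == "b" and p["dir"] == "IN" and p["proto"] == "tcp" and p["dport"] == dport:
            counts[classify(p["flags"])] += 1
    return dict(counts)
```

Feed it the output of `ipmon` captured to a file to see how much of the blocked traffic is session teardown rather than unsolicited connection attempts.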