From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
Date: Fri, 04 Oct 2002 11:57:17 -0500
To: Aragon Gouveia
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw stateful help - strange behaviour
Message-ID: <3D9DC86D.8F2D12ED@dolaninformation.com>
References: <20021004153554.GD5787@phat.za.net>

This post is more for -questions, since -security is now just a discussion forum.
Try this ruleset:

00100 check-state
00500 allow tcp from any to 66.8.x.y 80 keep-state
01000 deny tcp from any to 66.8.x.y 80
65535 allow ip from any to any

With the above ruleset, rule 500 will create an entry in the state table for both the initial set-up and then the actual connection. The previous 500 rule (allow tcp from any to 66.8.x.y 80 keep-state setup) was only entering a rule into the state table for the setup part of the connection.

Cheers,
Greg

Aragon Gouveia wrote:
>
> Hi,
>
> I'm having a problem with ipfw's stateful operation which I can't quite
> figure out. Let me start with my ruleset.
>
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 deny tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
>
> Ok this ruleset works great from all my machines. But I'm noticing a lot of
> traffic is hitting rule 1000. When enabling logging on rule 1000, I see
> around 10 hits a minute. I know it could be arbitrarily generated packets directed
> at 66.8.x.y on port 80, but with this frequency it doesn't look right.
>
> So I changed my ruleset slightly to this:
>
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 fwd 66.8.b.c,34501 tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
>
> This allowed me to analyse what was hitting rule 1000 by running tcpdump on
> 66.8.b.c. Here's the output:
>
> 17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
> 17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
> 17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
> 17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
> 17:07:42.393275 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1478797841 win 7300 (DF)
> 17:07:42.393343 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1479411419 win 7300 (DF)
> 17:07:42.423224 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1479562687 win 7300 (DF)
> 17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.422375 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.424352 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511551 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511607 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1 win 7300 (DF)
>
> Okay, what gives - no SYN packets. So I checked the state table a few
> seconds after these packets were forwarded to 66.8.b.c and:
>
> 00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
> 00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
> 00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
> 00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80
>
> So it looks like the connections are matching the 'setup' flag and entering
> the state table, but they're not being matched by 'check-state' on further
> communication. Any ideas?
>
> I'm using IPFW1 on 4.7-RC.
>
> Thanks,
> Aragon
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
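To show what the two rulesets in this thread do with the packets Aragon captured, here is a small model of ipfw's check-state / keep-state / setup evaluation. It is an added example, not code from the thread or from ipfw itself; the Packet and Rule types are assumptions, and the packets are constructed from the tcpdump lines and the state-table listing above (only the "tcp from any to <host> <port>" match form is modelled).

```python
from collections import namedtuple

# tcpdump-style flags: "S" SYN, "A" ACK, "R" RST, "SA" SYN+ACK
Packet = namedtuple("Packet", "src sport dst dport flags")
# action: "check-state", "allow", "deny" or "fwd"; dport None = any port (only
# "tcp from any to <host> <port>" is modelled); setup = SYN set and ACK clear
Rule = namedtuple("Rule", "num action dport keep_state setup", defaults=(None, False, False))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.state = {}  # (src, sport, dst, dport) -> (parent rule number, action)

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)  # dynamic entries match both directions
        return self.state.get(fwd) or self.state.get(rev)

    def evaluate(self, p):
        """Return (rule number, action) that decided p, accounted as 'ipfw show' does."""
        for r in self.rules:
            if r.action == "check-state":
                hit = self._lookup(p)
                if hit:  # dynamic match: apply the action of the rule that created the entry
                    return hit
                continue
            if r.dport is not None and p.dport != r.dport:
                continue
            if r.setup and not ("S" in p.flags and "A" not in p.flags):
                continue  # a bare ACK or RST never satisfies "setup"
            if r.keep_state:
                self.state[(p.src, p.sport, p.dst, p.dport)] = (r.num, r.action)
            return r.num, r.action

def ruleset(setup_flag):  # True = Aragon's original rule 500, False = Greg's
    return [Rule(100, "check-state"), Rule(500, "allow", 80, keep_state=True, setup=setup_flag),
            Rule(1000, "deny", 80), Rule(65535, "allow")]

# Packets constructed from the tcpdump lines and state-table listing in the thread.
SERVER = "66.8.x.y"
SYN_61162 = Packet("213.155.147.226", 61162, SERVER, 80, "S")    # port that has a dynamic entry
ACK_61162 = Packet("213.155.147.226", 61162, SERVER, 80, "A")
SYNACK_61162 = Packet(SERVER, 80, "213.155.147.226", 61162, "SA")  # reply direction
RST_61175 = Packet("213.155.147.226", 61175, SERVER, 80, "R")    # port with no entry
ACK_23973 = Packet("212.125.65.237", 23973, SERVER, 80, "A")     # bare ACK, no SYN seen

def trace(setup_flag, packets):
    fw = Firewall(ruleset(setup_flag))
    return [fw.evaluate(p) for p in packets]
```

Under the original ruleset the bare ACK and RST segments, whose source ports have no dynamic entry, fail the `setup` test on rule 500 and land on rule 1000, which is what the capture shows. Under the second ruleset every TCP segment to port 80 matches rule 500 and creates state, so rule 1000 can no longer match anything.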