Date: Sat, 2 Dec 2006 21:00:13 +0100 From: Max Laier <max@love2party.net> To: freebsd-ipfw@freebsd.org Cc: James Halstead <jhalstead@fsisys.com> Subject: Re: Mysterious packets with stateful ipfw+nat Message-ID: <200612022100.24704.max@love2party.net> In-Reply-To: <4571BF45.3010608@fsisys.com> References: <45711296.8010709@fsisys.com> <4571BF45.3010608@fsisys.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart1955192.6qAS8VG7f4 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 02 December 2006 19:00, James Halstead wrote: > Ok, the "obvious" part that I think I was missing while it was late, > was that these must be keep-alive packets generated by the firewall as > the dynamic rules are about to expire. That being the case however, > shouldn't these keep-alive packets take the same action as the original > rule (skipto 1000 and be diverted through NAT for processing)? keep-alive packets are marked with M_SKIP_FIREWALL in=20 netinet/ip_fw2.c::send_pkt You could try to remove that, rebuild and see=20 if it helps. I'm not sure what the reasoning behind this setting was and=20 have no idea what implications it has to change it. If it helps your=20 setup we might want to consider a sysctl to change that behavior. > James Halstead wrote: > > Ok, this has been driving me nuts for a while. I recently noticed > > that my 5.4-RELEASE firewall was having a problem with packet > > "leakage". I am seeing the occasional packet on the outside interface > > with an internal src ip. I put a hub between my firewall and cable > > modem and verified that the packets are indeed on the wire. Now I am > > in the process of setting up a new 6.1-RELEASE box and the same issue > > was happening on my test network. > > > > So far I don't get it. I must be missing something obvious. At least > > everything still works in general. > > > > The test setup is a clean install of 6.1-RELEASE, using GENERIC with > > the ipfw.ko and ipdivert.ko modules loaded. After searching around I > > was basing the configuration off of: > > > > http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182. > >html > > > > The test box has two Ethernet interfaces, renamed to be isp0 and > > net0. isp0 is using DHCP, and receives the address 10.42.0.220/24. > > net0 is running a DHCP server, and sits on 192.168.1.1/24. There is > > one single piece of hardware on net0 which is always assigned > > 192.168.1.230. The gateway to the actual Internet sits on > > 10.42.0.254. A pretty simple setup. > > > > The internal machine is just constantly connecting to an external web > > server to generate traffic. I see the same basic type of thing happen > > for other usage as well on my main network (ssh sessions, https/http > > sessions, etc). When looking at tcpdump I am occasionally seeing (on > > isp0): > > > > 19:35:27.591761 aa:aa:aa:5b:db:99 > bb:bb:bb:1f:33:da, > > 192.168.1.230.2542 > xx.xx.53.84.80: ., cksum 0xfade (correct), > > 2295591733:2295591733(0) ack 167570634 win 0 > > > > If this packet was truly supposed to be going out on the external > > interface, it should have gone through NAT and show a src ip of > > 10.42.0.220. To make it more frustrating, even if I enable ifpfw at > > layer 2, I am unable to capture these rogue packets. If I watch > > tcpdump on net0 at the same time, I see the following: > > > > 19:35:27.591767 aa:aa:aa:5b:db:98 > cc:cc:cc:10:04:ce, > > xx.xx.53.84.80 > 192.168.1.230.2542: ., cksum 0xfade (correct), > > 913:913(0) ack 1256 win 0 > > > > The only other thing that I have noticed, is that the packets seem to > > show up on the external interface at about the same time as the > > dynamic rules expire. The dynamic rule would look like: > > > > 192.168.1.230 2542 <-> xx.xx.53.84 80 > > > > Which is pretty much what I would expect. The same setup with a > > non-stateful ipfw ruleset (using established keyword) doesn't seem to > > have this problem. Any ideas? configuration follows. > > > > > > **** natd.conf **** > > unregistered_only yes > > dynamic yes > > #deny_incoming yes > > log_denied yes > > log_ipfw_denied yes > > > > (deny_incoming was set, turned it off to see if it helped but it > > works the same). > > > > ***** ipfw.rules **** > > # Test stateful firewall + natd script > > cmd=3D"/sbin/ipfw add" > > natout=3D"skipto 1000" > > oif=3D"isp0" > > iif=3D"net0" > > inet=3D"192.168.1.0/24" > > > > NOROUTE=3D"( 172.16.0.0/12 or 192.168.0.0/16 or \ > > 0.0.0.0/8 or 169.254.0.0/16 or 192.0.2.0/24 or 224.0.0.0/4 or > > 240.0.0.0/4 )" > > > > #### > > # Start with a clean ruleset > > /sbin/ipfw -q -f flush > > > > #### > > # Allow all traffic on the loopback and internal network, to keep > > this simple. > > $cmd 2 allow all from any to any via lo0 > > $cmd 5 allow all from any to any in via $iif > > $cmd 6 allow all from any to any out xmit $iif > > > > # Translate incoming traffic here > > $cmd 200 divert natd ip from any to any in via $oif > > $cmd 205 check-state > > > > # Outbound > > # Use stateful inspection to allow any connection from the internal > > network. > > $cmd 300 $natout tcp from any to any out via $oif setup keep-state > > $cmd 305 $natout udp from any to any out via $oif keep-state > > $cmd 310 $natout icmp from any to any out via $oif keep-state > > > > # Inbound > > # Prevent non-routable networks on the external interface. > > $cmd 400 deny all from $NOROUTE to any in via $oif > > > > # Allow incoming DHCP for external network address assignment. > > $cmd 450 allow udp from any to any 68 in via $oif keep-state > > > > # Allow incoming SSH to this machine > > $cmd 455 allow tcp from any to me 22 in via $oif setup keep-state > > > > # Allow incoming ICMP > > $cmd 460 allow icmp from any to any icmptypes 0,3,11,12 in via $oif > > > > $cmd 999 deny log ip from any to any > > > > # NAT rule for outgoing traffic. > > $cmd 1000 divert natd ip from any to any out via $oif > > $cmd 1005 allow ip from any to any > > > > Thanks for any insight, > > > > -James > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1955192.6qAS8VG7f4 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBFcdtYXyyEoT62BG0RAgrZAJ0WTowT43+Kl7v8+gVQ4BWjihILjgCcCima bmdWcoFheTXLLdRamx7lLTU= =Oyo2 -----END PGP SIGNATURE----- --nextPart1955192.6qAS8VG7f4--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200612022100.24704.max>