Date: Sun, 19 Jan 2003 02:57:38 +1100 From: Tim Burgess <tim@queens.unimelb.edu.au> To: freebsd-ipfw@freebsd.org Subject: keep-state checking of interface? Message-ID: <911DF304-2AFD-11D7-B465-000393BE2C60@queens.unimelb.edu.au>
next in thread | raw e-mail | index | archive | help
Hi All, I would like to suggest (what I consider to be) a potential improvement to the usefulness of the stateful inspection features in ipfw (and ipfw2). We have a fairly typical setup, where we are firewalling between three 'sections' - a group of private hosts who need internet access, a group of servers (web, mail, etc - with some services running on the firewall machine itself) and the internet. (In reality there are several groups of private hosts but that complexity detracts from the problem at hand). Now, imagine that we would like the private hosts to be able to access the internet, which just 'happens' to include our webserver. What I would consider then the 'typical' firewall scenario here (pretend for now there are no services on the firewall itself) would be to firewall packets separately in both directions on the 'private hosts' interface abc0, and a separate set of rules on the 'servers' interface abc1. In less words, the firewall should look something like: Private Hosts: 1.2.3.0/24 Servers: 4.5.6.0/24 Interfaces on firewall: abc0: 1.2.3.1 abc1: 4.5.6.1 ext0: 20.21.22.23 (uplink to internet) Firewall rules (incomplete, obviously, for example purposes) 100 skipto 1000 ip from any to any via abc0 101 skipto 2000 ip from any to any via abc1 102 allow ip from any to any via abc2 1000 allow tcp from 1.2.3.0/24 to any 80,443,110 1001 allow tcp from any 80,443,110 to 1.2.3.0/24 established 1002 deny ip from any to any # incoming access for webserver 2000 allow tcp from any to 4.5.6.10 80 2001 allow tcp from 4.5.6.10 80 to any established # outgoing access from outgoing mail server 2002 allow tcp from 4.5.6.11 to any 25 2003 allow tcp from any 25 to 4.5.6.11 established # deny other stuff 2004 deny ip from any to any In this way, our webserver appears to our private hosts just like any other host on the internet, and we can firewall them independently because each packet is considered twice (once for each interface). Now, imagine that we would like to use stateful inspection on 'both' of these firewalls. Consider the following rules: (100-102 same as above) 1000 check-state 1001 allow tcp from 1.2.3.0/24 to any 80,443,110,22 keep-state 1002 deny ip from any to any 2000 check-state # We don't use keep-state on incoming connections to help avoid DoS 2001 allow tcp from any to 4.5.6.10 80 2002 allow tcp from 4.5.6.10 80 to any established # We can keep state on the outgoing mail connections though 2003 allow tcp from 4.5.6.11 to any 25 keep-state Now here is the problem: Imagine one of our private hosts tries to ssh to our webserver. Under the original (and correct) configuration they would be blocked, not so under the stateful configuration. The SYN packet will pass inward through the abc0 interface and establish a stateful rule. Then the packet is passed outward through the abc1 interface and the (rule 2000) check-state rule matches the stateful rule from the other interface! (being a 'real' environment, I haven't been able to verify this behaviour but have examined the source code to ipfw2 and am pretty sure this is what would happen). So, it would be nice if the stateful rules could be tied to a particular interface using some kind of syntax. I realise that a lot of simple firewalls don't really take into account that the packets pass through (possibly) twice, so the original syntax would be relied upon by many users, however for situations like ours (which I don't imagine are rare) it would be very nice to have. Sorry for the long-winded post!!! Cheers, Tim --- Tim Burgess Queens' College University of Melbourne To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?911DF304-2AFD-11D7-B465-000393BE2C60>