Date:      Mon, 11 Feb 2002 01:34:46 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Possible bug in ip_fw stateful rule stuff
Message-ID:  <20020211013445.D20884@blossom.cjclark.org>
In-Reply-To: <3C6721C6.9080904@tenebras.com>; from kudzu@tenebras.com on Sun, Feb 10, 2002 at 05:43:34PM -0800
References:  <3C6721C6.9080904@tenebras.com>

On Sun, Feb 10, 2002 at 05:43:34PM -0800, Michael Sierchio wrote:
> Running ipfw w/natd,  connections through the gateway are dying.  Two dynamic
> rules get instantiated for each connection through the gateway -- one
> with NAT'd addresses and one revealing the private addresses
> 
> $on = external net = X.Y.Z/24
> $in = internal net = A.B.C/24  (192.168.1.0/24)
> 
> the external IP is X.Y.Z.23
> the internal IP is A.B.C.1
> 
> firewall rules:
> 
> [some static rules...]
> 
> $fw add divert natd ip from any to any via $external_interface
> 
> $fw add check-state
> 
> $fw add allow tcp from $in to any setup keep-state
> $fw add allow udp from $in to any keep-state
> 
> $fw add allow tcp from $on to any setup keep-state
> $fw add allow udp from $on to any keep-state
> 
> 
> An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic rules
> to appear:
> 
> 
> 02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
> 02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22
> 
> Note 02400 -- this connection timer seems to indicate that it is waiting for
> a completed 3-way handshake and hasn't seen the other SYN.  The connection dies
> because the time counts down.  The timer for 02200 doesn't count down because
> the keep-alives are resetting it.
> 
> Any insight as to why this is happening?

It is pretty simple.

  1) Initial SYN leaves A.B.C.4.

  2) SYN comes in firewall, goes through rules, and matches 2200.

  3) SYN goes out of firewall, goes through rules, matches natd(8)
     rule, and is translated.

  4) SYN continues through firewall, now with X.Y.Z.23 as source, and
     matches 2400.

  5) SYN gets to remote machine, remote machine sends SYN-ACK to
     X.Y.Z.23.

  6) SYN-ACK reaches firewall, goes through rules, matches the natd(8)
     rule, and is translated.

  7) SYN-ACK continues through rules, now with destination A.B.C.4,
     and matches the dynamic rule for _2200._

  8) SYN-ACK goes through rules on way out and again matches 2200.

Notice, the returning packets never hit the dynamic rule from 2400.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
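The eight steps above, replayed in a small Python model written for this archive page (it is not code from either poster or from ipfw itself). The model keeps only the rule order from the original post, "divert natd via $external_interface", then "check-state", then the "setup keep-state" rules, and it assumes interface names int0/ext0 and that natd keeps the source port 1549; ipfw's real dynamic-rule matching is more involved than the sorted-endpoint key used here.

```python
# Constructed model of the ipfw pass order from the post:
#   divert natd via $external_interface -> check-state -> allow ... setup keep-state
# Assumptions: interfaces int0/ext0, natd keeps the source port, flows keyed by endpoints.
EXT_IF, EXT_IP, INT_NET, EXT_NET = "ext0", "X.Y.Z.23", "A.B.C.", "X.Y.Z."

class Firewall:
    def __init__(self):
        self.nat = {}      # (public ip, port) -> (private ip, port), filled by natd
        self.dynamic = {}  # flow key -> {"rule": parent rule number, "hits": count}

    @staticmethod
    def flow_key(pkt):
        # dynamic rules match both directions, so order the endpoints
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"],) + tuple(ends)

    def natd(self, pkt, iface, direction):
        # 'divert natd ip from any to any via $external_interface'
        if iface != EXT_IF:
            return
        if direction == "out" and pkt["src"].startswith(INT_NET):
            self.nat[(EXT_IP, pkt["sport"])] = (pkt["src"], pkt["sport"])
            pkt["src"] = EXT_IP
        elif direction == "in" and (pkt["dst"], pkt["dport"]) in self.nat:
            pkt["dst"], pkt["dport"] = self.nat[(pkt["dst"], pkt["dport"])]

    def pass_rules(self, pkt, iface, direction):
        self.natd(pkt, iface, direction)
        key = self.flow_key(pkt)
        if key in self.dynamic:                          # check-state
            self.dynamic[key]["hits"] += 1
            return "dynamic %d" % self.dynamic[key]["rule"]
        if pkt["proto"] == "tcp" and pkt["flags"] == "S":   # 'setup' = SYN only
            if pkt["src"].startswith(INT_NET):
                rule = 2200   # allow tcp from $in to any setup keep-state
            elif pkt["src"].startswith(EXT_NET):
                rule = 2400   # allow tcp from $on to any setup keep-state
            else:
                return "deny"
            self.dynamic[key] = {"rule": rule, "hits": 0}
            return "static %d" % rule
        return "deny"

def trace_handshake():
    # Run the SYN out and the SYN-ACK back; return hits per dynamic rule.
    fw = Firewall()
    syn = {"proto": "tcp", "src": "A.B.C.4", "sport": 1549, "dst": "X.Y.Z.44", "dport": 22, "flags": "S"}
    fw.pass_rules(syn, "int0", "in")     # step 2: matches 2200, dynamic rule created
    fw.pass_rules(syn, EXT_IF, "out")    # steps 3-4: natd rewrites src, then 2400 fires
    synack = {"proto": "tcp", "src": "X.Y.Z.44", "sport": 22, "dst": "X.Y.Z.23", "dport": 1549, "flags": "SA"}
    fw.pass_rules(synack, EXT_IF, "in")  # steps 6-7: natd restores dst, dynamic 2200 hit
    fw.pass_rules(synack, "int0", "out") # step 8: dynamic 2200 hit again
    return {d["rule"]: d["hits"] for d in fw.dynamic.values()}
```

The returned hit counts show the point of the reply: the dynamic rule spawned by 2400 is never matched by return traffic, so only its timer runs down.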
