Date: Sat, 27 Oct 2007 12:01:00 -0700
From: Darren Reed <darrenr@freebsd.org>
To: Peter Kieser <peter@wingless.org>
Cc: freebsd-current@freebsd.org
Subject: Re: ipv6 ipfilter + keep state bug? (releng_7)
Message-ID: <47238AEC.4050900@freebsd.org>
In-Reply-To: <47201ED8.2090600@wingless.org>
References: <47201ED8.2090600@wingless.org>
Peter Kieser wrote:
> Hello,
>
> I'm having similar issues (intermittent connectivity as if the dynamic
> rule table isn't being kept properly) using IP Filter with IPv6 and
> keep state rules as I was having with ipfw (see "ipfw2 keep-state +
> IPv6 on RELENG_7"), IPv4 keep state rules work as expected. I've
> verified that it is not in fact a network problem (adding an "allow
> all" fixes the problem again).
>
> My rules are as follows, CVSup from today (Wed Oct 24 10:54:23 PDT),
> em0 is my external interface:
>
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass out quick on em0 keep state
> pass in quick on em0 proto tcp from any to any port = 22

This is asking for trouble, regardless of which firewall you use.

For best performance, the "keep state" part should be triggered by a
rule that mentions the TCP SYN flag somewhere.

So for IPFilter, the rule should be:

pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

(for inbound ssh) and for outbound ssh, you should have an explicit rule
like this for tcp:

pass out quick on em0 proto tcp all flags S keep state

If you don't trigger stateful filtering on SYN packets then the firewall
doesn't have a chance to record the window scaling options that are
present in the SYN/SYN-ACK packets at the start of a connection and thus
can't correctly determine if packets coming later are inside or outside
the TCP window.

Darren
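The following is an added example, not part of Darren's reply and not IPFilter source. It is a toy model of the window tracking a stateful packet filter does, built to show the failure mode described above: state created from the SYN/SYN-ACK learns each endpoint's window-scale shift and can validate later segments against the scaled window, while state picked up mid-stream (as a bare "keep state" rule will do) has to assume a shift of 0 and starts blocking legitimate segments as soon as the peer advertises a small raw window. The segment sequences, the endpoint names "client" and "server", and the window values (server window field 512 with a shift of 7, i.e. 65536 bytes) are all constructed for the example. Sequence-number arithmetic is simplified (no slack for retransmissions, no SACK), so this is an illustration of the reasoning rather than of IPFilter's actual checks.

```python
"""Toy model of TCP window tracking in a stateful packet filter.

Added example for this thread (not IPFilter code). syn_only=True stands
for 'flags S keep state' (only a SYN creates state); syn_only=False stands
for a bare 'keep state', which also creates state from the first non-SYN
segment it happens to see. Default policy is block.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SYN, ACK = 0x02, 0x10
SEQ_MOD = 1 << 32


@dataclass
class Segment:
    src: str                       # "client" or "server" (constructed names)
    dst: str
    flags: int
    seq: int
    ack: int
    win: int                       # raw 16-bit window field from the header
    length: int = 0                # payload bytes
    wscale: Optional[int] = None   # window-scale option (SYN segments only)


@dataclass
class Endpoint:
    wscale: int = 0      # shift count learned from this endpoint's SYN
    win: int = 0         # last raw window this endpoint advertised
    last_ack: int = 0    # highest ack this endpoint has sent


@dataclass
class State:
    ends: Dict[str, Endpoint]
    from_syn: bool       # created from the handshake, so shifts are known
    established: bool = False


class StatefulFilter:
    def __init__(self, syn_only: bool):
        self.syn_only = syn_only
        self.table: Dict[frozenset, State] = {}

    def process(self, seg: Segment) -> str:
        key = frozenset((seg.src, seg.dst))
        st = self.table.get(key)
        if st is None:
            return self._create(key, seg)
        if st.established and not self._in_window(st, seg):
            return "block"        # outside what the peer can accept
        self._update(st, seg)
        return "pass"

    def _create(self, key, seg: Segment) -> str:
        is_syn = bool(seg.flags & SYN) and not (seg.flags & ACK)
        if not is_syn and self.syn_only:
            return "block"        # no state and not a SYN: default policy
        ends = {seg.src: Endpoint(), seg.dst: Endpoint()}
        st = State(ends=ends, from_syn=is_syn)
        if is_syn:
            ends[seg.src].wscale = seg.wscale or 0
        else:
            # Mid-stream: the SYN/SYN-ACK options were never seen, so the
            # shift count is unknown and the filter has to assume 0. The
            # peer's window is unknown too; start from the maximum raw value.
            ends[seg.dst].last_ack = seg.seq
            ends[seg.dst].win = 0xFFFF
            st.established = True
        self._update(st, seg)
        self.table[key] = st
        return "pass"

    def _update(self, st: State, seg: Segment) -> None:
        me = st.ends[seg.src]
        me.win = seg.win
        if seg.flags & ACK:
            me.last_ack = seg.ack
        if st.from_syn and (seg.flags & (SYN | ACK)) == (SYN | ACK):
            me.wscale = seg.wscale or 0
            st.established = True  # SYN-ACK seen: both shifts now known

    def _in_window(self, st: State, seg: Segment) -> bool:
        # The receiver accepts data up to last_ack + (win << wscale).
        peer = st.ends[seg.dst]
        allowed = peer.win << peer.wscale
        offset = (seg.seq + seg.length - peer.last_ack) % SEQ_MOD
        return offset <= allowed


def handshake(wscale: int = 7):
    """Constructed three-way handshake; server window is 512 << 7 bytes."""
    return [
        Segment("client", "server", SYN, seq=1000, ack=0, win=65535, wscale=wscale),
        Segment("server", "client", SYN | ACK, seq=5000, ack=1001, win=512, wscale=wscale),
        Segment("client", "server", ACK, seq=1001, ack=5001, win=1024),
    ]


def data_exchange():
    """Constructed bulk transfer: 10 full segments, the server's ack, one more."""
    segs = [Segment("client", "server", ACK, seq=1001 + i * 1460, ack=5001,
                    win=1024, length=1460) for i in range(10)]
    segs.append(Segment("server", "client", ACK, seq=5001, ack=1001 + 10 * 1460, win=512))
    segs.append(Segment("client", "server", ACK, seq=1001 + 10 * 1460, ack=5001,
                        win=1024, length=1460))
    return segs


def run(fw: StatefulFilter, segments):
    return [fw.process(s) for s in segments]


if __name__ == "__main__":
    print(run(StatefulFilter(syn_only=True), handshake() + data_exchange()))
    print(run(StatefulFilter(syn_only=False), data_exchange()))
    print(run(StatefulFilter(syn_only=True), data_exchange()))
```

With state created from the handshake every segment passes. With a bare "keep state" rule that first sees the connection mid-stream, the transfer works until the server's ack carries its raw window field of 512; the filter, not knowing the shift of 7, then treats the next 1460-byte segment as outside a 512-byte window and blocks it, which is the kind of intermittent stall reported above. With "flags S keep state" a mid-stream pickup never creates state at all, so nothing passes until a fresh SYN arrives, and the state that does get created is correct.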
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47238AEC.4050900>