Date:      Wed, 18 Sep 2002 21:08:40 -0400
From:      dfolkins <dfolkins@comcast.net>
To:        barbish@a1poweruser.com, freebsd-questions@freebsd.org
Subject:   Re: ipfw, natd, and keep-state - unexpected dynamic rules generated
Message-ID:  <001201c25f79$17414430$0a00a8c0@groovy3xp>
References:  <MIEPLLIBMLEEABPDBIEGIEOMCKAA.barbish@a1poweruser.com>

From: "JoeB" <barbish@a1poweruser.com>
To: "dfolkins" <dfolkins@comcast.net>
Sent: Tuesday, September 17, 2002 11:54 AM
Subject: RE: ipfw, natd, and keep-state - unexpected dynamic rules generated


> So you have fallen into the dirty secret about FBSD and IPFW/keep-state.
> IPFW/natd cannot use the keep-state option. It's not a problem in IPFW but
> in NATD.  IPFW/keep-state works as documented when NAT is done outside of
> IPFW, like when you use user ppp -nat to connect to your ISP over modem, but
> when you have a cable modem or DSL that uses DHCP you are forced to go to
> IPFW/NATD, which will not work with keep-state. If you try to contact the
> ipfw maint team about this problem all you will get is the runaround. I also
> have cable access and I spent months trying to get IPFW/NATD keep-state to
> work. Finally had to go to IPFILTER/IPNAT, which has keep-state working.
>
> For more details
> http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO

Hm, I took a look at that howto, and it seems that my ipfw ruleset follows
the guidelines there.  But still there is that strange short-lived rule
popping up which is not addressed or explained there...  I guess the easy
way out would be to switch to ipf/ipnat, but I am curious as to what that
strange rule is all about in ipfw...
Thanks for the howto link, though, it was a good read.
--
dfolkins

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of dfolkins
> Sent: Tuesday, September 17, 2002 11:26 AM
> To: freebsd-questions@freebsd.org
> Subject: ipfw, natd, and keep-state - unexpected dynamic rules generated
>
> Hi everybody,
>
> I have a fbsd 4.6 router box sitting between a local net (192.168.0.255) and a
> single actual IP from a cable modem.  Naturally, I've set up natd and ipfw on
> it, but instead of going the old way with the semi-stateful rules I decided
> to go with keep-state/check-state.  But problems arise with outgoing ssh
> connections.  Here is the relevant portion of my ipfw rules:
>
> # Set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
>
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
>
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
>
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
>
> # Allow outgoing ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
>
> Seems like this should work, right?  Initiating an ssh connection with an
> external host, and checking the dynamic rules (ipfw -ad list), the following
> two rules are generated:
>
> 00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> {external host ip} 22
> 00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106 <-> {external host ip} 22
>
> The rule for my external IP, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the ACKs through it and gets a 600 sec lifetime that is set
> in ack_lifetime.  Any other packets sent through the connection reset the
> lifetime of the above two rules to 600 and 20 again.  This would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
>
> When I remove the word "setup" from rule 640, though, the ssh connection does
> not die.  The same two dynamic rules are created, with the same lifetimes,
> but when the short-lived rule expires the connection is still there; upon
> sending any data through it the short-lived rule does not get recreated.  I
> am kinda stumped here.
>
> Any ideas?  What's wrong with my rules?  Any help would be appreciated.
>
> I've posted this to -security before, but have not gotten an authoritative
> answer as to the reason this is happening, and I guess if the same happens here
> I will post on -ipfw.  And yes, I _have_ been advised to switch to
> ipnat/ipfilter, but that's cheating :).  For that matter, so is removing
> "setup" from the above rule 640.
>
> Thank you all in advance.
>
> --
> dfolkins
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


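The two dynamic entries and their lifetimes, as an added model that is not code from this thread, from FreeBSD or from the HOWTO linked above. It reproduces what dfolkins reports with a deliberately simplified version of the ipfw1 dynamic-rule bookkeeping: an entry that has seen a SYN from only one side keeps dyn_syn_lifetime, one that has seen SYNs from both sides gets dyn_ack_lifetime, and one that has never seen a SYN gets dyn_rst_lifetime (assumed here to be 1 second; the post does not quote that sysctl). The natd divert is modelled as address rewriting that continues at the rule after 00050, the ruleset is assumed to end in a default deny, rules 00240 and 00260 are omitted because the scenario never reaches them, and the public and remote addresses are constructed stand-ins. The point the model makes: inbound packets are translated back to the private address at rule 00050 before check-state sees them, so the 00640 entry, keyed on the public address, only ever sees the outbound half of the conversation and never leaves the one-SYN state. With `setup` on 00640, the first data packet after that entry expires matches nothing and is dropped; without `setup`, 00640 re-admits it, installing an entry that has seen no SYN and so lives only for the assumed 1-second RST lifetime, which is why it would not appear to be recreated.

```python
# Added model of the two keep-state entries from the post; not FreeBSD code.
from dataclasses import dataclass

SYN_LIFETIME = 20   # net.inet.ip.fw.dyn_syn_lifetime, value quoted in the post
ACK_LIFETIME = 600  # net.inet.ip.fw.dyn_ack_lifetime, value quoted in the post
RST_LIFETIME = 1    # net.inet.ip.fw.dyn_rst_lifetime, ASSUMED default, not in the post
LAN_HOST = "192.168.0.10"   # from the post
PUBLIC_IP = "203.0.113.5"   # constructed stand-in for "my external ip"
REMOTE = "198.51.100.7"     # constructed stand-in for "external host ip"
IIF, OIF = "iif", "oif"


@dataclass
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class DynRule:
    parent: int     # rule number that installed the entry (220 or 640)
    key: tuple      # (src, dst, sport, dport) of the packet that installed it
    expire: float
    state: int = 0  # bit 1: SYN seen forward, bit 2: SYN seen in reverse


class Firewall:
    def __init__(self, setup_on_640):
        self.setup_on_640 = setup_on_640   # is "setup" present on rule 00640?
        self.dyn = []                      # installed DynRule entries
        self.now = 0.0

    def _lookup(self, p):
        """Live entry matching p in either direction (expired ones are purged)."""
        self.dyn = [d for d in self.dyn if d.expire > self.now]
        for d in self.dyn:
            if d.key == (p.src, p.dst, p.sport, p.dport):
                return d, True
            if d.key == (p.dst, p.src, p.dport, p.sport):
                return d, False
        return None, None

    def _touch(self, d, p, forward):
        """Record which side's SYN was seen and set the lifetime from that."""
        if p.syn:
            d.state |= 1 if forward else 2
        if d.state == 3:
            d.expire = self.now + ACK_LIFETIME   # SYNs from both sides
        elif d.state:
            d.expire = self.now + SYN_LIFETIME   # only one side's SYN
        else:
            d.expire = self.now + RST_LIFETIME   # no SYN at all

    def _install(self, parent, p):
        """keep-state: add an entry for p unless one already matches."""
        d, forward = self._lookup(p)
        if d is None:
            d, forward = DynRule(parent, (p.src, p.dst, p.sport, p.dport), self.now), True
            self.dyn.append(d)
        self._touch(d, p, forward)

    def _pass(self, p, iface, out):
        """One traversal of rules 00050/00200/00220/00640; True = allowed."""
        if iface == OIF:                            # 00050 divert natd via oif
            if out and p.src == LAN_HOST:
                p.src = PUBLIC_IP
            elif not out and p.dst == PUBLIC_IP:
                p.dst = LAN_HOST
        d, forward = self._lookup(p)                # 00200 check-state
        if d is not None:
            self._touch(d, p, forward)
            return True
        if iface == IIF:                            # 00220 allow via iif keep-state
            self._install(220, p)
            return True
        if iface == OIF and out and p.dport == 22:  # 00640 allow ssh out via oif
            if self.setup_on_640 and not (p.syn and not p.ack):
                return False                        # "setup" needs SYN without ACK
            self._install(640, p)
            return True
        return False                                # default deny (assumed)

    def send(self, p, at):
        self.now = at   # LAN -> Internet passes iif in, then oif out; replies the reverse
        if p.src == LAN_HOST:
            return self._pass(p, IIF, False) and self._pass(p, OIF, True)
        return self._pass(p, OIF, False) and self._pass(p, IIF, True)

    def lifetimes(self):
        return {d.parent: round(d.expire - self.now) for d in self.dyn}  # like the T field


def ssh_session(setup_on_640, idle_until):
    """Handshake from the LAN, then data at idle_until: (lifetimes, delivered?, lifetimes)."""
    fw = Firewall(setup_on_640)
    out = lambda **f: Pkt(LAN_HOST, REMOTE, 3106, 22, **f)
    back = lambda **f: Pkt(REMOTE, PUBLIC_IP, 22, 3106, **f)
    assert fw.send(out(syn=True), 0.0)             # SYN installs the 220 and 640 entries
    assert fw.send(back(syn=True, ack=True), 0.1)  # SYN/ACK: only the 220 entry sees it
    assert fw.send(out(ack=True), 0.2)             # ACK
    after_handshake = fw.lifetimes()
    delivered = fw.send(out(ack=True), idle_until)
    return after_handshake, delivered, fw.lifetimes()
```

`ssh_session(True, 30.0)` gives lifetimes of 600 and 20 seconds for the 00220 and 00640 entries after the handshake, then a dropped data packet once the 20-second entry has expired; `ssh_session(False, 30.0)` delivers the packet and leaves a 00640 entry with the assumed 1-second lifetime. The real ipfw also tracks FIN and RST and logs the expiries; none of that changes which entry sees which direction.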



