Date:      Fri, 04 Oct 2002 11:57:17 -0500
From:      Greg Panula <greg.panula@dolaninformation.com>
To:        Aragon Gouveia <aragon@phat.za.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw stateful help - strange behaviour
Message-ID:  <3D9DC86D.8F2D12ED@dolaninformation.com>
References:  <20021004153554.GD5787@phat.za.net>

This post is more for -questions, since -security is now just a
discussion forum.

Try this ruleset:
 00100 check-state
 00500 allow tcp from any to 66.8.x.y 80 keep-state
 01000 deny tcp from any to 66.8.x.y 80
 65535 allow ip from any to any

With the above ruleset, rule 500 will create an entry in the state table
for both the initial set-up and then the actual connection.

The previous 500 rule (allow tcp from any to 66.8.x.y 80 keep-state
setup) was only entering a rule into the state table for the setup part of
the connection.

Cheers,
  Greg


Aragon Gouveia wrote:
> 
> Hi,
> 
> I'm having a problem with ipfw's stateful operation which I can't quite
> figure out. Let me start with my ruleset.
> 
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 deny tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
> 
> Ok this ruleset works great from all my machines. But I'm noticing a lot of
> traffic is hitting rule 1000. When enabling logging on rule 1000, I see
> around 10 hits a minute. I know it could be arbitrarily generated packets directed
> at 66.8.x.y on port 80, but with this frequency it doesn't look right.
> 
> So I changed my ruleset slightly to this :
> 
> 00100 check-state
> 00500 allow tcp from any to 66.8.x.y 80 keep-state setup
> 01000 fwd 66.8.b.c,34501 tcp from any to 66.8.x.y 80
> 65535 allow ip from any to any
> 
> This allowed me to analyse what was hitting rule 1000 by running tcpdump on
> 66.8.b.c. Here's the output :
> 
> 17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
> 17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
> 17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
> 17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
> 17:07:42.393275 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1478797841 win 7300 (DF)
> 17:07:42.393343 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1479411419 win 7300 (DF)
> 17:07:42.423224 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1479562687 win 7300 (DF)
> 17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.422375 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.424352 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511551 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 17:07:45.511607 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1 win 7300 (DF)
> 
> Okay, what gives - no SYN packets. So I checked the state table a few
> seconds after these packets were forwarded to 66.8.b.c and :
> 
> 00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
> 00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
> 00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
> 00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80
> 
> So it looks like the connections are matching the 'setup' flag and entering
> the state table, but they're not being matched by 'check-state' on further
> communication. Any ideas?
> 
> I'm using IPFW1 on 4.7-RC.
> 
> Thanks,
> Aragon
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
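The question Aragon raises (are these packets really failing check-state, or is there simply no dynamic rule for them?) can be answered mechanically by cross-checking each packet that hits rule 1000 against the state table. The script below is an added example, not code from either poster or from FreeBSD; it parses the tcpdump lines and the `ipfw` dynamic-rule lines in the format quoted in this thread (the field layout of both is assumed from those lines only), looks up the packet's 4-tuple in both directions, and reports which packets had a live state entry. Three tcpdump lines are copied from the quoted message (the `x.y` octets are the poster's own anonymisation); the fourth is constructed to show the matching case.

```python
"""Cross-check packets that hit a deny rule against the ipfw dynamic state table.

Added example, not code from the thread. A packet reported as "no_state" was
never going to be accepted by check-state, because no dynamic rule existed for
its 4-tuple at that moment (state expired, or the flow never passed a SYN
through the keep-state rule). Only a packet with a live entry that still hits
the deny rule would point at a check-state problem.
"""
import re
from typing import Dict, List, Optional, Tuple

Tuple4 = Tuple[str, int, str, int]

# tcpdump 3.x style line as quoted in the thread: "<ts> <mac> <mac> 0800 <len>: src.port > dst.port: <flags> ..."
PKT_RE = re.compile(
    r"^(?P<ts>\S+) .*? (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)
# ipfw dynamic-rule line as quoted: "<rule> <pkts> <bytes> (T <ttl>, slot <n>) <-> <proto>, a ap<->b bp"
STATE_RE = re.compile(
    r"^(?P<rule>\d+) \d+ \d+ \(T (?P<ttl>\d+), slot \d+\) <-> (?P<proto>\w+), "
    r"(?P<a>[\w.]+) (?P<ap>\d+)\s*<->\s*(?P<b>[\w.]+) (?P<bp>\d+)"
)

# tcpdump flag letters seen in the quoted capture ("." means ACK only).
FLAG_NAMES = {"S": "SYN", "R": "RST", "F": "FIN", "P": "PUSH", ".": "ACK-only"}

# Lines 1-3 copied from the quoted message; line 4 is constructed so that it
# matches the first state entry below (port 61162).
TCPDUMP_LINES = """\
17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:46.000000 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61162 > 66.8.x.y.80: . ack 1 win 7300 (DF)
"""

# State table copied from the quoted message (note the inconsistent spacing
# around "<->", which the regex tolerates).
STATE_LINES = """\
00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
00500 101 33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
00500 3 132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
00500 3 132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80
"""


def parse_state(text: str) -> Dict[Tuple4, int]:
    """Map every TCP dynamic rule, in both directions, to its remaining lifetime (T)."""
    table: Dict[Tuple4, int] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m or m["proto"] != "tcp":
            continue
        a, ap, b, bp = m["a"], int(m["ap"]), m["b"], int(m["bp"])
        ttl = int(m["ttl"])
        table[(a, ap, b, bp)] = ttl
        table[(b, bp, a, ap)] = ttl  # a dynamic rule matches either direction
    return table


def classify(tcpdump_text: str, state_text: str) -> List[dict]:
    """For each captured packet, record its flags and the matching state TTL (None if absent)."""
    table = parse_state(state_text)
    results = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # skip lines that are not TCP packet records
        key: Tuple4 = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        ttl: Optional[int] = table.get(key)
        results.append({
            "ts": m["ts"],
            "src": f'{m["src"]}:{m["sport"]}',
            "dst": f'{m["dst"]}:{m["dport"]}',
            "flags": FLAG_NAMES.get(m["flags"], m["flags"]),
            "state_ttl": ttl,
        })
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    """Count packets that had a live dynamic rule versus those that had none."""
    counts = {"in_state": 0, "no_state": 0}
    for r in results:
        counts["in_state" if r["state_ttl"] is not None else "no_state"] += 1
    return counts


if __name__ == "__main__":
    rows = classify(TCPDUMP_LINES, STATE_LINES)
    for r in rows:
        verdict = f'state ttl={r["state_ttl"]}' if r["state_ttl"] is not None else "NO STATE ENTRY"
        print(f'{r["ts"]} {r["src"]} -> {r["dst"]} {r["flags"]:9} {verdict}')
    print(summarize(rows))
```

Run against the lines from the thread, every packet the poster captured shows up as "NO STATE ENTRY": the source ports in the capture (61175, 23973, 24170) are not the ones in the state table (61162, 61176, 24638, 24637), and the packets are RSTs and bare ACKs rather than SYNs, so a `keep-state setup` rule would never have created an entry for them. To use it on a live box, replace the two embedded strings with the output of `tcpdump` on the forwarding host and `ipfw -d show`, taken as close together in time as possible, since the T column is a countdown.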