Date: Sat, 24 Mar 2012 20:30:34 +0700
From: "nyoman.bogi@gmail.com" <nyoman.bogi@gmail.com>
To: Kevin Oberman <kob6558@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: firewall stuck
Message-ID: <CAJsxnXbVgA1PR34wHVD9cHTsZZKZUahftRhEv47+JwMkEiMGOQ@mail.gmail.com>
In-Reply-To: <CAN6yY1tQjS_g5C12JSvYWSV75_aSMDbmXsiEX4wnrqthCDvWgg@mail.gmail.com>
References: <CAJsxnXY7aHNf7dvG+QLVqziWQe8HLHbFbttN-vNsai-MbOVCMA@mail.gmail.com>
 <CAN6yY1v1O9QiN3bAZ3jPJvzX=xsLAauSXJJjwhrZPYSnBfK_uw@mail.gmail.com>
 <CAJsxnXaXG_9UV-MTeij=PSY4e0abKbmqW6QMWMph9UUTTCNMRg@mail.gmail.com>
 <CAN6yY1tQjS_g5C12JSvYWSV75_aSMDbmXsiEX4wnrqthCDvWgg@mail.gmail.com>
On Thu, Mar 15, 2012 at 11:47 AM, Kevin Oberman <kob6558@gmail.com> wrote:
> Please don't top post. It makes following the thread very difficult.
> (Yes, I know too many MUAs make this difficult.)
>
> On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman <kob6558@gmail.com> wrote:
> >>
> >> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com
> >> <nyoman.bogi@gmail.com> wrote:
> >> > dear guru,
> >> >
> >> > Every time I open my firewall to allow SSH connections from the Internet,
> >> > after a few days my firewall always gets stuck. Stuck here means
> >> > that it denies all requests (deny any from any).
> >> > And after I "ipfw disable firewall" and then "ipfw enable firewall",
> >> > everything works fine.
> >> >
> >> > When I checked /var/log/messages I found lots of attempts by
> >> > people trying to connect to my machine.
> >> > Why does my machine get stuck when lots of people try to SSH to it?
> >>
> >> We need a bit more information, especially your ipfw configuration. Is
> >> it a stateful firewall? It sounds a lot like your state table might
> >> be filling for some reason. Of course, if it is not a stateful
> >> firewall, that idea is probably wrong, though it could be a
> >> misconfiguration of some stateful rule that is inadvertently catching
> >> the SSH attempts.
> >>
> >> Have you done an 'ipfw show' to see what rules are being matched? It
> >> may or may not provide a clue.
> >> --
> >> R. Kevin Oberman, Network Engineer
> >> E-mail: kob6558@gmail.com
>
> On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi@gmail.com
> <nyoman.bogi@gmail.com> wrote:
> > Thanks Kevin,
> > this is my "ipfw show":
> >
> > 00100 4352617 2413620288 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00400 0 0 deny ip from any to ::1
> > 00500 0 0 deny ip from ::1 to any
> > 00600 54387 5454184 allow icmp from any to any
> > 00700 3142231 1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
> > 00800 4659459 4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
> > 00900 0 0 check-state
> > 01000 137997 89083135 allow tcp from 10.1.1.28 to any setup keep-state
> > 01100 0 0 allow tcp from 10.16.10.84 to any setup keep-state
> > 01150 401205 276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
> > 01200 245718 44249729 allow udp from 10.1.1.28 to any keep-state
> > 01300 5876930 239194755 allow tcp from any to any established
> > 01400 0 0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
> > 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
> > 01600 80945 61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
> > 01700 0 0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
> > 01800 149642 97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
> > 01900 140 7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
> > 02000 1677982 89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
> > 02100 8996 432096 deny tcp from any to any setup
> > 02200 244111 24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
> > 02300 0 0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
> > 65535 4610 1422974 deny ip from any to any
> >
> > I use FreeBSD 8.2:
> > FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
> >
> > The problem started after I added rule 01150.
>
> So you do have a stateful rule for ssh. Putting stateful rules on
> services is risky because you always open yourself to DOS, either
> intentionally or by accident. Every stateful access requires resources
> from a limited pool. You can look at this pool information with:
> sysctl net.inet.ip.fw | grep dyn
> man ipfw describes them in the "SYSCTL VARIABLES" section.
>
> I am wondering why you want a stateful rule for this. It's very risky
> and it looks like you are getting bitten, either by accident or a
> deliberate effort to DOS you. I suspect the former.
> --
> R. Kevin Oberman, Network Engineer
> E-mail: kob6558@gmail.com

Thanks a lot Kevin, your hint is really helpful. I have changed the SSH
connection into non-stateful. Do you think I should change the HTTP
connection into non-stateful also?

--
-------------------------------
Bogi Aditya
Sisfo - IMTelkom
http://bogi.blog.imtelkom.ac.id
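Kevin's pointer to the dyn sysctls, turned into a small check (an added example, not code from anyone in this thread): it reads the output of `sysctl net.inet.ip.fw | grep dyn`, compares net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max, and warns before the dynamic-rule pool is exhausted, which is the condition Kevin suspects behind the "deny everything" symptom. The 80% threshold and the sample values are assumptions for the example.

```shell
#!/bin/sh
# Added example: watch how full ipfw's dynamic (keep-state) rule table is.
# When dyn_count reaches dyn_max, ipfw can no longer install state for new
# keep-state sessions, so a busy exposed service (like rule 01150 above)
# can push the box into the stuck state described in the thread.

# dyn_usage_pct: read "key: value" lines (the format `sysctl net.inet.ip.fw`
# prints) on stdin and print dyn_count as a whole percentage of dyn_max.
# Exits 1 (printing "unknown") if dyn_max is missing or zero.
dyn_usage_pct() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 }
        END {
            if (max == 0) { print "unknown"; exit 1 }
            printf "%d\n", (count * 100) / max
        }'
}

# check_dyn_table SYSCTL_TEXT [THRESHOLD_PCT]
# Returns 0 when usage is below the threshold (default 80%), 1 when the
# table is filling up, 2 when the sysctls could not be parsed.
check_dyn_table() {
    threshold=${2:-80}
    pct=$(printf '%s\n' "$1" | dyn_usage_pct) || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: ipfw dynamic table ${pct}% full (dyn_count vs dyn_max)"
        return 1
    fi
    echo "ok: ipfw dynamic table ${pct}% full"
    return 0
}

# Constructed sample input in the shape `sysctl net.inet.ip.fw | grep dyn`
# produces; the numbers are made up for this example.
SAMPLE_FULL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_keepalive: 1'

SAMPLE_OK='net.inet.ip.fw.dyn_count: 120
net.inet.ip.fw.dyn_max: 4096'

# On a FreeBSD host, feed the live values instead, e.g. from cron:
#   check_dyn_table "$(sysctl net.inet.ip.fw | grep dyn)"
```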