From owner-freebsd-ipfw Fri Dec 21 21:32:24 2001
From: "Earl A. Killian"
To: freebsd-ipfw@freebsd.org
Date: Fri, 21 Dec 2001 21:31:56 -0800 (PST)
Subject: keep-state
Message-Id: <200112220531.fBM5Vui36708@gate.killian.com>

I tried a firewall using keep-state and ran into a problem. I am looking for suggestions on the best way to fix it. My firewall was essentially

  <>
  divert natd all from any to any via ${oif}
  check-state
  <>

The problem is that the firewall is invoked twice, on both input and output. A host on the inside initiates a connection by sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted via one of the filters and a keep-state was done. Next, the kernel determines that the packet is destined for outside, so it is run through the rules a second time on the way out. This time it is diverted to natd which rewrites it to a packet from OIF-IP to OUTSIDE-IP. Another dynamic rule is created for this by a subsequent keep-state. When the SYN ACK comes back from OUTSIDE-IP to GATE, it is diverted on input to natd, which rewrites it as OUTSIDE-IP to INSIDE-IP. This hits the check-state and is accepted by the first dynamic rule created above, and ups the lifetime of the rule to 1000s.

However, the second dynamic rule created above will eventually time out (it has only a 20s lifetime because it never sees the SYN ACK), at which point the connection is blocked (further packets from INSIDE-IP to OUTSIDE-IP will be dropped on the floor on output).

One way to fix this would be to augment the rules to accept anything output from the gateway to the internet:

  <>
  divert natd all from any to any via ${oif}
  allow all from ${oip} to any out xmit ${oif}
  check-state
  <>

This will prevent the need for the second dynamic rule. However, it seems to compromise security somewhat since it is fairly permissive, and generally one follows the rule that anything not required is denied. Is there a better way?

-Earl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Dec 21 21:45:56 2001
From: Luigi Rizzo
To: "Earl A. Killian"
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 21 Dec 2001 21:45:23 -0800
Subject: Re: keep-state
Message-ID: <20011221214523.B21919@iguana.aciri.org>
In-Reply-To: <200112220531.fBM5Vui36708@gate.killian.com>

I am under the impression that you probably do not need stateful rules for natd'ed sessions, because natd is itself stateful.

cheers
luigi

On Fri, Dec 21, 2001 at 09:31:56PM -0800, Earl A. Killian wrote:
> I tried a firewall using keep-state and ran into a problem. I am
> looking for suggestions on the best way to fix it. My firewall
> was essentially
>
> <>
> divert natd all from any to any via ${oif}
> check-state
> <>
>
> The problem is that the firewall is invoked twice, on both
> input and output. A host on the inside initiates a connection by
> sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted
> via one of the filters and a keep-state was done. Next, the kernel
> determines that the packet is destined for outside, so it is run
> through the rules a second time on the way out. This time it is
> diverted to natd which rewrites it to a packet from OIF-IP to
> OUTSIDE-IP. Another dynamic rule is created for this by a subsequent
> keep-state. When the SYN ACK comes back from OUTSIDE-IP to GATE, it
> is diverted on input to natd, which rewrites it as OUTSIDE-IP to
> INSIDE-IP. This hits the check-state and is accepted by the first
> dynamic rule created above, and ups the lifetime of the rule to 1000s.
>
> However, the second dynamic rule created above will eventually time
> out (it has only a 20s lifetime because it never sees the SYN ACK), at
> which point the connection is blocked (further packets from INSIDE-IP
> to OUTSIDE-IP will be dropped on the floor on output).
>
> One way to fix this would be to augment the rules to accept anything
> output from the gateway to the internet:
>
> <>
> divert natd all from any to any via ${oif}
> allow all from ${oip} to any out xmit ${oif}
> check-state
> <>
>
> This will prevent the need for the second dynamic rule. However, it
> seems to compromise security somewhat since it is fairly permissive,
> and generally one follows the rule that anything not required is
> denied. Is there a better way?
>
> -Earl

From owner-freebsd-ipfw Fri Dec 21 22:13:40 2001
From: Vincent Chen
To: freebsd-ipfw@freebsd.org
Date: Fri, 21 Dec 2001 22:13:35 -0800 (PST)
Subject: stateful inspection
Message-ID: <20011222061335.80665.qmail@web20003.mail.yahoo.com>

Dear all,

I need your help to implement a stateful firewall. I am using ipfw to filter packets and ipfilter to provide NAT and redirect service. My firewall has the following rules:

  02500 check-state
  02510 deny tcp from any to any established
  03000 allow tcp from 10.1.2.0/24 to any keep-state in recv ed0 setup
  03100 allow tcp from 61.223.8.248 to any keep-state out xmit tun0 setup

10.1.2.0/24 is my private subnet; 61.223.8.248 is my DSL IP.

When I open a TCP connection from inside, rules 3000 and 3100 will create 2 dynamic rules. Rule 3100 will expire soon after some TCP connection is open; telnet is an example. The dynamic rule created by rule 3000 remains, but the incoming packet is denied by the firewall because the dynamic rule created by rule 3100 is missing. How can I solve this problem?

BTW: I read articles in the manual page and mailing list discussion, but I am still confused. While the connection is being established, do we have syn + (syn + ack) + (syn + ack), max. 660s, to create a dynamic rule successfully? After the connection is established, how much time do we have to transmit data before the dynamic rule expires? Will this TCP session be kept alive if net.inet.tcp.always_keepalive=1?

Thanks for your help, I would really like to have this feature work.

Thanks,
Vincent Chen
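The two-pass behaviour Earl describes (and the same shape of failure in Vincent's rules 3000/3100, one matching on the inside interface and one on the outside) can be replayed in a toy model. This is an added example, not code from the thread or from ipfw/natd; the addresses, interface names and the Ipfw/Pkt classes are constructed for the illustration, while the 20s and 1000s lifetimes are the values quoted in the thread. It shows why the post-NAT dynamic rule never sees the SYN ACK and dies, and that Earl's extra "allow all from ${oip} to any out xmit ${oif}" rule both keeps the session alive and avoids creating the second dynamic rule at all.

```python
from dataclasses import dataclass

# Constructed addresses and interface names for the hosts in Earl's description.
INSIDE_IP, OIF_IP, OUTSIDE_IP = "10.0.0.2", "192.0.2.1", "198.51.100.7"
IIF, OIF = "iif", "oif"                         # internal and external ("${oif}") interfaces
SYN_LIFETIME, ESTABLISHED_LIFETIME = 20, 1000   # seconds, as quoted in the thread

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str          # "S" = setup packet, "SA" = SYN ACK, "A" = later data/ack

class Ipfw:
    def __init__(self, allow_gateway_out=False):
        self.dyn = {}   # dynamic rules: {frozenset({src, dst}): expiry time}
        self.allow_gateway_out = allow_gateway_out   # Earl's 'allow all from ${oip} to any out xmit ${oif}'
    def natd(self, pkt, iface, direction):
        # 'divert natd all from any to any via ${oif}': addresses are rewritten only on the external interface
        if iface == OIF and direction == "out" and pkt.src == INSIDE_IP:
            return Pkt(OIF_IP, pkt.dst, pkt.flags)
        if iface == OIF and direction == "in" and pkt.dst == OIF_IP:
            return Pkt(pkt.src, INSIDE_IP, pkt.flags)
        return pkt
    def one_pass(self, pkt, iface, direction, now):
        """One trip through the rule set; returns (allowed, packet as natd left it)."""
        pkt = self.natd(pkt, iface, direction)
        if self.allow_gateway_out and direction == "out" and iface == OIF and pkt.src == OIF_IP:
            return True, pkt                       # the permissive rule sits before check-state
        key = frozenset({pkt.src, pkt.dst})
        if self.dyn.get(key, -1) > now:            # check-state: a live dynamic rule matches either direction
            if "A" in pkt.flags:                   # seeing the SYN ACK ups the lifetime to 1000s
                self.dyn[key] = now + ESTABLISHED_LIFETIME
            return True, pkt
        if pkt.flags == "S" and pkt.src in (INSIDE_IP, OIF_IP):   # 'allow tcp from <us> to any setup keep-state'
            self.dyn[key] = now + SYN_LIFETIME     # a rule that only saw the SYN lives 20s
            return True, pkt
        return False, pkt                          # default deny
    def forward(self, pkt, in_iface, out_iface, now):
        # The kernel runs the rule set twice: once on input and again on output.
        ok, pkt = self.one_pass(pkt, in_iface, "in", now)
        return ok and self.one_pass(pkt, out_iface, "out", now)[0]

def run_scenario(allow_gateway_out):
    """Replay Earl's three packets; the data packet is sent after the 20s SYN-only rule has expired."""
    fw = Ipfw(allow_gateway_out)
    syn = fw.forward(Pkt(INSIDE_IP, OUTSIDE_IP, "S"), IIF, OIF, now=0)
    synack = fw.forward(Pkt(OUTSIDE_IP, OIF_IP, "SA"), OIF, IIF, now=1)
    data = fw.forward(Pkt(INSIDE_IP, OUTSIDE_IP, "A"), IIF, OIF, now=30)
    return {"syn": syn, "synack": synack, "data": data, "dynamic_rules": len(fw.dyn)}
```

Without the permissive rule the model ends with two dynamic rules and the data packet dropped on the output pass at t=30s; with it, only the pre-NAT rule is ever created and the session survives, which is also why Luigi's suggestion of not keeping state for natd'ed traffic removes the problem.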