Date: Tue, 17 Sep 2002 11:26:15 -0400 From: dfolkins <dfolkins@comcast.net> To: freebsd-questions@freebsd.org Subject: ipfw, natd, and keep-state - unexpected dynamic rules generated Message-ID: <013901c25e5e$90015b60$0a00a8c0@groovy3xp>
next in thread | raw e-mail | index | archive | help
hi everybody,
i have a fbsd 4.6 router box sitting between a local net (192.168.0.255) and
a
single actual ip from a cable modem. naturally, ive set up natd and ipfw on
it, but instead of going the old way with the semi-stateful rules i decided
to go with keep-state/check-state. but problems arise with outgoing ssh
connections. here is the relevant portion of my ipfw rules:
#set up NAT
${fwcmd} add 00050 divert natd all from any to any via ${oif}
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
$fwcmd add 00200 check-state
# Run all private LAN $iif packet traffic through the dynamic rules
# table so the IP addresses are in sync with Natd.
$fwcmd add 00220 allow all from any to any via $iif keep-state
# Deny all fragments as bogus packets
$fwcmd add 00240 deny log all from any to any frag in via $oif
# Deny ACK packets that did not match the dynamic rule table
$fwcmd add 00260 deny log tcp from any to any established in via $oif
# Allow out ssh connections
$fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
seems like this should work, right? initiating an ssh connection with an
external
host, and checking the dynamic rules (ipfw -ad list), the following two
rules are generated:
00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> {external
host ip} 22
00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106<-> {external
host ip} 22
the rule for my external ip, though, only gets the lifetime value from the
syn_lifetime sysctl var, which is 20 seconds, and only the first rule
apparently gets the acks through it and gets a 600sec lifetime that is set
in ack_lifetime. any other packets sent through teh connections reset the
lifetime of the above two rules to 600 and 20 again. this would not trouble
me otherwise, but as soon as the second rule (20 sec) expires, the ssh
connection dies.
when i remove the word "setup" from rule 640, though, ssh connection does
not die. the same two dynamic rules are created, with the same lifetimes,
but when the short-lived rule expires the connection is still there, upon
sending any data through it the short-lived rule does not get recreated. i
am kinda stumped here.
any ideas? whats wrong with my rules? any help would be appreciated.
i've posted this to -security before, but have not gotten an authoritative
answer as to the reason this is happening, and i guess if same happens here
i will post on -ipfw. and yes, i _have_ been advised to switch to
ipnat/ipfilter, but thats cheating :). for that matter, so is removing
"setup" from the above rule 640.
thank you all in advance.
--
dfolkins
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?013901c25e5e$90015b60$0a00a8c0>