Date:      Fri, 20 Apr 2012 16:13:07 -0700
From:      Kevin Oberman <kob6558@gmail.com>
To:        "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Cc:        freebsd-net@freebsd.org, Michael Sierchio <kudzu@tenebras.com>
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <CAN6yY1tHvKhk4PLTmS6Yv9PvNoKdBV_fhR5UhKM2_ua8zh-d0Q@mail.gmail.com>
In-Reply-To: <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com> <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com> <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com> <CAJkxAbyG1+kc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com> <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com>

On Fri, Apr 20, 2012 at 11:55 AM, Dmitry S. Kasterin <dmk.sbor@gmail.com> wrote:
>> Thank you for the "allow tcp from me to any established" rule,
>> I'll give it a try later.
>
> Ok, I've tested this - no oddity/"frozen" connection.  As expected.
> This is an excerpt from the ruleset (ipfw show):
>
> 00101  4759  2588637 allow tcp from any to any established
> 00102   206    12360 allow tcp from me to any setup
>
> 00777     0        0 deny log logamount 16 ip from any to any

When you use 'established', you are depending on TCP to maintain
state, which it does all the time. There were some attacks involving
sequence number "guessing" which were once not really randomized, but,
at least on FreeBSD and most current systems, these are now generated
by a good random number generator and are essentially impossible to
guess. I have not heard of any use of this attack for several years
and then on systems with broken PRNGs. I think the problem probably
was fixed over 5 years ago.

>> I didn't change anything. Quite possible dyn_fin_lifetime is too
>> small. I'll try to raise it.
>
> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4
>
> The situation is better, but I am still having troubles with "heavy"
> sites (images, JS and so on; for example -
> http://cnx.org/content/m16336/latest/ ).
> And still I can see odd packets from "deny log all from any to any" rule:
>
> 15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 3948689318, ack 1903284725, ...
> 15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 0, ack 1, ...
> 15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq
> 1, ack 0, ...
> 15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq
> 0, ack 1, ...
>
> 15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq
> 3534903525, ack 108808080, ...
> 15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq
> 0, ack 1, ...
>
> 15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq
> 3277652538, ack 2683877393, ...
> 15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq
> 1, ack 0, ...

The thing that jumps out is that all of the blocked packets are FIN
packets. I am not sure why they are being denied as they have FIN+ACK
and that should meet the requirements for 'established'. Are you
seeing a large number of TCP sessions in partially closed states? I
don't recall if you mentioned it, but what version of FreeBSD are you
running?

If you have not done so, I urge you to read the firewall(7) man page.
It discusses firewall design and implementation with IPFW. Also, if
you choose to use stateful TCP filtering, it is probably best to do it
in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
is very different from the way you did it.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com

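The denied FIN/ACK packets in the tcpdump excerpt above are easier to reason about with a model of how an ipfw dynamic rule's lifetime changes while a TCP session closes. The following Python is an added example, not code from this thread or from FreeBSD: it is a simplified re-implementation of the state transitions in ip_fw_dynamic.c (a lone SYN gets dyn_syn_lifetime, SYNs in both directions move the state to dyn_ack_lifetime, FINs in both directions drop it to dyn_fin_lifetime, an RST to dyn_rst_lifetime), replayed over a constructed packet timeline shaped like the first excerpt. The `me:`/`srv:` endpoint names, the `Lifetimes` and `DynTable` classes and every timestamp are assumptions made for the example.

```python
"""Simplified model of ipfw dynamic-rule lifetimes (added example; not code
from the thread or from FreeBSD).  It replays a constructed packet timeline
through a check-state / keep-state style table and reports which packets
would fall through to a final 'deny ip from any to any' rule.

Modelled (simplified, an assumption) on the state transitions in
ip_fw_dynamic.c: a state is created by an outbound SYN ('setup keep-state'),
moves to dyn_ack_lifetime once SYNs have been seen both ways, drops to
dyn_fin_lifetime once FINs have been seen both ways, and to dyn_rst_lifetime
on RST.  Expired states are purged before each lookup.  ipfw's keepalive
probes and its clamping of dyn_fin_lifetime are deliberately left out.
"""
from dataclasses import dataclass, field

SYN, FIN, RST = "S", "F", "R"


@dataclass
class Lifetimes:
    """Seconds, named after the net.inet.ip.fw.dyn_*_lifetime sysctls."""
    syn: int = 20    # dyn_syn_lifetime default
    ack: int = 300   # dyn_ack_lifetime default
    fin: int = 1     # dyn_fin_lifetime default (the knob raised in the thread)
    rst: int = 1     # dyn_rst_lifetime default


@dataclass
class State:
    expire: float
    fwd: set = field(default_factory=set)   # SYN/FIN/RST seen client -> server
    rev: set = field(default_factory=set)   # SYN/FIN/RST seen server -> client


class DynTable:
    """One dynamic-rule table; keys are (client, server) in forward orientation."""

    def __init__(self, lt: Lifetimes):
        self.lt = lt
        self.states = {}

    def _update(self, st, now, flags, forward):
        (st.fwd if forward else st.rev).update(f for f in flags if f in "SFR")
        both_syn = SYN in st.fwd and SYN in st.rev
        both_fin = FIN in st.fwd and FIN in st.rev
        if RST in st.fwd or RST in st.rev:
            st.expire = now + self.lt.rst
        elif both_syn and both_fin:          # both sides closed: short lifetime
            st.expire = now + self.lt.fin
        elif both_syn:                       # established
            st.expire = now + self.lt.ack
        else:                                # still opening
            st.expire = now + self.lt.syn

    def packet(self, now, src, dst, flags):
        """Verdict for one packet under the ruleset
        check-state / allow tcp from me to any setup keep-state / deny ip from any to any."""
        self.states = {k: s for k, s in self.states.items() if s.expire > now}
        if (src, dst) in self.states:
            self._update(self.states[(src, dst)], now, flags, True)
            return "allow"
        if (dst, src) in self.states:
            self._update(self.states[(dst, src)], now, flags, False)
            return "allow"
        # No state: only a fresh outbound SYN ('setup') from 'me' creates one.
        if src.startswith("me:") and flags == SYN:
            st = State(expire=now + self.lt.syn)
            self._update(st, now, flags, True)
            self.states[(src, dst)] = st
            return "allow"
        return "deny"


# Constructed timeline (seconds, tcpdump-style flags), shaped like the first
# excerpt in the thread: a short HTTP exchange, the server closes, the client
# answers with its FIN, then retransmits it 1.5 s later.
TIMELINE = [
    (0.0,  "me:11215", "srv:80", "S"),    # client SYN
    (0.05, "srv:80", "me:11215", "S."),   # SYN/ACK
    (0.05, "me:11215", "srv:80", "."),    # handshake ACK
    (0.1,  "me:11215", "srv:80", "P."),   # GET
    (0.2,  "srv:80", "me:11215", "P."),   # response
    (5.0,  "srv:80", "me:11215", "F."),   # server FIN
    (5.1,  "me:11215", "srv:80", "F."),   # client FIN: both FINs seen now
    (6.6,  "me:11215", "srv:80", "F."),   # client retransmits its FIN
    (6.7,  "srv:80", "me:11215", "."),    # server's final ACK
]


def replay(timeline, lt):
    table = DynTable(lt)
    return [(t, src, dst, flags, table.packet(t, src, dst, flags))
            for t, src, dst, flags in timeline]


def denied(timeline, lt):
    """(timestamp, flags) of every packet that reaches the deny rule."""
    return [(t, flags) for t, _, _, flags, v in replay(timeline, lt) if v == "deny"]


if __name__ == "__main__":
    for fin in (1, 4):
        print(f"dyn_fin_lifetime={fin}: denied {denied(TIMELINE, Lifetimes(fin=fin))}")
```

With the default dyn_fin_lifetime of 1 the state vanishes one second after the second FIN, so the client's retransmitted FIN/ACK and the server's final ACK at 6.6 s and 6.7 s hit the deny rule; these are the same kind of FIN/ACK packets that show up under the deny rule in the excerpt. With the sysctl raised to 4, as in the reply, the identical timeline passes. Because the model omits ipfw's keepalive probes, it says nothing about FINs that arrive on a connection idle past dyn_ack_lifetime.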