Date:      Fri, 21 Dec 2001 21:31:56 -0800 (PST)
From:      "Earl A. Killian" <earl@killian.com>
To:        freebsd-ipfw@freebsd.org
Subject:   keep-state
Message-ID:  <200112220531.fBM5Vui36708@gate.killian.com>

I tried a firewall using keep-state and ran into a problem.  I am
looking for suggestions on the best way to fix it.  My firewall
was essentially

  <<anti-spoofing rules>>
  divert natd all from any to any via ${oif}
  check-state
  <<filter connection setups with keep-state on the ones allowed>>

The problem is that the firewall is invoked twice, on both
input and output.  A host on the inside initiates a connection by
sending a SYN packet from INSIDE-IP to OUTSIDE-IP.  This was accepted
via one of the filters and a keep-state was done.  Next, the kernel
determines that the packet is destined for outside, so it is run
through the rules a second time on the way out.  This time it is
diverted to natd which rewrites it to a packet from OIF-IP to
OUTSIDE-IP.  Another dynamic rule is created for this by a subsequent
keep-state.  When the SYN ACK comes back from OUTSIDE-IP to GATE, it
is diverted on input to natd, which rewrites it as OUTSIDE-IP to
INSIDE-IP.  This hits the check-state and is accepted by the first
dynamic rule created above, and ups the lifetime of the rule to 1000s.
However, the second dynamic rule created above will eventually time
out (it has only a 20s lifetime because it never sees the SYN ACK), at
which point the connection is blocked (further packets from INSIDE-IP
to OUTSIDE-IP will be dropped on the floor on output).

One way to fix this would be to augment the rules to accept anything
output from the gateway to the internet:

  <<anti-spoofing rules>>
  divert natd all from any to any via ${oif}
  allow all from ${oip} to any out xmit ${oif}
  check-state
  <<filter connection setups with keep-state on the ones allowed>>

This will prevent the need for the second dynamic rule.  However, it
seems to compromise security somewhat since it is fairly permissive,
and generally one follows the rule that anything not required is
denied.  Is there a better way?

-Earl
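The two-pass sequence described in the post, as a small Python model added here (it is not FreeBSD or ipfw code): the addresses, interface names, ports and the one-line natd translation are constructed assumptions, while the 20 s half-open and 1000 s established lifetimes are the figures from the post. Running the three packets through it reproduces the expiry of the second dynamic rule and shows that the permissive `allow all from ${oip} to any out xmit ${oif}` rule avoids creating that rule at all.

```python
"""Model of ipfw being run on input and again on output, with natd
diverted on the outside interface and keep-state creating dynamic rules.
Added illustration only; addresses and ports below are constructed."""
from dataclasses import dataclass

INSIDE_IP, OIF_IP, OUTSIDE_IP = "192.168.1.10", "203.0.113.5", "198.51.100.7"
IIF, OIF = "iif", "oif"                 # inside and outside interfaces (assumed names)
HALF_OPEN_LIFETIME, ESTABLISHED_LIFETIME = 20, 1000   # seconds, as in the post


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK" (data)


@dataclass
class DynamicRule:
    src: str
    dst: str
    sport: int
    dport: int
    expires: int
    established: bool = False


class Firewall:
    def __init__(self, allow_gateway_out=False):
        # allow_gateway_out models the proposed "allow all from ${oip} to any out xmit ${oif}"
        self.allow_gateway_out = allow_gateway_out
        self.dyn = []   # dynamic rules created by keep-state

    def _check_state(self, pkt, now):
        """check-state: drop expired entries, then match the packet in either direction."""
        self.dyn = [d for d in self.dyn if d.expires > now]
        tup = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        for d in self.dyn:
            fwd = (d.src, d.dst, d.sport, d.dport) == tup
            rev = (d.dst, d.src, d.dport, d.sport) == tup
            if fwd or rev:
                if rev and pkt.flags == "SYN-ACK":
                    d.established = True        # reply seen: entry gets the long lifetime
                d.expires = now + (ESTABLISHED_LIFETIME if d.established else HALF_OPEN_LIFETIME)
                return True
        return False

    def process(self, pkt, direction, iface, now):
        """One pass through the rule list; returns (verdict, packet as natd left it)."""
        # divert natd all from any to any via ${oif}  (translation simplified to one host)
        if iface == OIF:
            if direction == "out" and pkt.src == INSIDE_IP:
                pkt = Packet(OIF_IP, pkt.dst, pkt.sport, pkt.dport, pkt.flags)
            elif direction == "in" and pkt.dst == OIF_IP:
                pkt = Packet(pkt.src, INSIDE_IP, pkt.sport, pkt.dport, pkt.flags)
        # allow all from ${oip} to any out xmit ${oif}  (only when the fix is enabled)
        if self.allow_gateway_out and direction == "out" and iface == OIF and pkt.src == OIF_IP:
            return "allow", pkt
        # check-state
        if self._check_state(pkt, now):
            return "allow", pkt
        # connection-setup filter with keep-state: only SYNs toward the outside host are allowed
        if pkt.flags == "SYN" and pkt.dst == OUTSIDE_IP:
            self.dyn.append(DynamicRule(pkt.src, pkt.dst, pkt.sport, pkt.dport,
                                        now + HALF_OPEN_LIFETIME))
            return "allow", pkt
        return "deny", pkt

    def forward(self, pkt, now):
        """The kernel runs the rules on input and then again on output."""
        in_if, out_if = (IIF, OIF) if pkt.src == INSIDE_IP else (OIF, IIF)
        verdict, pkt = self.process(pkt, "in", in_if, now)
        if verdict != "allow":
            return "deny"
        verdict, _ = self.process(pkt, "out", out_if, now)
        return verdict


def scenario(allow_gateway_out):
    """SYN out at t=0, SYN ACK back at t=1, data out at t=30 (after the 20 s half-open lifetime)."""
    fw = Firewall(allow_gateway_out)
    verdicts = [
        fw.forward(Packet(INSIDE_IP, OUTSIDE_IP, 40000, 80, "SYN"), now=0),
        fw.forward(Packet(OUTSIDE_IP, OIF_IP, 80, 40000, "SYN-ACK"), now=1),
        fw.forward(Packet(INSIDE_IP, OUTSIDE_IP, 40000, 80, "ACK"), now=30),
    ]
    return verdicts, fw


if __name__ == "__main__":
    print("without gateway allow:", scenario(False)[0])   # third packet denied on output
    print("with gateway allow:   ", scenario(True)[0])    # all three allowed
```

In the model, the outbound SYN creates one entry for INSIDE-IP and, after natd rewrites it, a second for OIF-IP; only the first ever sees the SYN ACK, so at t=30 the second has expired and the data packet is denied on the output pass. With the gateway rule enabled the output pass is accepted before check-state is reached, so only one dynamic rule is ever created.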
