
List:       ipfilter
Subject:    ipf40a25 state issues - additional
From:       jeff.stelzner () esca ! com
Date:       2003-01-24 1:17:24

For what it's worth, the problem seems isolated to state/frag handling.
If I take out the state/frag directives in the previous config, the
resulting [trivial] ruleset works fine - at least, I'm not seeing any
blocks in the ipmon log:

pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on tu0 proto tcp from any to any
pass in quick on tu0 proto udp from any to any
pass in quick on tu0 proto icmp from any to any
pass out quick on tu0 proto tcp from any to any
pass out quick on tu0 proto udp from any to any
pass out quick on tu0 proto icmp from any to any
pass in quick on ee0 proto tcp from any to any
pass in quick on ee0 proto udp from any to any
pass in quick on ee0 proto icmp from any to any
pass out quick on ee0 proto tcp from any to any
pass out quick on ee0 proto udp from any to any
pass out quick on ee0 proto icmp from any to any
block in log quick all
block out log quick all

Again, this is under hp tru64-5.1b [eco 001].

-Jeff-

----- Forwarded by Jeff STELZNER/USBVE01/TDE/ALSTOM on 01/23/2003 05:11 PM -----

Perhaps someone can shed some light in case I'm confused.

I'm trying to get ipf40a25 working on a tru64 unix 5.1b box [that's the
latest ipf40a release I can get to successfully compile/run].
I'm using it as a local host firewall at this point.

After having poor luck with more complex filters/rule groups [that worked
OK on freebsd boxes with 3.4.29], I am trying the following:

pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on tu0 proto tcp from any to any flags S/SAFR keep state keep frags
pass in quick on tu0 proto udp from any to any keep state keep frags
pass in quick on tu0 proto icmp from any to any keep state keep frags
pass out quick on tu0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on tu0 proto udp from any to any keep state keep frags
pass out quick on tu0 proto icmp from any to any keep state keep frags
pass in quick on ee0 proto tcp from any to any flags S/SAFR keep state keep frags
pass in quick on ee0 proto udp from any to any keep state keep frags
pass in quick on ee0 proto icmp from any to any keep state keep frags
pass out quick on ee0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on ee0 proto udp from any to any keep state keep frags
pass out quick on ee0 proto icmp from any to any keep state keep frags
block in log quick all
block out log quick all

I know, it's not much of a firewall, I'm just trying to convince myself
that a simple config works.
So here's what I'm seeing in my ipmon log:

23/01/2003 12:03:00.38757784879104 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:03:03.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:03:06.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 40 -A IN
23/01/2003 12:03:09.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:03:21.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:03:45.38757784879104 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:04:21.38757784879104 tu0 @0:8 b xxx.zz.9.86,1772 -> xxx.yy.96.82,22 PR tcp len 20 40 -A IN
23/01/2003 12:04:31.-2180677574656 tu0 @0:8 b xxx.zz.9.86,1774 -> xxx.yy.96.82,22 PR tcp len 20 40 -A IN
23/01/2003 12:04:34.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:04:36.38757784879104 tu0 @0:8 b xxx.zz.9.86,1774 -> xxx.yy.96.82,22 PR tcp len 20 40 -A IN

The xx.yy.96.82 address is the tu0 interface.
The xx.yy.97.82 address [below] is the ee0 interface.
The timestamps look a bit odd, but my greater concern is that traffic is
getting blocked.
If it's of any help, here is some state info from 'ipfstat -sl' [220 state
entries total]:

xxx.yy.96.81 -> xxx.yy.96.82 pass 0x40002642 pr 6 state 2/0 bkt 51
        44413 -> 9450 6fd48e01:0 65535<<4:1<<0
xxx.yy.97.81 -> xxx.yy.97.82 pass 0x40002642 pr 6 state 0/0 bkt 116
        44412 -> 9450 6fd19c01:0 65535<<4:1<<0
xxx.yy.96.81 -> xxx.yy.96.82 pass 0x40002642 pr 6 state 0/0 bkt 119
        44411 -> 9450 6fd0a201:0 65535<<4:1<<0
xxx.yy.9.86 -> xxx.yy.96.82 pass 0x40002642 pr 6 state 4/4 bkt 79
        1777 -> 22 d19d866f:238238e4 64320<<0:65535<<0
xxx.yy.96.32 -> xxx.yy.96.255 pass 0x40002642 pr 17 state 0/0 bkt 95
        tag 0 age 1552 138 -> 138
xxx.yy.96.103 -> xxx.yy.96.255 pass 0x40002642 pr 17 state 0/0 bkt 90
        tag 0 age 1400 138 -> 138
xxx.yy.96.31 -> xxx.yy.96.255 pass 0x40002642 pr 17 state 0/0 bkt 27
        tag 0 age 1333 138 -> 138
xxx.yy.96.102 -> xxx.yy.96.255 pass 0x40002642 pr 17 state 0/0 bkt 64
        tag 0 age 1319 138 -> 138

Thanks for any insights, I'm especially interested in comparisons from
other platforms - Jeff
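The symptom above (the catch-all rule @0:8 blocking ACK/PUSH packets that a "keep state" rule should already have covered) can be pulled out of an ipmon log mechanically. The following is an added example, not code from the original post or from the ipfilter project: a small parser for the ipmon line layout shown above that flags blocked TCP packets carrying no SYN, which are state-table misses rather than policy blocks, and that tolerates the broken fractional-second values seen in the log. The sample lines are constructed, modelled on the post, with the same masked addresses.

```python
import re
from collections import Counter

# One ipmon(8) line in the layout quoted in the post (one record per line):
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags] dir
# The fractional-seconds field is captured loosely because the posted lines
# contain obviously broken values such as "-2180677574656".
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.(?P<frac>-?\d+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\w.]+),(?P<sport>\d+) -> (?P<dst>[\w.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = (rec["flags"] or "-")[1:]  # "-AP" -> "AP", absent -> ""
    return rec

def state_misses(lines):
    """Blocked TCP packets without SYN: with 'keep state' rules ahead of the
    catch-all block, these should have matched a state entry instead."""
    misses = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "b" and rec["proto"] == "tcp" and "S" not in rec["flags"]:
            misses.append(rec)
    return misses

def summarize(misses):
    """Count state misses per (rule, src, dst, dport) so the offending flows stand out."""
    return Counter((f"@{r['group']}:{r['rule']}", r["src"], r["dst"], r["dport"]) for r in misses)

# Constructed sample (not a real capture): three mid-stream blocks as in the post,
# one SYN that was passed by a state rule, and one SYN blocked by policy.
SAMPLE = """\
23/01/2003 12:03:00.38757784879104 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 417 -AP IN
23/01/2003 12:03:06.000000 tu0 @0:8 b xxx.yy.6.248,1246 -> xxx.yy.96.82,80 PR tcp len 20 40 -A IN
23/01/2003 12:04:31.-2180677574656 tu0 @0:8 b xxx.zz.9.86,1774 -> xxx.yy.96.82,22 PR tcp len 20 40 -A IN
23/01/2003 12:05:00.000000 tu0 @0:3 p xxx.zz.9.86,1800 -> xxx.yy.96.82,22 PR tcp len 20 60 -S IN
23/01/2003 12:05:01.000000 tu0 @0:8 b xxx.zz.9.86,1801 -> xxx.yy.96.82,22 PR tcp len 20 60 -S IN
""".splitlines()

if __name__ == "__main__":
    for key, n in summarize(state_misses(SAMPLE)).items():
        print(n, *key)
```

Lines wrapped by a mail client, as in the post, need to be rejoined before they are fed to the parser.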
