
List:       pfsense-discussion
Subject:    Re: [pfSense-discussion] Problem with FW states
From:       Odette <odette.nsaka () libero ! it>
Date:       2006-12-19 15:20:33
Message-ID: 200612191620.35000.odette.nsaka () libero ! it

Thanks Espen, I already tried what you are suggesting, but it didn't solve my 
problem.

I also tried to play with all the "Advanced" options reachable from the web 
interface. It seems some of them (e.g. state: none, max states, states 
timeout) don't work.

I've been able to analyze the network traffic: the situation is exactly the 
one I described in the first post (reported below): when a state ESTABLISHED 
exists because of a previous connection, the new SYN packet, coming from the 
same IP:PORT of the previously established connection, is blocked by PF, 
even if
- in the FW rule page (firewall_rules_edit.php), ADVANCED options, I set up PFSense 
not to keep the state (working on the state number, timeout)
- in the FW rule page  (firewall_rules_edit.php) I set State Type to "none"

Furthermore, even if:

1. I set up the rule
	pass DEV:high-ports=>SRV:23   State Type none
2. I don't set up any rule to enable the SRV's replies to pass through the 
firewall
3. I reboot PFsense

I can establish new connections between DEV(:x) and SRV(:23).
I think this demonstrates that the "State Type none" option doesn't work. Does 
it?

Any suggestion on how to solve my problem or fix PFSense State none issue?

Once again, thanks in advance and MC&HNY to everybody.

Odette


At 15:30, Monday 18 December 2006, Espen Johansen wrote:
> You can try to set "Firewall optimization options" in the Advanced
> page to "aggressive" and see if that helps.
>
> -lsf
>
> On 12/15/06, Odette <odette.nsaka@libero.it> wrote:
> > Hi,
> >
> >   I'm not able to find a solution to this problem:
> >
> > I've got some devices on the WAN net that need to open telnet connections
> > to a telnet server on the LAN net. (OK, don't tell me anything about
> > incoming telnet from WAN. At the moment I need to go on this way... )
> > LAN is bridged with WAN.
> > I've set up the FW rules and everything works fine.
> >
> > But...
> >
> > It often happens that the devices need to be reset while a telnet
> > connection is established. In this case, when the device "reboots" I
> > have to wait many minutes to establish a telnet connection.
> >
> > Looking at the FW state logs, I see that every "regular" telnet
> > connection is coming from the x port of the device, where x is every time
> > the same.
> >
> > Every time the device reboots, the new connection, established just
> > waiting many minutes, comes from port x+1. On the FWStates log, I see
> > that the old state is still active.
> >
> > If I delete the FW states table before rebooting the device, the new
> > connection after reboot is established immediately.
> > Furthermore, if I connect the device directly on the LAN switch,
> > (excluding PFSense filtering), I can reboot the device and have the new
> > connection immediately.
> >
> > I have not been able to analyze the network traffic, but I suppose that
> > the device tries every time to establish the telnet connection from port
> > x and this is happening:
> >
> > 1. A connection is established
> > 2. PFSense keeps an active state DEV:x ==> SRV:23
> > 3. Device reboot
> > 4. Device tries to establish a new connection (Syn from DEV:x to SRV:23)
> > 5. PFSense knows from its states table that a connection DEV:x ==>
> > SRV:23 is already established and drops the new DEV:x ==> SRV:23 Syn
> > packet
> > 6. After some minutes the device reaches the time-out and tries a
> > new connection from port x+1. This new connection works fine.
> >
> > I've been trying to solve the problem by configuring PFSense
> > 1. inserting a new pass rule  SRV:23 ==> DEV:(x...x+5)
> > 2. not to keep (Firewall: Rules: Edit: State Type: (Advanced) None) the
> > state for the "pass" rules
> >    DEV:(x...x+5) ==> SRV:23
> >    SRV:23 ==> DEV:(x...x+5)
> >
> > It doesn't work, even after rebooting PFSense. Furthermore, I can see
> > the state in the States table. So I suppose that the advanced option
> > "State type: none" doesn't work.
> >
> > I also tried to set a state timeout to 10 seconds. The same effect: I can
> > see the connection state on the active state table for a long time.
> >
> > Any suggestion-info-idea?
> >
> > Thanks in advance to everybody
> >
> > Odette
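Not part of the thread: a small Python model, added here to walk through steps 1-6 of the quoted post (a stale ESTABLISHED state blocking the SYN from the same DEV:x after reboot, cleared by flushing the states table) and to show why a stateless "State Type: none" pass rule needs a matching return rule for the server's replies. Host names DEV and SRV, port 40000 and the rule layout are constructed; the class models the behaviour the thread describes and is not pf's or pfSense's code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str            # hypothetical host names, e.g. "DEV" (constructed)
    sports: range       # allowed source ports
    dst: str
    dports: range
    keep_state: bool    # False models "State Type: none" in the rule editor

class ToyStatefulFilter:
    """Constructed model of the state behaviour described in the thread; not pf."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # 4-tuples the states table would show as ESTABLISHED

    def _match(self, src, sport, dst, dport):
        for r in self.rules:
            if (r.src, r.dst) == (src, dst) and sport in r.sports and dport in r.dports:
                return r
        return None

    def packet(self, src, sport, dst, dport, syn=False):
        """Return 'pass', 'pass-state' or 'drop' for a single packet."""
        key = (src, sport, dst, dport)
        if key in self.states or (dst, dport, src, sport) in self.states:
            # Step 5: a fresh SYN on a tuple already tracked as ESTABLISHED
            # does not fit the existing state and is dropped.
            return "drop" if syn else "pass-state"
        rule = self._match(src, sport, dst, dport)
        if rule is None:
            return "drop"  # no state and no rule, e.g. a reply with no return rule
        if rule.keep_state:
            self.states.add(key)  # step 2: state DEV:x ==> SRV:23 is kept
        return "pass"

    def flush_states(self):
        self.states.clear()  # what the poster did by clearing the states table

HIGH = range(1024, 65536)   # "high-ports" as used in the thread
TELNET = range(23, 24)

def reboot_sequence(fw):
    # Steps 1-5 of the quoted post, then the manual flush; returns each verdict.
    first = fw.packet("DEV", 40000, "SRV", 23, syn=True)         # step 1
    reply = fw.packet("SRV", 23, "DEV", 40000)                   # server's reply
    after_reboot = fw.packet("DEV", 40000, "SRV", 23, syn=True)  # step 4, same port x
    fw.flush_states()
    after_flush = fw.packet("DEV", 40000, "SRV", 23, syn=True)
    return first, reply, after_reboot, after_flush
```

With a stateful rule the sequence returns ('pass', 'pass-state', 'drop', 'pass'); with stateless rules in both directions nothing is tracked and the post-reboot SYN passes, but dropping the return rule makes the server's reply fail, which is why the poster's observation that telnet still worked without one points to state being kept regardless.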
