kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)

Giorgos Keramidas keramida at freebsd.org
Wed Oct 27 20:40:34 PDT 2004


The following reply was made to PR kern/73202; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at freebsd.org>
To: David Haworth <dave at fyonn.net>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Date: Thu, 28 Oct 2004 06:34:57 +0300

 On 2004-10-27 22:20, David Haworth <dave at fyonn.net> wrote:
 > You're quite right, I should have pointed out that the firewall ruleset was
 > completely unchanged from the 5.1 config. I don't really want to post my
 > firewall config to a public forum so I'll enclose a suitably edited version.
 >
 >  this config worked fine with 5.1 and caused no problems.
 
 I think you have problems because of the unmatched `in' rules for some
 services that you make visible from outside.  I call these rules `unmatched'
 because there is no matching `out' rule to let the replies get out too:
 
 > block in log on vr0
 > block in log quick all with ipopts
 > block in quick all with frag
 > block in quick all with short
 > block in quick on vr0 proto tcp from any to any port = 135
 > [...]
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http
 > [...]
 
 This means that incoming packets for these ports are unconditionally allowed
 to pass through.  Nothing is said about outgoing packets, so the default
 policy is assumed.  You haven't set the default `out' policy for interface vr0
 in your ruleset so this can be either `pass' (the default) or `block' (if you
 have compiled your kernel with IPFILTER_DEFAULT_BLOCK).
 
 A few rules further down you have:
 
 > pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
 > pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
 
 Your problems are very probably caused by this mixing of stateless and
 stateful rules.  Combined with the fact that you don't cover *all* possible
 cases of packets, this can be tricky.
 
 Try converting the stateless rules to stateful, i.e. replace this:
 
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http
 
 with something like this:
 
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp keep state
 > pass in quick on vr0 proto tcp from any to $local_ip1 port = http keep state
 > pass in quick on vr0 proto tcp from any to $local_ip2 port = http keep state
 
 Let us know if that fixes the problems you're seeing.
 
 Regards,
 Giorgos.
 
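The "unmatched `in' rules" point above can be checked with a toy model of IPF's evaluation order. The script below is an added example, not IPFilter's code and not part of this PR thread: it parses the subset of ipf syntax used in the quoted ruleset, evaluates rules with last-match-wins and `quick` semantics, consults a state table before the rule list, and applies a configurable default policy standing in for IPFILTER_DEFAULT_BLOCK. Only the first quoted block (no `pass out` rule) is modelled, so it shows exactly why a stateless `pass in` leaves the SYN/ACK to the default policy while `keep state` lets it out; it deliberately does not model IPF's TCP state tracking, which is where the mixing of stateless and stateful rules gets tricky. Addresses, ports and variable values are constructed.

```python
"""Toy model of IPFilter rule evaluation (added example, not IPF's own code)."""
from dataclasses import dataclass
from typing import Optional

SERVICES = {"smtp": 25, "http": 80, "ssh": 22}   # names used in the thread


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags: "S" for SYN, "SA" for SYN/ACK


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    quick: bool = False            # stop evaluating on match
    iface: Optional[str] = None
    proto: Optional[str] = None    # "tcp", "udp" or "tcp/udp"
    src: Optional[str] = None      # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or p.proto in self.proto.split("/"))
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags == p.flags))


def parse_rule(text: str, variables: dict) -> Rule:
    """Parse the ipf subset used in the thread; $vars are expanded."""
    toks = [variables[t[1:]] if t.startswith("$") else t for t in text.split()]
    rule, i = Rule(action=toks[0], direction=toks[1]), 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log"):             # `log' has no effect on the verdict
            rule.quick = rule.quick or t == "quick"; i += 1
        elif t == "on":
            rule.iface = toks[i + 1]; i += 2
        elif t == "proto":
            rule.proto = toks[i + 1]; i += 2
        elif t in ("from", "to"):
            value = None if toks[i + 1] == "any" else toks[i + 1]
            setattr(rule, "src" if t == "from" else "dst", value); i += 2
        elif t == "port" and toks[i + 1] == "=":
            name = toks[i + 2]
            rule.dport = SERVICES[name] if name in SERVICES else int(name); i += 3
        elif t == "flags":
            rule.flags = toks[i + 1]; i += 2
        elif t == "keep" and toks[i + 1] in ("state", "frags"):
            rule.keep_state = rule.keep_state or toks[i + 1] == "state"; i += 2
        else:
            raise ValueError(f"unsupported ipf syntax near {t!r} in {text!r}")
    return rule


class Filter:
    def __init__(self, rules, default_block: bool):
        self.rules = rules
        self.default = "block" if default_block else "pass"  # IPFILTER_DEFAULT_BLOCK
        self.state = set()   # flows created by `keep state' rules

    def check(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:   # state table first
            return "pass"
        matched = None
        for rule in self.rules:                            # last match wins...
            if rule.matches(p):
                matched = rule
                if rule.quick:                             # ...unless `quick'
                    break
        if matched is None:
            return self.default       # nothing said about this packet
        if matched.action == "pass" and matched.keep_state:
            self.state.add(flow)
        return matched.action


def http_handshake(rules_text: str, default_block: bool) -> dict:
    """Verdicts for an inbound SYN to $local_ip1:80 and the server's SYN/ACK."""
    variables = {"local_ip1": "192.0.2.10", "local_ip2": "192.0.2.11"}  # constructed
    fw = Filter([parse_rule(l, variables) for l in rules_text.strip().splitlines()],
                default_block)
    client, server = "203.0.113.5", variables["local_ip1"]             # constructed
    syn = Packet("in", "vr0", "tcp", client, 40000, server, 80, "S")
    synack = Packet("out", "vr0", "tcp", server, 80, client, 40000, "SA")
    return {"syn_in": fw.check(syn), "synack_out": fw.check(synack)}


STATELESS = """
block in log on vr0
block in quick on vr0 proto tcp from any to any port = 135
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick on vr0 proto tcp from any to $local_ip2 port = http
"""
STATEFUL = STATELESS.replace("port = smtp", "port = smtp keep state") \
                    .replace("port = http", "port = http keep state")

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("stateful", STATEFUL)):
        for block in (False, True):
            print(name, "default_block=%s" % block, http_handshake(rules, block))
```

With the stateless rules the SYN is passed but the SYN/ACK matches no `out` rule at all, so its fate is the default policy: pass on a stock kernel, block with IPFILTER_DEFAULT_BLOCK. Once `keep state` is on the `in` rule, the SYN creates a flow entry and the reply is passed from the state table before any rule is consulted, independent of the default policy.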