Sticky pf(4)-like feature in ipfw?

Max Laier max at love2party.net
Tue Feb 8 15:44:08 PST 2005


On Wednesday 09 February 2005 00:01, Luigi Rizzo wrote:
> the 'state only based on the 3-tuple' as you describe it
> is certainly an interesting feature. It is slightly more expensive
> to implement than what I thought at first, because you should
> do two hash computations and lookups (one on the 5-tuple, one
> on the 3-tuple) on each packet trying to match a dynamic rule.
>
> I just wonder why it is named 'sticky' in pf,
> which is not really very indicative of what the function does.

It's actually called "sticky-address" and applies to all rules that select 
addresses from a pool.  It is called that way because things work a bit differently 
in PF.  You'd have a forwarding rule that selects addresses from a pool as the 
equivalent of the "prob .5 skip-to" in IPFW.  The state matching isn't 
affected at all (i.e. if you do stateful matching, PF still performs 5-tuple 
matching).  The "sticky-address" option on the pool, however, ensures that 
the next time a certain client needs to be forwarded it gets the same 
translation address.

As you said, you have to be careful with 3-tuple-only states, as it might open 
the way to injection attacks and thus allow evildoers to bypass the firewall.

> 	cheers
> 	luigi
>
> On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> > Hi,
> > I think of adding a new feature to (my local copy of) ipfw (releng5) so that
> > it also makes a sticky match when forwarding broken protocols like ftp,
> > h.323, sip, etc.
> > It's inspired by the pf(4) sticky feature as is. The general usage will be
> > for "skipto" forwarding rules as shown in the example below:
> >
> > Network ASCII-ART:
> >
> > Gateway1   Gateway2
> >
> > ---------------- 192.168.1.0/24
> >
> > [Freebsd-ipfw]
> >
> > ---------------- 192.168.3.0/24
> >
> > ipfw.sh:
> > ~~~~~~~~~~~~~~~~~~~~~~
> > #!/bin/sh
> > fwcmd="/sbin/ipfw"
> > pass="skipto 65535"
> >
> > # no whitespace around "=" in sh assignments
> > gateway_mac1="00:0e:2e:03:36:23"
> > gateway_mac2="00:0e:2e:03:37:23"
> > gateway1="192.168.1.2"
> > gateway2="192.168.1.1"
> >
> > lan_network="192.168.3.0/24"
> > broken="20,21,1720,6667,4600-4700"
> >
> > # CHECK STATES.
> > ${fwcmd} add 100 check-state
> >
> > # INCOMING TRAFFIC (select by the source MAC of the gateway it came from)
> > ${fwcmd} add 1100 skipto 10100 ip from any to any mac any \
> >     ${gateway_mac1} in recv rl0 keep-state
> > ${fwcmd} add 1200 skipto 10200 ip from any to any mac any \
> >     ${gateway_mac2} in recv rl0 keep-state
> >
> > # OUTGOING + NOT-YET-STATED PACKETS, BROKEN PROTOCOLS [LB 50%-50%]
> > ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network} to not \
> >     ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> > ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network} to not \
> >     ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> >
> > # OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> > ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network} to not \
> >     ${lan_network} in recv rl1 keep-state
> > ${fwcmd} add 2101 skipto 10201 ip from ${lan_network} to not \
> >     ${lan_network} in recv rl1 keep-state
> >
> > # DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> > ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not \
> >     ${lan_network} in recv rl1
> > ${fwcmd} add 10110 ${pass} ip from any to any
> >
> > # DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> > ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not \
> >     ${lan_network} in recv rl1
> > ${fwcmd} add 10210 ${pass} ip from any to any
> >
> > ~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> > "keep-sticky" main difference with "keep-state" is just relaxed state
> > matching
> > using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and
> > not (scr_ip:src_port + dst_ip:dst_port) straight and reversed
> > (=keep-state/limit).
> >
> > My question :
> > Does anyone has already working on such feature?
> > Cause its pretty easy to implement(*) "keep-sticky", does any of
> > ipfw developers planning to add such feature in near future?
> >
> >
> > Thanks,
> > Chris.
> >
> >
> > (*)
> > 1.  TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c,
> >     O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h,
> >     and copy the TOK_KEEPSTATE+O_KEEPSTATE code
> >     as a new case of the cmd+rule argument.
> > 2.  Some changes in the "lookup_dyn_rule_locked" function of
> >     /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
> >     when "keep-sticky" is enabled.
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
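The following is an added illustration, not code from ipfw, PF or anyone in this thread. It models the two designs the thread contrasts: ipfw dynamic-rule lookup with ordinary 5-tuple "keep-state" versus Chris's proposed 3-tuple "keep-sticky" (straight and reversed, with the second hash lookup Luigi mentions), and PF's "sticky-address", where persistence lives in the pool selection while state matching stays 5-tuple. The addresses, ports and the `Packet`, `DynRules` and `StickyPool` names are constructed; rule numbers 2000 and 2100 echo the posted ipfw.sh.

```python
# Added example: model of 5-tuple keep-state, 3-tuple keep-sticky, and a
# PF-style sticky-address pool. Constructed illustration, not ipfw/pf code;
# addresses and ports below are made up.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynRules:
    """Dynamic rule table holding both kinds of state."""

    def __init__(self) -> None:
        # 5-tuple states, as keep-state / limit create them
        self.five: Dict[Tuple[str, str, int, str, int], int] = {}
        # 3-tuple states, as the proposed keep-sticky would create them
        self.three: Dict[Tuple[str, str, str], int] = {}

    def keep_state(self, p: Packet, rule: int) -> None:
        self.five[(p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = rule

    def keep_sticky(self, p: Packet, rule: int) -> None:
        self.three[(p.proto, p.src_ip, p.dst_ip)] = rule

    def lookup(self, p: Packet) -> Optional[int]:
        """check-state: 5-tuple straight and reversed, then 3-tuple straight
        and reversed. Two tables mean two hash lookups per packet, which is
        the extra cost raised in the thread."""
        k5 = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        r5 = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        for k in (k5, r5):
            if k in self.five:
                return self.five[k]
        k3 = (p.proto, p.src_ip, p.dst_ip)
        r3 = (p.proto, p.dst_ip, p.src_ip)
        for k in (k3, r3):
            if k in self.three:
                return self.three[k]
        return None


class StickyPool:
    """PF-style address pool: a gateway is chosen per new flow, but with
    sticky-address the choice is remembered per source address so later
    flows from that client keep the same translation/forwarding address."""

    def __init__(self, gateways: List[str], rng: random.Random) -> None:
        self.gateways = gateways
        self.rng = rng
        self.sticky: Dict[str, str] = {}

    def select(self, src_ip: str) -> str:
        if src_ip not in self.sticky:
            self.sticky[src_ip] = self.rng.choice(self.gateways)
        return self.sticky[src_ip]


CLIENT, SERVER = "192.168.3.10", "203.0.113.5"  # constructed addresses


def sticky_state_demo() -> Dict[str, Optional[int]]:
    """Active-mode FTP through a keep-sticky state created by rule 2000."""
    t = DynRules()
    t.keep_sticky(Packet("tcp", CLIENT, 50000, SERVER, 21), 2000)
    # the server-initiated data connection matches (the intended effect) ...
    data = Packet("tcp", SERVER, 20, CLIENT, 51234)
    # ... but so does any other port pair between the same two hosts, which
    # is the bypass risk noted in the thread: the state is per host pair
    unrelated = Packet("tcp", SERVER, 4444, CLIENT, 22)
    return {"data": t.lookup(data), "unrelated": t.lookup(unrelated)}


def keep_state_demo() -> Dict[str, Optional[int]]:
    """Same flows under ordinary keep-state: only the exact connection matches."""
    t = DynRules()
    t.keep_state(Packet("tcp", CLIENT, 50000, SERVER, 21), 2100)
    reply = Packet("tcp", SERVER, 21, CLIENT, 50000)
    data = Packet("tcp", SERVER, 20, CLIENT, 51234)
    return {"reply": t.lookup(reply), "data": t.lookup(data)}


def sticky_pool_demo() -> Tuple[str, str, bool]:
    """PF's approach: persistence comes from the pool, not from relaxed state."""
    pool = StickyPool(["192.168.1.2", "192.168.1.1"], random.Random(7))
    first = pool.select(CLIENT)
    second = pool.select(CLIENT)  # same client, same gateway
    return first, second, first in pool.gateways


if __name__ == "__main__":
    print(sticky_state_demo(), keep_state_demo(), sticky_pool_demo())
```

The contrast the functions make explicit: a 3-tuple state admits the FTP data connection it was meant for, but it equally admits any other port pair between the same two hosts until the state expires, whereas PF keeps 5-tuple states and gets the "same gateway for the same client" behaviour from the pool selection step instead.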