IPF and OOW problems

Sébastien A. VALSEMEY sebastien.valsemey at vsystems.eu
Mon Jun 12 12:00:12 UTC 2006 

Hello,

I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8.

            <WAN>
          WAN_IP/32
              |
             tun0
              |
         |---------|
         | FreeBSD |
         |---------|
          /       \
        xl0       xl1
        /           \
     <LAN>         <DMZ>
192.168.0.0/24   DMZ_BLOCK/29

I often experience in my ipf logs such packet drops (the following example is for an active upload on a FTP server located on the
first IP of the DMZ network). My IPs have been voluntary hidden for privacy purposes.

ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW

Packet drop occurs a few seconds after the beginning of the transfer, even allowing a few kilobytes to be uploaded, which means that
the connection establishes well.

And on another hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am systematically dropped with the same
kind of OOW packet, I mean the connection is not even established.

As ICMP is allowed on the whole network, I can traceroute and reach each host in the network, from inside and outside (except for
the natted LAN...). The IP masquerading for hosts located on LAN works perfectly as they can go on the Internet without any problem.

When I add the two following lines in my ipf ruleset, everything runs smoothly (but insecured!):
pass in quick all
pass out quick all

I heard that such problems occur with the same version of ipf on Solaris
(http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens because of that.

What I did wrong?

Thank you by advance for your help.

Here are extracts from my main configuration files:

[/etc/rc.conf]
<... *snip*! ...>
firewall_enable="NO"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/rc.firewall.rules"
firewall_logging="YES"
gateway_enable="YES"
icmp_drop_redirects="YES"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"
kern_securelevel="0"
kern_securelevel_enable="NO"
network_interfaces="lo0 xl0 xl1"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="My_ISP_PROFILE"
<... *snip*! ...>



[/etc/ipf.rules]
# Allow localhost traffic
pass in quick on lo0 all
pass out quick on lo0 all

# Allow all outgoing traffic from this gateway
pass out quick on tun0 from any to any keep state
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on xl0 from any to 192.168.0.0/24 keep state
pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state
pass out quick on xl1 from any to DMZ_BLOCK/29 keep state
pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state

# Allow ICMP traffic (for testing purposes)
pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state
pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state
pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state
pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state
pass out quick proto icmp from any to any keep state

# Allow FTP server
pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state
pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data keep state
pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state
pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state
# This is for the passive ports range...
pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state
pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state

# Allow Terminal services
pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state
pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state

# Default
block in log all
block return-rst in log proto tcp from any to any
block return-icmp-as-dest(port-unr) in log proto udp from any to any


[/etc/ipnat.rules]
map tun0 192.168.0.0/24  -> WAN_IP/32
map tun0 192.168.0.0/24  -> WAN_IP/32 portmap tcp/udp auto


[KERNEL_CONFIG]
device          bpf
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_PPP
options         NETGRAPH_PPPOE
options         NETGRAPH_SOCKET

More information about the freebsd-net mailing list