Ipf problem
Giorgos Keramidas
keramida at ceid.upatras.gr
Fri Jan 6 06:06:44 PST 2006
On 2006-01-06 00:17, Jacob S <stormspotter at 6Texans.net> wrote:
> Hello list,
>
> I'm having a problem setting up ipf on a FreeBSD server and can't
> figure out where I'm going wrong. I copied my ipf.rules file from
> another server I have where ipf is working great. But after I
> customized the rules to this server it is filling /var/log/messages
> with lines like the following:
>
> Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
Your rules seem to be (numbered by running a script like the following
in your ipf.rules file):
echo 'incoming traffic rules:'
echo ''
grep '^[^#].* in ' ipf.rules | cat -n
echo ''
echo 'outgoing traffic rules:'
echo ''
grep '^[^#].* out ' ipf.rules | cat -n
+-------------------------------------------------------------------------
|incoming traffic rules:
|
| 1 pass in quick on lo0 all
| 2 block in quick on em0 from 192.168.0.0/16 to any #RFC 1918 private IP
| 3 block in quick on em0 from 172.16.0.0/12 to any #RFC 1918 private IP
| 4 block in quick on em0 from 10.0.0.0/8 to any #RFC 1918 private IP
| 5 block in quick on em0 from 127.0.0.0/8 to any #loopback
| 6 block in quick on em0 from 0.0.0.0/8 to any #loopback
| 7 block in quick on em0 from 169.254.0.0/16 to any #DHCP auto-config
| 8 block in quick on em0 from 192.0.2.0/24 to any #reserved for docs
| 9 block in quick on em0 from 204.152.64.0/23 to any #Sun cluster interconnect
| 10 block in quick on em0 from 224.0.0.0/3 to any #Class D & E multicast
| 11 block in quick on em0 all with frags
| 12 block in quick on em0 proto tcp all with short
| 13 block in quick on em0 all with opt lsrr
| 14 block in quick on em0 all with opt ssrr
| 15 block in log first quick on em0 proto tcp from any to any flags FUP
| 16 block in quick on em0 all with ipopts
| 17 block in quick on em0 proto tcp from any to any port = 113
| 18 block in log first quick on em0 proto tcp/udp from any to any port = 137
| 19 block in log first quick on em0 proto tcp/udp from any to any port = 138
| 20 block in log first quick on em0 proto tcp/udp from any to any port = 139
| 21 block in log first quick on em0 proto tcp/udp from any to any port = 81
| 22 pass in quick on em0 proto tcp from any to any port = 21 flags S keep state
| 23 pass in quick on em0 proto tcp from any to any port = 22 flags S keep state
| 24 pass in quick on em0 proto tcp from any to any port = 25 flags S keep state
| 25 pass in quick on em0 proto tcp from any to any port = 53 flags S keep state
| 26 pass in quick on em0 proto udp from any to any port = 53 keep state
| 27 pass in quick on em0 proto tcp from any to any port = 110 flags S keep state
| 28 pass in quick on em0 proto tcp from any to any port = 628 flags S keep state
| 29 pass in quick on em0 proto tcp from 65.19.150.66 to any flags S keep state
| 30 pass in quick on em0 proto udp from 65.19.150.66 to any keep state
| 31 pass in quick on em0 proto tcp from 66.252.129.164 to any flags S keep state
| 32 pass in quick on em0 proto tcp from 66.252.129.165 to any flags S keep state
| 33 block in log first quick on em0 all
|
|outgoing traffic rules:
|
| 1 pass out quick on lo0 all
| 2 pass out quick on em0 proto tcp from any to 65.19.150.66 port = 53 flags S keep state
| 3 pass out quick on em0 proto udp from any to 65.19.150.66 port = 53 keep state
| 4 pass out quick on em0 proto tcp from any to any port = 80 flags S keep state
| 5 pass out quick on em0 proto tcp from any to any port = 443 flags S keep state
| 6 pass out quick on em0 proto tcp from any to any port = 110 flags S keep state
| 7 pass out quick on em0 proto tcp from any to any port = 25 flags S keep state
| 8 pass out quick on em0 proto tcp from any to any port = 37 flags S keep state
| 9 pass out quick on em0 proto tcp from any to any port = 119 flags S keep state
| 10 pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
| 11 pass out quick on em0 proto tcp from any to any port = 22 flags S keep state
| 12 pass out quick on em0 proto tcp from any to any port = 23 flags S keep state
| 13 pass out quick on em0 proto tcp from any to any port = 5999 flags S keep state
| 14 pass out quick on em0 proto icmp from any to any icmp-type 8 keep state
| 15 pass out quick on em0 proto tcp from any to any port = 43 flags S keep state
+-------------------------------------------------------------------------
The blocked packets fall through the chain of rules and end up in rule
0:33 (0 = incoming, 33 = block in log first quick on em0 all).
> The lines scroll by faster than I can read them, if I tail the logfile.
> The blocked packets in this case are coming from standard ports to
> non-standard ports. Doing a reverse lookup on the ips, it would seem
> that my server has initiated the transfer and the other servers are
> simply replying. (I deduce that from the blocked ips because they belong
> to hostnames that I would not expect to be flooding my server. Namely,
> the first ip is for l.root-servers.net.)
This seems to be an issue with the timeout of rule states. What do you
see if you run...
$ sysctl -a | fgrep ipf.
it should be something like:
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_pass: 134217730
net.inet.ipf.fr_flags: 0
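Added example, not part of the thread: a small parser for the ipmon(8) line format quoted above that groups blocked packets by the @group:rule they hit and applies the check Jacob did by hand. An inbound packet blocked by the final rule 0:33 that comes from a service port to an ephemeral local port, and for TCP carries -AS (SYN+ACK), is the reply to a connection the server itself opened, so it only reaches 0:33 when no state entry or pass rule matched it. The sample log is constructed (the first three lines mirror the quoted ones, the fourth is an invented probe).

```python
import re
from collections import Counter

# Constructed sample in ipmon(8) log format: the first three lines mirror the
# ones quoted in the thread, the fourth is a made-up unsolicited NetBIOS probe.
SAMPLE_LOG = """\
Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
Jan 4 15:15:22 pikeman ipmon[222]: 15:15:22.103311 em0 @0:20 b 198.51.100.7,1027 -> 65.19.150.68,139 PR tcp len 20 48 -S IN
"""

# One ipmon record: optional "Nx" repeat count, interface, @group:rule, action
# letter, src,port -> dst,port, protocol, header/packet length, optional TCP
# flags and the direction.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>[\d:.]+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<direction>IN|OUT)"
)

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def looks_like_reply(rec):
    """A blocked inbound packet from a well-known service port to an ephemeral
    local port is a reply to a connection this host started; a TCP -AS
    (SYN+ACK) makes that certain. Such packets only reach the catch-all block
    rule when no state entry matched them."""
    if rec["action"] != "b" or rec["direction"] != "IN":
        return False
    if rec["sport"] is None or rec["dport"] is None:
        return False
    if rec["proto"] == "tcp" and rec["flags"] == "-AS":
        return True
    return rec["sport"] < 1024 and rec["dport"] >= 1024

def summarize(log_text):
    """Count blocked packets per (group:rule, kind), honouring the Nx repeat count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec is None:
            continue
        kind = "reply-to-local-connection" if looks_like_reply(rec) else "unsolicited"
        counts[(f"{rec['group']}:{rec['rule']}", kind)] += rec["count"]
    return counts
```

Feed it `/var/log/messages` and a large reply-to-local-connection count on the catch-all rule points at missing `keep state` coverage on the matching outbound rule or at expired state entries, rather than at a flood.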