ipv6 ipfilter + keep state bug? (releng_7)
Darren Reed
darrenr at freebsd.org
Sat Oct 27 12:01:15 PDT 2007
Peter Kieser wrote:
> Hello,
>
> I'm having similar issues (intermittent connectivity as if the dynamic
> rule table isn't being kept properly) using IP Filter with IPv6 and
> keep state rules as I was having with ipfw (see "ipfw2 keep-state +
> IPv6 on RELENG_7"), IPv4 keep state rules work as expected. I've
> verified that it is not in fact a network problem (adding an "allow
> all" fixes the problem again).
>
> My rules are as follows, CVSup from today (Wed Oct 24 10:54:23 PDT),
> em0 is my external interface:
>
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass out quick on em0 keep state
> pass in quick on em0 proto tcp from any to any port = 22
This is asking for trouble, regardless of which firewall you use.
For best performance, the "keep state" part should be triggered by
a rule that mentions the TCP SYN flag somewhere. So for IPFilter,
the rule should be:
pass in quick on em0 proto tcp from any to any port = 22 flags S keep state
(for inbound ssh) and for outbound ssh, you should have an explicit rule
like this for tcp:
pass out quick on em0 proto tcp all flags S keep state
If you don't trigger stateful filtering on SYN packets then the firewall doesn't have a chance to record the window scaling options that are present in the SYN/SYN-ACK packets at the start of a connection and thus can't correctly determine if packets coming later are inside or outside the TCP window.
Darren
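As an added illustration of the window-scaling point above (not IPFilter's code, and deliberately simplified: a real state engine tracks both ends of each segment in both directions), the following Python shows why a state entry created from a non-SYN packet misjudges a later, perfectly legitimate segment; all packet values are constructed.

```python
"""Why "flags S keep state" matters: the TCP window-scale option travels
only in SYN/SYN-ACK, so a state entry created mid-stream cannot scale
the advertised window and will misjudge later segments.
Added example, not IPFilter's code; all packet values are constructed."""
import struct
from typing import Optional

def parse_wscale(options: bytes) -> Optional[int]:
    """Return the window-scale shift (option kind 3) from a TCP option block."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # EOL: no more options
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 3 and length == 3:
            return options[i + 2]
        i += length
    return None

def make_state(window: int, ack: int, options: bytes, from_syn: bool) -> dict:
    """Record one side's advertised window; the shift is only learned on SYN."""
    shift = parse_wscale(options) if from_syn else None
    return {"ack": ack, "win": window, "shift": shift or 0}

def in_window(state: dict, seq: int) -> bool:
    """Does the peer's segment starting at `seq` fall inside the scaled window?"""
    window = state["win"] << state["shift"]
    return (seq - state["ack"]) % 2**32 <= window

# Constructed SYN options: MSS 1460, NOP, window scale 7 (multiply by 128)
SYN_OPTS = struct.pack("!BBH", 2, 4, 1460) + b"\x01" + bytes([3, 3, 7])

def demo():
    """Same segment judged by a SYN-created state and a mid-stream state."""
    good = make_state(window=512, ack=1000, options=SYN_OPTS, from_syn=True)
    late = make_state(window=512, ack=1000, options=b"", from_syn=False)
    seq = 1000 + 40000           # legitimate data 40 KB into the flow
    return in_window(good, seq), in_window(late, seq)

if __name__ == "__main__":
    print(demo())                # (True, False)
```

The second result is the "intermittent connectivity" symptom: the segment is inside the real 64 KB window but outside the unscaled 512-byte window the state engine believes in.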