Problems with IPFW causing failed DNS and FTP sessions

Michael Sierchio kudzu at tenebras.com
Mon Apr 1 04:59:06 UTC 2013 

I'll give you a more cogent reply tomorrow - if you use keep-state
rules, you want to be a little more specific - for tcp, you want
"allow tcp from X to Y setup keep-state" - i.e. you start the stateful
rule on packets that have the SYN flag set.  There are some other
oddities here - I'm guessing that the firewall rules are there to
protect this box itself...  in which case your stateful rules really
need only to consider "outbound" traffic, and to allow replies.  Let
me know if that assumption is erroneous.  More later.  Time for ZZZZ

- M

On Sun, Mar 31, 2013 at 9:33 PM, Don O'Neil <lists at lizardhill.com> wrote:
> Thanks for the response... here's my full rullset:
>
> # ipfw list
> 00100 check-state
> 00101 allow tcp from any to any established
> 00102 allow ip from any to any out keep-state
> 00103 allow icmp from any to any
> 00201 allow ip from any to any via lo0
> 00202 allow ip from any to 127.0.0.0/8
> 00203 allow ip from 127.0.0.0/8 to any
> 00204 deny tcp from any to any frag
> 00301 deny log logamount 50 ip from any to any ipoptions rr
> 00302 deny log logamount 50 ip from any to any ipoptions ts
> 00303 deny log logamount 50 ip from any to any ipoptions lsrr
> 00304 deny log logamount 50 ip from any to any ipoptions ssrr
> 00305 deny log logamount 50 tcp from any to any tcpflags syn,fin
> 00306 deny log logamount 50 tcp from any to any tcpflags syn,rst
> 01110 allow tcp from any to any dst-port 20 in
> 01111 allow tcp from any to any dst-port 20 out
> 01112 allow tcp from any to any dst-port 21 in
> 01113 allow tcp from any to any dst-port 21 out
> 01114 allow tcp from any to any dst-port 990 in
> 01115 allow tcp from any to any dst-port 990 out
> 01116 allow udp from any to any dst-port 990 in
> 01117 allow udp from any to any dst-port 990 out
> 01118 allow tcp from any to any dst-port 989 in
> 01119 allow tcp from any to any dst-port 989 out
> 01120 allow udp from any to any dst-port 989 in
> 01121 allow udp from any to any dst-port 989 out
> 01122 allow tcp from any to any dst-port 1024-65000 keep-state
> 01125 allow tcp from any to any dst-port 22 in
> 01126 allow tcp from any to any dst-port 22 out
> 01130 allow tcp from any to any dst-port 25 in
> 01131 allow tcp from any to any dst-port 25 out
> 01132 allow tcp from any to any dst-port 587 in
> 01133 allow tcp from any to any dst-port 587 out
> 01134 allow tcp from any to any dst-port 2525 in
> 01135 allow tcp from any to any dst-port 2525 out
> 01140 allow tcp from any to any dst-port 110 in
> 01141 allow tcp from any to any dst-port 110 out
> 01142 allow tcp from any to any dst-port 995 in
> 01143 allow tcp from any to any dst-port 995 out
> 01144 allow tcp from any to any dst-port 2110 in
> 01145 allow tcp from any to any dst-port 2110 out
> 01150 allow tcp from any to any dst-port 143 in
> 01151 allow tcp from any to any dst-port 143 out
> 01152 allow tcp from any to any dst-port 993 in
> 01153 allow tcp from any to any dst-port 993 out
> 01160 allow udp from any to any dst-port 53 in keep-state
> 01161 allow tcp from any to any dst-port 53 in keep-state
> 01162 allow udp from any to any dst-port 53 out keep-state
> 01163 allow tcp from any to any dst-port 53 out keep-state
> 01170 allow tcp from any to any dst-port 80 in
> 01171 allow tcp from any to any dst-port 80 out
> 01172 allow tcp from any to any dst-port 443 in
> 01172 allow tcp from any to any dst-port 443 out
> 01180 allow tcp from any to any dst-port 2222 in
> 01181 allow tcp from any to any dst-port 2222 out
> 65535 deny ip from any to any
>
>
> I've tried these rules;
>
> 01160 allow udp from any to any dst-port 53 in
> 01161 allow tcp from any to any dst-port 53 in
> 01162 allow udp from any to any dst-port 53 out
> 01163 allow tcp from any to any dst-port 53 out
>
> Without the keep-state option, and the problem is still persisting...
>
> The weird thing is that I've run these rules for a number of years without
> any issues until just recently. I've checked my interface stats to make sure
> there aren't a bunch of fragmented packets or errors, and there aren't. I'm
> not running NAT, it's a publically accessible IP address.
>
> -----Original Message-----
> From: Michael Sierchio [mailto:kudzu at tenebras.com]
> Sent: Sunday, March 31, 2013 8:58 PM
> To: Don O'Neil
> Cc: freebsd-questions at freebsd.org
> Subject: Re: Problems with IPFW causing failed DNS and FTP sessions
>
> It would be really helpful if you'd post the ruleset.
>
> At first glance, your stateful rules seem rather wrong, unless there's a
> check-state above.  Also, in and out aren't discriminating enough - every
> packet is seen by the ruleset more than once.  You should think in terms of
> interfaces, direction, etc.
>
> Are you doing NAT?  Stateful rules with NAT are indeed possible, but subtle.
>
> Your problem has nothing to do with server load, and probably everything to
> do with not-terribly-well-conceived ruleset.  Please post yours here.
>
> - M
>
> On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil <lists at lizardhill.com> wrote:
>> Hi everyone. recently my server started having issues with DNS and FTP
>> sessions either not resolving or timing out. I've tracked the issue
>> down to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues
> go away.
>>
>>
>>
>> I have the basic rules like this for dns;
>>
>>
>>
>> 01160 allow udp from any to any dst-port 53 in keep-state
>>
>> 01161 allow tcp from any to any dst-port 53 in keep-state
>>
>> 01162 allow udp from any to any dst-port 53 out keep-state
>>
>> 01163 allow tcp from any to any dst-port 53 out keep-state
>>
>>
>>
>> When I try an nslookup sometimes they fail, sometimes they get
>> through, even if I change my DNS server to google, my ISP, or even
>> OpenDNS. the firewall seems to be causing the issue.
>>
>>
>>
>> I have about 65 rules in all.
>>
>>
>>
>> Any ideas what could be causing this? My server load is low, usually
>> hovering around .2
>>
>>
>>
>> How can I look at the actual amount of traffic that the IPFW module is
>> processing and track down potential performance issues? My server
>> isn't pushing much data, only around 4-5 Mbps sustained.
>>
>>
>>
>> Thanks!
>>
>>
>>
>>
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>

More information about the freebsd-questions mailing list