Wed, 24 Oct 2018 21:42:00 +0300 - "Andrey V. Elsukov" <bu7c...@yandex.ru>:

> On 24.10.2018 19:22, Ole wrote:
> > # ipfw -d list 
> > (...)
> > 01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup
> > keep-state :default (...)
> > ## Dynamic rules (1 152):
> > 01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default
> > 
> > # ipfw -q flush
> > 
> > # ipfw -d list
> > 65535 allow ip from any to any
> > ## Dynamic rules (2 288):
> > Segmentation fault (core dumped)
> This problem is related to named states: the kernel doesn't dump the list
> of known state names, and this is the cause of the SIGSEGV.

Ok, I got a little bit confused.

I was searching for a workaround. So I changed the rules from

    $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup
    limit src-addr 50

to

    $cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif
    keep-state

In my understanding of IPFW(8), the 'setup' command puts new entries
into the dynamic table if it

  " Matches TCP packets that have the SYN bit set but no ACK bit." 

So only when a new TCP connection is being established. That is the reason
why connections get broken after a reload (including flush).


My idea was just to use 'keep-state', because this also puts new entries
into the dynamic table, but for every packet.

  " Upon a match, the firewall will create a dynamic rule,
    whose default behaviour is to match bidirectional traffic between
    source and destination IP/port using the same protocol."

But after a reload, the dynamic rules are gone, and they will not get
updated. TCP connections get broken.

Interesting: if I set 'sysctl net.inet.ip.fw.dyn_keep_states=1', the
firewall behaves like I expected above. But not because dynamic rules
got recreated. They don't get flushed:

# ipfw -da list
(...)
01610  223  26457 (282s) STATE tcp xx.xx.xx.xx 36955 <-> xx.xx.xx.xx 22 :default
(...)
# service ipfw restart
Firewall rules loaded.
# ipfw -da list
(...)
01610  223  26457 (278s) STATE tcp xx.xx.xx.xx 36955 <-> xx.xx.xx.xx 22 :default
(...)


So do you think the bug is only related to 'setup' and not to 'keep-state'
rules? Or is this just a coincidence?
I have been reloading the rules every minute for 1h now, and an ssh connection is still stable.


> I have the WIP patch https://people.freebsd.org/~ae/keep_states.diff
> It fixes this problem and also adds support for all rule actions.
> Also it adds a new -D flag that allows showing only states and deleting
> only states. I have tested it basically, but it probably needs some
> work related to "limit" dynamic states.
> So if you want to test some patches, you can try :)
> I tried to apply the patch and observed that stable/11 has a small
> difference in UMA code, so you need to use this patch:
>       https://people.freebsd.org/~ae/keep_states11.diff
> 
> Again, I have not yet tested it widely, and on stable/11 did not
> test it at all.


Great, thanks, I will give it a try in a testing setup!


regards
Ole
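An added check, not from this thread and not part of FreeBSD's ipfw: it parses two `ipfw -da list` captures taken before and after `service ipfw restart` and reports which dynamic states survived, which is the observation made above with `net.inet.ip.fw.dyn_keep_states=1`. The captures below are constructed in the shape of the output quoted in the thread (RFC 5737 addresses stand in for the masked ones). It also flags a listing whose `## Dynamic rules (N)` header promises more states than were actually printed, the shape of the segfaulting listing quoted at the top of the thread.

```python
"""Check whether ipfw dynamic states survive a rule reload.

Parses two `ipfw -da list` captures (before and after a reload) and reports
which STATE entries persisted. The captures are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One dynamic state as printed by `ipfw -da list` (with -a counters shown).
STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<name>:\S+)\s*$"
)
# Header line; ipfw groups digits with a space ("1 152"), so allow spaces.
HEADER_RE = re.compile(r"^## Dynamic rules \((?P<count>[\d ]+)\):")

Key = Tuple[str, str, int, str, int, str]  # proto, src, sport, dst, dport, state name


@dataclass
class State:
    rule: int
    pkts: int
    nbytes: int
    ttl: int  # remaining lifetime in seconds


@dataclass
class Listing:
    declared: Optional[int]      # count from the "## Dynamic rules (N):" header
    states: Dict[Key, State]     # states actually printed


def parse_listing(text: str) -> Listing:
    declared = None
    states: Dict[Key, State] = {}
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            declared = int(h.group("count").replace(" ", ""))
            continue
        m = STATE_RE.match(line)
        if m:
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["name"])
            states[key] = State(int(m["rule"]), int(m["pkts"]), int(m["nbytes"]), int(m["ttl"]))
    return Listing(declared, states)


def listing_is_complete(listing: Listing) -> bool:
    """True when the header count matches the number of STATE lines printed."""
    return listing.declared is None or listing.declared == len(listing.states)


def compare(before: Listing, after: Listing) -> Dict[str, set]:
    survived = set(before.states) & set(after.states)
    # A state that really survived keeps counting down its timer, so its
    # remaining lifetime after the reload cannot exceed the one seen before.
    timer_continued = {k for k in survived if after.states[k].ttl <= before.states[k].ttl}
    return {
        "survived": survived,
        "lost": set(before.states) - set(after.states),
        "new": set(after.states) - set(before.states),
        "timer_continued": timer_continued,
    }


# Constructed sample captures (RFC 5737 addresses; not real hosts).
BEFORE_RESTART = """\
01610 allow tcp from 192.0.2.7 to me 22 in via vtnet0 setup limit src-addr 50
65535 allow ip from any to any
## Dynamic rules (2):
01610  223  26457 (282s) STATE tcp 192.0.2.7 36955 <-> 198.51.100.5 22 :default
01510   12   1020 (300s) STATE tcp 198.51.100.5 54451 <-> 203.0.113.9 6514 :default
"""
AFTER_RESTART = """\
01610 allow tcp from 192.0.2.7 to me 22 in via vtnet0 setup limit src-addr 50
65535 allow ip from any to any
## Dynamic rules (2):
01610  223  26457 (278s) STATE tcp 192.0.2.7 36955 <-> 198.51.100.5 22 :default
01510    3    180 (300s) STATE tcp 198.51.100.5 60112 <-> 203.0.113.9 6514 :default
"""
# Header printed, but the state dump never followed (constructed, mirrors the crash).
TRUNCATED_LISTING = """\
65535 allow ip from any to any
## Dynamic rules (2 288):
Segmentation fault (core dumped)
"""

if __name__ == "__main__":
    before, after = parse_listing(BEFORE_RESTART), parse_listing(AFTER_RESTART)
    result = compare(before, after)
    for k, v in result.items():
        print(f"{k}: {sorted(v)}")
    print("truncated listing complete?", listing_is_complete(parse_listing(TRUNCATED_LISTING)))
```

Run it against real captures by replacing the constructed strings with the output of `ipfw -da list` taken before and after the reload; a state that appears in `survived` but not in `timer_continued` is one whose timer was reset, i.e. it was recreated by traffic rather than kept.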
