I am using ipfilter 4.1.28 on FreeBSD 6.3 as a home firewall. On several occasions recently, ipfilter has suddenly started blocking NTP traffic between the firewall and an internal host. I haven't made any changes to either system. Can anyone explain what might be triggering this? Looking through my logs, there are no other obvious cases where packets are incorrectly blocked.

The firewall has relatively little traffic and 'ipfstat -s' doesn't report anything anomalous. The only possibly relevant thing I can see is that all the blockings started just after a 5-minute boundary and cron runs 'ipfs -W' every 5 minutes. I have previously bumped into a problem where 'ipfs -W' was blocking state-entry creation/updating whilst it ran and this was causing TCP connections to be dropped but here the problem is continuing well after 'ipfw -W' completes.

Relevant ipfilter rules (as reported by ipfstat whilst the problem exists):

# Group 10
pass in quick on fxp1 proto tcp from any to any keep state keep frags group 10
pass in quick on fxp1 proto udp from any to any keep state keep frags group 10
pass in quick on fxp1 proto icmp from any to any keep state keep frags group 10
block in log quick all group 10

Please excuse the long lines.

ipmon logs output:

Sep 29 19:58:35 fwall ipmon[603]: 19:58:35.270402 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Sep 29 19:59:52 fwall ipmon[603]: 19:59:51.611141 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 2 Bytes in 152 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Sep 29 20:00:41 fwall ipmon[603]: 20:00:41.270090 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Sep 29 20:00:56 fwall ipmon[603]: 20:00:56.593122 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Sep 29 20:02:50 fwall ipmon[603]: 20:02:50.270112 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Sep 29 20:04:09 fwall ipmon[603]: 20:04:09.533682 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Sep 29 20:05:00 fwall ipmon[603]: 20:05:00.270131 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Sep 29 20:07:09 fwall ipmon[603]: 20:07:09.269806 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
[blocking repeated until]
Sep 30 16:01:49 fwall ipmon[603]: 16:01:48.988846 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Sep 30 16:18:52 fwall ipmon[603]: 16:18:51.987515 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Sep 30 16:20:57 fwall ipmon[603]: 16:20:57.028982 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Sep 30 16:21:10 fwall ipmon[603]: 16:21:10.135962 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 2 Bytes in 152 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Sep 30 16:22:00 fwall ipmon[603]: 16:22:00.028550 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Sep 30 16:23:17 fwall ipmon[603]: 16:23:17.099838 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 2 Bytes in 152 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76

Oct 2 14:28:58 fwall ipmon[603]: 14:28:57.822946 STATE:NEW 192.168.123.128,123 -> 192.168.123.123,123 PR udp
Oct 2 14:30:00 fwall ipmon[603]: 14:30:00.405831 STATE:EXPIRE 192.168.123.128,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Oct 2 14:30:01 fwall ipmon[603]: 14:30:00.823044 fxp1 @10:4 b 192.168.123.128,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 2 14:31:06 fwall ipmon[603]: 14:31:05.822704 fxp1 @10:4 b 192.168.123.128,123 -> 192.168.123.123,123 PR udp len 20 76 IN
...
Oct 2 16:59:37 fwall ipmon[603]: 16:59:37.822184 fxp1 @10:4 b 192.168.123.128,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 2 17:16:44 fwall ipmon[603]: 17:16:43.821356 fxp1 @10:4 b 192.168.123.128,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 2 17:33:50 fwall ipmon[603]: 17:33:49.821395 STATE:NEW 192.168.123.128,123 -> 192.168.123.123,123 PR udp
Oct 2 17:35:50 fwall ipmon[603]: 17:35:49.986601 STATE:EXPIRE 192.168.123.128,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0

I believe both these corrected themselves as I don't recall doing anything.

Oct 9 01:43:57 fwall ipmon[603]: 01:43:56.793329 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Oct 9 01:44:28 fwall ipmon[603]: 01:44:27.459511 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Oct 9 01:45:01 fwall ipmon[603]: 01:45:00.792919 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 9 01:46:05 fwall ipmon[603]: 01:46:04.793509 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN

This time I reloaded ipfilter. And now this morning:

Oct 11 01:58:56 fwall ipmon[603]: 01:58:56.794003 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Oct 11 01:59:12 fwall ipmon[603]: 01:59:12.389759 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Oct 11 02:00:00 fwall ipmon[603]: 02:00:00.793672 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
...
Oct 11 07:54:27 fwall ipmon[603]: 07:54:26.793149 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 11 08:02:58 fwall ipmon[603]: 08:02:57.793191 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Oct 11 08:04:58 fwall ipmon[603]: 08:04:57.874975 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0

Again, this corrected itself.

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour.
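
One way to check the 5-minute-boundary observation above against a complete ipmon log, added here as an example and not part of the original message: it finds the first blocked packet of each episode per flow and reports how many seconds past a cron boundary it arrived. The regex assumes the line shapes quoted in the post, and the 300-second period is the cron interval the post mentions.

```python
import re

# Excerpt of the ipmon lines quoted in the post above (not the full log).
SAMPLE = """\
Sep 29 20:04:09 fwall ipmon[603]: 20:04:09.533682 STATE:EXPIRE 192.168.123.200,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Sep 29 20:05:00 fwall ipmon[603]: 20:05:00.270131 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Sep 29 20:07:09 fwall ipmon[603]: 20:07:09.269806 fxp1 @10:4 b 192.168.123.200,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Sep 30 16:20:57 fwall ipmon[603]: 16:20:57.028982 STATE:NEW 192.168.123.200,123 -> 192.168.123.123,123 PR udp
Oct 2 14:30:00 fwall ipmon[603]: 14:30:00.405831 STATE:EXPIRE 192.168.123.128,123 -> 192.168.123.123,123 PR udp Forward: Pkts in 1 Bytes in 76 Pkts out 0 Bytes out 0 Backward: Pkts in 0 Bytes in 0 Pkts out 1 Bytes out 76
Oct 2 14:30:01 fwall ipmon[603]: 14:30:00.823044 fxp1 @10:4 b 192.168.123.128,123 -> 192.168.123.123,123 PR udp len 20 76 IN
Oct 2 17:33:50 fwall ipmon[603]: 17:33:49.821395 STATE:NEW 192.168.123.128,123 -> 192.168.123.123,123 PR udp
"""

# Assumption: syslog prefix, ipmon timestamp, then either STATE:<event> or
# "<interface> @<group>:<rule> <action>", exactly as in the quoted lines.
LINE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) \S+ \S+ ipmon\[\d+\]: "
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
    r"(?:STATE:(?P<state>\w+)|\S+ @(?P<rule>\d+:\d+) (?P<act>\w)) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\w+)")

def block_onsets(text, period=300):
    """Return (date, time, flow, rule, secs_past_boundary) for the first
    blocked packet of each episode, tracked separately per flow."""
    last_blocked = {}  # flow -> True if that flow's previous event was a block
    onsets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated syslog line
        flow = (m["src"], m["dst"], m["proto"])
        blocked = m["act"] == "b"  # ipmon action letter 'b' = blocked
        if blocked and not last_blocked.get(flow, False):
            # Use the ipmon timestamp; the syslog one can lag by a second.
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            when = f'{m["h"]}:{m["m"]}:{m["s"]}'
            onsets.append((m["date"], when, flow, m["rule"],
                           round(secs % period, 6)))
        last_blocked[flow] = blocked
    return onsets

if __name__ == "__main__":
    for date, when, flow, rule, offset in block_onsets(SAMPLE):
        print(f"{date} {when} rule @{rule} {flow[0]} -> {flow[1]}: "
              f"{offset:.3f}s after a 5-minute boundary")
```

Onsets that cluster within a second or so of the boundary across many episodes support the correlation with the cron job; onsets spread evenly over the 300 seconds would argue against it.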
