As that solution points out, the sniffer point of view can be
wrong due to hardware checksum offload - i.e. turn it off for
the tests, to make sure.

I think that you can try testing whether ipfilter is breaking
your packets/frames by loading it up with an empty set of rules,
or with ruleset like
  pass in quick all
  pass out quick all

As I wrote earlier, on my system whenever ipf module is loaded
and the ruleset is flushed or set even to the allow-all example
above, the system disappears from traceroutes. I can "ping"
it however.

Concerning your problem, I have actually hit it with a Cisco
firewall sometime back. The problem is that your packets are
broadcasts, but your rulesets below seem to specify only the
specific subnet numbers.

In Cisco notation, the relevant working access-list rule
permissions look like:

access-list 100 remark -- Permit DHCP on Magistral
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any eq bootps any
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any eq bootpc any

Hopefully, it won't take you over a minute to translate
these rules to ipf ;)

HTH,
//Jim

Steve Clark wrote:
On 08/22/2009 07:19 AM, Jim Klimov wrote:
I guess I figured it out somewhat, and searching the very
old archives did play a part in this.

http://www.mail-archive.com/[email protected]/msg07513.html

The tcpdump problems are cosmetic and related to hardware
checksum offloading. However, even after setting the flag
to zero and rebooting, the problem persists as in the
reproduction scenario quoted below.

That is, tcpdump on the router host no longer complains
about checksums in most cases, but some still persist i.e.

15:17:11.448413 08:00:27:f6:dc:bd>  00:e0:81:5e:9f:cb, ethertype
IPv4 (0x0800), length 60: (tos 0x0, ttl   1, id 32159, offset 0,
flags [none], proto: ICMP (1), length: 40) 192.168.186.250>
194.67.183.19: ICMP echo request, id 33306, seq 0, length 20

15:17:11.448450 00:e0:81:5e:9f:cb>  08:00:27:f6:dc:bd, ethertype
IPv4 (0x0800), length 82: truncated-ip - 17340 bytes missing!
(tos 0x0, ttl 255, id 39119, offset 512, flags [none],
proto: ICMP (1), length: 17408, bad cksum ec9a (->e89e)!)
192.168.186.2>  192.168.186.250: icmp

So I'm back into debugging the networking setup.

Jim Klimov wrote:
I forgot to mention that, like before, this system is a Sun
Fire X2100 (pre-M2) server with an nge and a bge couple of
interfaces, so most of OS interfaces are VLANs. The one in
question as the external connection certainly is, bge126000.

Maybe some hardcoded offset stuff breaks when Ethernet VLAN
tag bytes come into play?

Jim Klimov wrote:
Hello Darren et al,

I think I have déjà vu again: with IPF 4.1.33 active my
firewall does not respond to pings while tracing through it.

This happens specifically after the rules are touched by
the driver, i.e. reproduction:
1) /etc/init.d/ipfilter stop
    - module is unloaded, my router responds to tracert
2) modload /usr/kernel/drv/ipf
    - host still responds
3) ipf -Fy
    - host stops responding even while the rule list is empty
    When I load rules which pass all packets in and out, host
    is still out of the traces.

Since other hosts "around" it respond to traces, it may be
that packets entering and exiting the system are mangled
in a similar manner, and packets originating or terminating
on the host are only mangled once - so they break. However
SSH to the machine works well, so there's something deeper
than that.

Seems this also breaks NAT. At the very least, it is not
working for me now (but packets don't panic the kernel
either, which is an improvement compared to my previous
experimental builds).

16:45:28.354506 IP (tos 0x0, ttl 127, id 1150, offset 0,
flags [DF], proto: TCP (6), length: 48) 93.175.31.2.1821
  >  193.169.34.3.22107: S, cksum 0x957f (correct),
738265398:738265398(0) win 64240<mss 1366,nop,nop,sackOK>

16:45:28.500340 IP (tos 0x0, ttl  64, id 42280, offset 0,
flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->354a)!)
93.175.31.2.1821>  193.169.34.3.22107: R, cksum 0x0000
(incorrect (->  0xbcd2), 738265399:738265399(0) win 0

Hi Jim,

I am using IPFilter 4.1.32 on CentOS 5.3, Linux kernel 2.6.18-128.1.10.el5

Did you figure anything out on this:
15:17:11.448450 00:e0:81:5e:9f:cb>  08:00:27:f6:dc:bd, ethertype
IPv4 (0x0800), length 82: truncated-ip - 17340 bytes missing!
(tos 0x0, ttl 255, id 39119, offset 512, flags [none],
proto: ICMP (1), length: 17408, bad cksum ec9a (->e89e)!)
192.168.186.2>  192.168.186.250: icmp

I'm seeing a similar problem with bootp responses: dhclient is discarding
the response, so I can't pull an address with ipf on.


/sbin/dhclient -cf /etc/dhclient.conf
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

reason is PREINIT
interface is eth1
/etc/foxbox-dhclient-script: PREINIT for eth1
oldip is 192.168.198.178
Listening on LPF/eth1/00:02:b6:36:97:9f
Sending on   LPF/eth1/00:02:b6:36:97:9f
Sending on   Socket/fallback
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 10
5 bad IP checksums seen in 5 packets
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 14
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 10
5 bad IP checksums seen in 5 packets
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 3
No DHCPOFFERS received.
Trying recorded lease 192.168.198.178
reason is TIMEOUT
interface is eth1
/etc/foxbox-dhclient-script: TIMEOUT for eth1

[r...@z2966 ~]# tcpdump -nlvvi eth1 port 67 or port 68
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:15:58.095208 IP (tos 0x10, ttl 16, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:02:b6:36:97:9f, length: 300, xid:0xe549556a, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:15:58.095922 IP truncated-ip - 23205 bytes missing! (tos 0x0, ttl 128, id 27103, offset 0, flags [none], proto: UDP (17), length: 23553, bad cksum 48c3 (->ee1d)!) 192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 23525, xid:0xe549556a, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:01.003339 IP (tos 0x10, ttl 16, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:02:b6:36:97:9f, length: 300, xid:0xe549556a, secs:3, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:01.003851 IP truncated-ip - 23205 bytes missing! (tos 0x0, ttl 128, id 27115, offset 0, flags [none], proto: UDP (17), length: 23553, bad cksum 48b7 (->ee11)!) 192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 23525, xid:0xe549556a, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:16:05.064004 IP truncated-ip - 19635 bytes missing! (tos 0x0, ttl 128, id 0, offset 0, flags [none], proto: UDP (17), length: 19969, bad cksum 39a0 (->ecec)!) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1e:68:5e:b2:5f, length: 19941, xid:0x56f3cba3, flags: [Broadcast] (0x8000)
          Client Ethernet Address: 00:1e:68:5e:b2:5f [|bootp]



Now with ipfilter off via ipf -Fa:

/sbin/dhclient -cf /etc/dhclient.conf
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

reason is PREINIT
interface is eth1
/etc/foxbox-dhclient-script: PREINIT for eth1
oldip is 192.168.198.178
Listening on LPF/eth1/00:02:b6:36:97:9f
Sending on   LPF/eth1/00:02:b6:36:97:9f
Sending on   Socket/fallback
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPACK from 192.168.198.70
reason is REBOOT
interface is eth1
/etc/foxbox-dhclient-script: REBOOT for eth1
oldip is 192.168.198.178
/etc/foxbox-dhclient-script: IP Address 192.168.198.178
/etc/foxbox-dhclient-script: Subnet Mask 255.255.255.0
/etc/foxbox-dhclient-script: Default Router 192.168.198.252
/etc/foxbox-dhclient-script: DNS Servers 192.168.198.70 192.168.198.72 192.168.192.26 192.168.198.215 192.168.198.205
bound to 192.168.198.178 -- renewal in 216727 seconds.


[r...@z2966 ~]# uname -a
Linux Z2966.tester.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i586 i586 i386 GNU/Linux
[r...@z2966 ~]# tcpdump -nlvvi eth1 port 67 or port 68
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:21:52.499996 IP (tos 0x10, ttl 16, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:02:b6:36:97:9f, length: 300, xid:0x2f43b119, flags: [none] (0x0000)
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]
10:21:52.500840 IP (tos 0x0, ttl 128, id 28479, offset 0, flags [none], proto: UDP (17), length: 348) 192.168.198.70.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 320, xid:0x2f43b119, flags: [none] (0x0000)
          Your IP: 192.168.198.178
          Client Ethernet Address: 00:02:b6:36:97:9f [|bootp]



IPF rules:

block in log from any to any
block in log quick from any to any with short
pass in quick on lo from any to any
pass out quick on lo from any to any
pass out proto tcp from any to any flags S/S keep state
pass out proto udp from any to any keep state
pass out proto icmp from any to any keep state
block in on eth1 from 10.0.0.0/8 to any
block in on eth1 from 172.16.0.0/12 to any
block in on eth1 from 192.168.0.0/16 to any
block in on eth1 from 10.254.1.4/32 to any
block in on eth1 from 10.254.1.0/24 to any
pass in quick on eth0 proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 22 keep state
pass in quick on eth0 proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 8081 keep state
pass in quick on eth0 proto icmp from 10.254.1.0/24 to 10.254.1.4/32 icmp-type 8 keep state
pass in quick on eth0 proto udp from 10.254.1.0/24 port >= 1024 to 10.254.1.4/32 port = 161 keep state
pass in quick on eth0 proto udp from 10.254.1.0/24 port >= 1024 to 10.254.1.4/32 port = 162 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 23 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 21 keep state
pass in quick proto tcp from 10.254.1.0/24 port = 20 to any port > 1023 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 119 keep state
pass in quick proto udp from 10.254.1.0/24 port = 137 to 10.254.1.255/32 port = 137 keep state
pass in quick proto udp from 10.254.1.0/24 port = 138 to 10.254.1.255/32 port = 138 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.255/32 port = 139 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 80 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to any port = 443 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 25 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 110 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 143 keep state
pass in quick proto tcp from any port > 1023 to 10.254.1.4/32 port = 25 keep state
pass in quick proto udp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 53 keep state
pass in quick proto udp from 10.254.1.0/24 port = 53 to 10.254.1.4/32 port = 53 keep state
pass in quick proto udp from 10.254.1.0/24 port = 137 to 10.254.1.4/32 port = 137 keep state
pass in quick proto udp from 10.254.1.0/24 port = 138 to 10.254.1.4/32 port = 138 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 139 keep state
pass in quick proto tcp from 10.254.1.0/24 port > 1023 to 10.254.1.4/32 port = 8080 keep state
pass in quick proto icmp from any to 10.254.1.4/32 keep state
pass in quick proto tcp from any port > 1023 to 10.254.1.4/32 port = 80 keep state
pass in quick on eth1 proto tcp from any port > 1023 to 192.168.198.178/32 port = 22 keep state
pass in quick on eth1 proto tcp from any port > 1023 to 192.168.198.178/32 port = 8081 keep state
pass in quick on eth1 proto icmp from any to 192.168.198.178/32 icmp-type 8 keep state
pass in quick on eth1 proto udp from any port >= 1024 to 192.168.198.178/32 port = 161 keep state
pass in quick on eth1 proto udp from any port >= 1024 to 192.168.198.178/32 port = 162 keep state


--


+============================================================+
|                                                            |
| Климов Евгений,                                 Jim Klimov |
| технический директор                                   CTO |
| ЗАО "ЦОС и ВТ"                                  JSC COS&HT |
|                                                            |
| +7-903-7705859 (cellular)          mailto:[email protected] |
|                          CC:[email protected],[email protected] |
+============================================================+
| ()  ascii ribbon campaign - against html mail              |
| /\                        - against microsoft attachments  |
+============================================================+
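The four Cisco access-list lines in the reply at the top of this thread, translated into ipf rule syntax. This is an added example for readers of the thread, not a ruleset posted by either participant. It assumes the DHCP client interface is eth1, as in the captures above, and uses numeric ports (bootps is UDP 67, bootpc is UDP 68) so it does not depend on /etc/services. The rules are deliberately stateless and quick: the DHCPDISCOVER/DHCPREQUEST leaves from 0.0.0.0:68 to 255.255.255.255:67, and the OFFER/ACK comes back from the server's own unicast address (192.168.198.70 in the captures) to 255.255.255.255:68 or to the offered address, so the reply never matches a state entry created by the request, and "pass out proto udp ... keep state" on its own does not let it in. Nothing in the ruleset posted above passes that reply, and the non-quick "block in on eth1 from 192.168.0.0/16 to any" matches it, so without an explicit quick pass it is dropped.

```ipf
# DHCP/BOOTP on the client interface (eth1 as in the captures).
# Cisco: access-list 100 permit udp any any eq bootps
#        access-list 100 permit udp any eq bootps any
pass out quick on eth1 proto udp from any port = 68 to any port = 67
pass in  quick on eth1 proto udp from any port = 67 to any port = 68

# Only needed if this host also answers or relays DHCP for others.
# Cisco: access-list 100 permit udp any any eq bootpc
#        access-list 100 permit udp any eq bootpc any
pass in  quick on eth1 proto udp from any port = 68 to any port = 67
pass out quick on eth1 proto udp from any port = 67 to any port = 68
```

Because ipf is last-match-wins except for quick rules, these lines can be appended after the existing non-quick block rules and still take effect; place them before any earlier quick rule that could match UDP 67/68 (the "block in log quick ... with short" rule above only matches short fragments, so it does not interfere). Check with `ipfstat -ih` after loading that the in rule's hit counter climbs when dhclient runs.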
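A closer look at the three damaged packets quoted in this thread, as an added example; the script is not part of the thread and not ipfilter code, and the three sample packets are transcribed from the tcpdump lines above. tcpdump's "N bytes missing" figure gives the size of the datagram that was really on the wire: 23553 - 23205 = 348 for the DHCP reply (exactly the 348-byte reply seen once ipf was flushed), 17408 - 17340 = 68 for the ICMP reply (the 82-byte frame minus the 14-byte Ethernet header), 19969 - 19635 = 334 for the other client's request. In each case the printed length is the real length with its two bytes exchanged: 348 = 0x015C and 23553 = 0x5C01, 68 = 0x0044 and 17408 = 0x4400, 334 = 0x014E and 19969 = 0x4E01; and "offset 512, flags [none]" on the ICMP packet is the fragment word 0x0040, the byte-swap of 0x4000, i.e. DF set and offset 0. The script rebuilds each 20-byte header from the fields tcpdump printed, confirms that an RFC 791 checksum over the header as captured reproduces tcpdump's "->" value, and then checks whether the checksum actually present in the packet is the correct checksum for the header with those two fields swapped back. It is, for all three, which means the header checksum was computed before the swap happened. That is a different signature from transmit checksum offload, which leaves lengths intact and only affects frames the capturing host itself sends. Which component does the swapping is a hypothesis the captures alone cannot settle; the pattern is consistent with the total-length and flags/fragment-offset fields being handed back to the stack in host byte order, i.e. a missing htons() on the way out of the filter.

```python
"""Test the byte-swapped-header hypothesis against the captures in the thread.

Added example, not code from the thread or from ipfilter.  The sample packets
are transcribed from the quoted tcpdump output; the arithmetic is RFC 791.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 checksum of a 20-byte IPv4 header; the checksum field is ignored."""
    words = struct.unpack("!10H", header)
    total = sum(words) - words[5]          # word 5 is the checksum field itself
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def bswap16(value: int) -> int:
    """Exchange the two bytes of a 16-bit value (host <-> network order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


@dataclass(frozen=True)
class CapturedIPv4:
    """IPv4 header fields exactly as tcpdump printed them for one packet."""
    tos: int
    ttl: int
    ident: int
    frag_word: int        # 3 flag bits + fragment offset/8, as one 16-bit word
    proto: int
    src: str
    dst: str
    total_length: int     # the "length: N" tcpdump printed
    bytes_missing: int    # the "truncated-ip - N bytes missing!" figure
    cksum_on_wire: int    # "bad cksum X"
    cksum_tcpdump: int    # "(->Y)": tcpdump's checksum over the captured header

    def header(self, total_length: int, frag_word: int) -> bytes:
        """Rebuild the header with alternative length/frag words and checksum 0."""
        return struct.pack(
            "!BBHHHBBH4s4s",
            0x45, self.tos, total_length, self.ident, frag_word,
            self.ttl, self.proto, 0,
            IPv4Address(self.src).packed, IPv4Address(self.dst).packed,
        )


def explain(pkt: CapturedIPv4) -> dict:
    """What the swapped-fields hypothesis predicts for one captured packet."""
    wire_length = pkt.total_length - pkt.bytes_missing
    as_captured = pkt.header(pkt.total_length, pkt.frag_word)
    swapped_back = pkt.header(bswap16(pkt.total_length), bswap16(pkt.frag_word))
    return {
        # real datagram size, recovered from tcpdump's "bytes missing"
        "wire_length": wire_length,
        # does byte-swapping the printed length give the real size?
        "swap_restores_len": bswap16(pkt.total_length) == wire_length,
        # sanity: our checksum routine reproduces tcpdump's "->" value
        "tool_agrees": ipv4_header_checksum(as_captured) == pkt.cksum_tcpdump,
        # is the checksum on the wire correct for the un-swapped header?
        "swap_explains_cksum": ipv4_header_checksum(swapped_back) == pkt.cksum_on_wire,
    }


# Transcribed from the captures quoted above (values as tcpdump printed them).
DHCP_REPLY = CapturedIPv4(tos=0, ttl=128, ident=27103, frag_word=0x0000, proto=17,
                          src="192.168.198.70", dst="255.255.255.255",
                          total_length=23553, bytes_missing=23205,
                          cksum_on_wire=0x48C3, cksum_tcpdump=0xEE1D)
# "offset 512, flags [none]" is the fragment word 0x0040 (512 / 8 = 0x40, no flags).
ICMP_REPLY = CapturedIPv4(tos=0, ttl=255, ident=39119, frag_word=0x0040, proto=1,
                          src="192.168.186.2", dst="192.168.186.250",
                          total_length=17408, bytes_missing=17340,
                          cksum_on_wire=0xEC9A, cksum_tcpdump=0xE89E)
# A request from a different client, captured inbound on the same interface.
OTHER_CLIENT_DISCOVER = CapturedIPv4(tos=0, ttl=128, ident=0, frag_word=0x0000, proto=17,
                                     src="0.0.0.0", dst="255.255.255.255",
                                     total_length=19969, bytes_missing=19635,
                                     cksum_on_wire=0x39A0, cksum_tcpdump=0xECEC)

SAMPLES = {"dhcp_reply": DHCP_REPLY, "icmp_reply": ICMP_REPLY,
           "other_client_discover": OTHER_CLIENT_DISCOVER}


def all_explained() -> bool:
    """True when every sample fits the swapped-fields hypothesis."""
    return all(
        r["swap_restores_len"] and r["tool_agrees"] and r["swap_explains_cksum"]
        for r in (explain(p) for p in SAMPLES.values())
    )


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = explain(pkt)
        print(f"{name}: wire length {r['wire_length']}, "
              f"bswap16(length)={bswap16(pkt.total_length)}, "
              f"tcpdump checksum reproduced={r['tool_agrees']}, "
              f"on-wire checksum explained by swap={r['swap_explains_cksum']}")
```

The "tool_agrees" check is there so the conclusion cannot be an artifact of the script's own arithmetic: the routine is first shown to reproduce the value tcpdump itself computed over the captured bytes, and only then applied to the un-swapped header. For the ICMP packet, swapping the length alone is not enough; the fragment word has to be swapped as well before the on-wire checksum 0xec9a comes out, which is why "offset 512" belongs to the same symptom.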

