Re[2]: Note: states with asymmetric routing

2004-11-25 Thread Ilya A. Kovalenko
   Stateful inspection on a gateway can hamper TCP connections when
 inbound or outbound packets go another route (i.e. when one of the
 directions does not go through the gateway).

kpo well, yeah. How is a firewall supposed to deduce state if it doesn't
kpo see any replies? psychic deduction?

   You totally miss my point.
   I am not asking why PF behaves this way. I am a programmer and,
I guess, can understand it enough.

   The only thing I want to do is to notify PF developers and users
that stateful inspection seems not to be applicable to cases with
asymmetric routing.

   The connection works fine at a low rate, but fast transfers stop
 every 64K (because PF suddenly stops passing packets).
 
   I guess it is not a bug, just some feature (like some
 TCP-window-related state protection). So think about whether there are
 reasons to correct this PF behavior.

Found something in the man page:
--8--- man pf.conf ---8-
This has several advantages.  Comparing a packet to a state involves
checking its sequence numbers.  If the sequence numbers are outside the
narrow windows of expected values, the packet is dropped.  This prevents
spoofing attacks, such as when an attacker sends packets with a fake
source address/port but does not know the connection's sequence numbers.
--8--- man pf.conf ---8-

kpo Correct? If you can design a prescient packet filter, then more
kpo power to you.

  In general, prescience is a hardware problem :)

  Seriously, there are a couple of things that can be done to solve
such a case, w/o prescience. Of course, ONLY if the developers think
it's important enough.
  For example, it is possible to make PF smart enough to detect
asymmetric routing and turn off the checks that cannot be performed on
such states.
  Or add the ability to select a lighter inspection mode for such
cases (w/ a postfix like keep light-state :).

  Anyway, I can't and do not try to decide anything for the developers.

Ilya A. Kovalenko  (mailto:[EMAIL PROTECTED])
S.A. SpeciaEQ SW section
JSC Oganer-Service




round-robin sticky-address

2004-11-25 Thread Andrei Kolu
The following configuration is for load-balancing 2 * 2.3 Mbit HDSL lines
with the round-robin sticky-address feature.

But I got this problem:
When there are few users, load balancing works great, but with 50 or
more users MSN Messenger periodically stops working and nobody is able to
open any website; after a couple of minutes everything works fine for some
time. Then it starts again...
Strangely, ping works at any time.

FreeBSD 5.3 RELEASE
ALTQ compiled in kernel
/etc/rc.conf
--
gateway_enable="YES"
hostname="server.somewhere"
ifconfig_xl0="inet 172.16.16.20 netmask 255.255.0.0"
ifconfig_xl1="00.235.00.202"
ifconfig_xl2="00.159.00.90"
sshd_enable="YES"
usbd_enable="NO"
ntpd_enable="YES"
inetd_enable="NO"
kern_securelevel_enable="NO"
sendmail_enable="NO"
pf_enable="YES"
---
# /etc/pf.conf
ext_if0=xl1 # external 0
ext_if1=xl2 # external 1
int_if=xl0 # internal network.
internal_net=172.16.0.0/16
external0_addr=00.235.00.202
external1_addr=00.159.00.90
ext_gw0=00.235.00.201
ext_gw1=00.159.00.89
set timeout src.track 60
scrub in all
nat on $ext_if0 from $internal_net to any -> ($ext_if0)
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
block all
# pass all outgoing packets on internal interface
pass out on $int_if from any to $internal_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $internal_net to $int_if
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1) } \
    round-robin sticky-address proto tcp from $internal_net to any \
    flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1) } \
    round-robin sticky-address proto { udp, icmp } from $internal_net to any \
    keep state
# general pass out rules for external interfaces
pass out on $ext_if0 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if0 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if0 to $ext_gw0 and the same for
# $ext_if1 and $ext_gw1
pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if1 route-to ($ext_if0 $ext_gw0) from $ext_if0 to any
# eof
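A long macro-heavy ruleset like the one above is easy to break with a macro typo, and as posted one rule refers to internal_net without its leading $ (pf would then try to resolve it as a hostname). The check below is an added example, not code from pf or from the poster; pfctl -nvf /etc/pf.conf remains the real syntax check. It scans a pf.conf text for two slips: a $name reference with no definition, and a defined macro name written bare in a from/to slot. CONFIG is a constructed fragment in the shape of the posted ruleset, with one undefined pair and one missing $ planted on its last line.

```python
"""Flag undefined and un-dollared pf.conf macros (added example)."""
import re

# Constructed fragment modelled on the posted ruleset. Line 7 deliberately
# references $ext_if1/$ext_gw1 (never defined here) and writes internal_net
# without its $.
CONFIG = """\
ext_if0=xl1 # external 0
int_if=xl0 # internal network.
internal_net=172.16.0.0/16
ext_gw0=00.235.00.201
nat on $ext_if0 from $internal_net to any -> ($ext_if0)
pass in on $int_if route-to ($ext_if0 $ext_gw0) proto tcp from $internal_net to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if1 $ext_gw1) proto { udp, icmp } from internal_net to any keep state
"""

DEF_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")   # name=value
REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")                     # $name
# A bare identifier right after "from" or "to"; pf would treat it as a hostname.
ADDR_SLOT_RE = re.compile(r"\b(?:from|to)\s+([A-Za-z_][A-Za-z0-9_]*)\b")


def strip_comment(line):
    """Drop everything after a '#' so comment text cannot trigger a match."""
    return line.split("#", 1)[0]


def check_macros(text):
    """Return (undefined, missing_dollar) as lists of (lineno, macro_name).

    undefined      : $name used on a line before/without any 'name=' definition
    missing_dollar : a defined macro name used bare in a from/to slot
    """
    defined = {}
    undefined, missing_dollar = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        m = DEF_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        for name in REF_RE.findall(line):
            if name not in defined:
                undefined.append((lineno, name))
        for name in ADDR_SLOT_RE.findall(line):
            if name in defined:
                missing_dollar.append((lineno, name))
    return undefined, missing_dollar


if __name__ == "__main__":
    undef, bare = check_macros(CONFIG)
    for lineno, name in undef:
        print(f"line {lineno}: ${name} is used but never defined")
    for lineno, name in bare:
        print(f"line {lineno}: '{name}' is a macro; did you mean ${name}?")
```

Run it against the real file with `check_macros(open("/etc/pf.conf").read())`. Because pf macros must be defined before use, the checker reads top to bottom and treats a reference that precedes its definition as undefined, which is what pfctl would also reject.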


Re: traffic leaking out on PPP connection

2004-11-25 Thread Ilya A. Kovalenko
PM My firewall is pretty tight.  I block all incoming by default and let out
PM only certain destination ports.  I'm currently filtering on external
PM interface only.

PM Now I decided to do a check on all outgoing traffic
PM (filtering out of course the allowed ports)
PM and I made an interesting discovery.

PM I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I
PM am sending out regular replies to
PM port 135.  I figured this is due to PPP tunneling.  In 15
PM minutes I was replying to about a
PM dozen different IP addresses but they all resolve back to my ISPs servers
PM (or clients?):

These hosts are probably infected w/ the Lovesan (aka MSBlast) virus. It
scans networks for vulnerable Windows boxes to infect.

But you should see it as incoming requests, then your host replies.

Ilya A. Kovalenko  (mailto:[EMAIL PROTECTED])


Re: Note: states with asymmetric routing

2004-11-25 Thread Jason Opperisano
On Wed, 2004-11-24 at 01:32, Ilya A. Kovalenko wrote:
Greetings,
 
   Just note.
 
   Stateful inspection on a gateway can hamper TCP connections when
 inbound or outbound packets go another route (i.e. when one of the
 directions does not go through the gateway).
 
   The connection works fine at a low rate, but fast transfers stop
 every 64K (because PF suddenly stops passing packets).
 
   I guess it is not a bug, just some feature (like some
 TCP-window-related state protection). So think about whether there are
 reasons to correct this PF behavior.
 
 Thank you
 
 Ilya A. Kovalenko

stateful firewalls are built on the premise that the firewall is in-line
between client and server; and therefore, sees all requests/replies.

asymmetric routing violates that premise; and therefore, all bets are
off.

if you *_must_* do this--allow states to be created on non-SYN packets
(note:  this is an *awful* idea).

i will assume that you do not have delusions that this should work with
NAT-ed connections, because it most certainly will not.

-j

--
Another day, another box of stolen pens.
--The Simpsons
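The stall Ilya reports (transfers stopping after roughly 64K) follows from the sequence-window checks quoted from pf.conf(5) above and from the premise Jason states: pf can only slide one peer's window when it sees the other peer's ACKs. The Python below is an added model for this thread, not code from pf or from any poster. It follows the shape of pf_test_state_tcp() in OpenBSD's pf.c as I recall it: each direction keeps seqlo/seqhi/max_win, a strict check applies once both peers have been seen, and while the peer's side has never been observed pf falls back to a looser check bounded by MAXACKWINDOW (0xffff plus a 1500-byte fudge factor). The initial sequence numbers, MSS and window are constructed values; TCP state numbers are reduced to "never seen" and "seen".

```python
"""Simplified model of pf's per-direction TCP sequence tracking (added example)."""
from dataclasses import dataclass

MAXACKWINDOW = 0xffff + 1500   # pf.c bound for the "peer not yet seen" check (as recalled)
SYN_SENT = 1                   # stand-in for TCPS_SYN_SENT; 0 means never seen


@dataclass
class Peer:
    seqlo: int = 0      # highest sequence byte seen from this side
    seqhi: int = 1      # top of the window this side may send into; only
                        # ACKs *from the other side* move it
    max_win: int = 1    # largest window this side has advertised
    state: int = 0      # 0 until pf has seen a packet from this side


class TcpState:
    """One pf state entry, created by a data-less SYN from side A."""

    def __init__(self, isn, win):
        # pf_create_state: seqlo = seq, seqhi = seqlo + len + 1, +1 for SYN
        self.a = Peer(seqlo=isn, seqhi=isn + 2, max_win=max(win, 1), state=SYN_SENT)
        self.b = Peer()

    def check(self, from_a, seq, ack, length, win, syn=False):
        """Return True if pf would pass this segment; updates the state."""
        src, dst = (self.a, self.b) if from_a else (self.b, self.a)
        end = seq + length + (1 if syn else 0)
        if src.state == 0:
            # First packet from this side: seed its window from what the
            # other side has advertised so far.
            src.seqlo, src.seqhi, src.state = seq, end + max(1, dst.max_win), SYN_SENT
        if dst.state < SYN_SENT:
            # Peer never seen: pf cannot judge the ACK number, so it
            # substitutes one that passes the skew test.
            ack = dst.seqlo
        ackskew = dst.seqlo - ack
        if (end <= src.seqhi and seq >= src.seqlo - dst.max_win
                and -MAXACKWINDOW <= ackskew <= MAXACKWINDOW):
            pass                                   # strict check satisfied
        elif (dst.state < SYN_SENT and end <= src.seqhi + MAXACKWINDOW
                and seq >= src.seqlo - MAXACKWINDOW):
            pass                                   # loose check: peer unseen
        else:
            return False                           # "BAD state": dropped
        src.max_win = max(src.max_win, win)
        src.seqlo = max(src.seqlo, end)
        if ack + win >= dst.seqhi:                 # slide the peer's window
            dst.seqhi = ack + max(win, 1)
        return True


def simulate_upload(total_bytes, replies_seen, mss=1460, win=65535):
    """Bulk transfer A -> B through the filter.

    Returns the payload bytes passed before the first drop (total_bytes if
    nothing was dropped). replies_seen=False models asymmetric routing:
    B's SYN/ACK and ACKs bypass the filter entirely.
    """
    isn_a, isn_b = 1_000_000, 5_000_000            # constructed ISNs
    st = TcpState(isn_a, win)                       # A's SYN created the state
    if replies_seen:
        st.check(False, isn_b, isn_a + 1, 0, win, syn=True)   # B's SYN/ACK
    st.check(True, isn_a + 1, isn_b + 1, 0, win)              # A's final ACK
    sent, seq = 0, isn_a + 1
    while sent < total_bytes:
        length = min(mss, total_bytes - sent)
        if not st.check(True, seq, isn_b + 1, length, win):
            return sent
        seq += length
        sent += length
        if replies_seen:                            # B acks every segment
            st.check(False, isn_b + 1, seq, 0, win)
    return sent


if __name__ == "__main__":
    print("symmetric :", simulate_upload(200_000, replies_seen=True), "bytes passed")
    print("asymmetric:", simulate_upload(200_000, replies_seen=False), "bytes passed")
```

With both directions visible the transfer completes; with B's packets bypassing the filter, A's seqhi never moves past the SYN, and the loose check lets through only about MAXACKWINDOW bytes of payload before the first drop, which is the "stops at each 64K" symptom. Small transfers fit inside that allowance, which is why low-rate connections look fine.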


Re: traffic leaking out on PPP connection

2004-11-25 Thread Peter Matulis
 --- Ilya A. Kovalenko [EMAIL PROTECTED] wrote: 
 PM My firewall is pretty tight.  I block all incoming by default and let out
 PM only certain destination ports.  I'm currently filtering on external
 PM interface only.
 
 PM Now I decided to do a check on all outgoing traffic
 PM (filtering out of course the allowed ports)
 PM and I made an interesting discovery.
 
 PM I am on dial-up (PPP) with a Canadian ISP (Sympatico) and I
 PM am sending out regular replies to
 PM port 135.  I figured this is due to PPP tunneling.  In 15
 PM minutes I was replying to about a
 PM dozen different IP addresses but they all resolve back to my ISPs servers
 PM (or clients?):
 
 These hosts are probably infected w/ the Lovesan (aka MSBlast) virus. It
 scans networks for vulnerable Windows boxes to infect.
 
 But you should see it as incoming requests, then your host replies.

I do get, like everyone else, incoming requests due to the reason you give
but this is the only port my firewall is responding to and I have no idea
why except the hypothesis that it is due to some PPP tunneling being done
by my ISP.

Furthermore, I went to the Shields Up! site at 
https://grc.com/x/ne.dll?bh0bkyd2 and it scanned
my IP and did not report *any* ports open.  This is what I should expect.

Peter
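Whether port 135 traffic is inbound probes, replies from this host's own port 135, or connections this host opens toward port 135 elsewhere is exactly the distinction the two posters are arguing about, and pflog answers it directly. The script below is an added example, not code from either poster: it parses lines in the text format that `tcpdump -n -e -ttt -i pflog0` prints for pf's log interface and buckets port-135 traffic by direction. The log lines are constructed samples using documentation-range addresses, with three probing sources, one RST reply from port 135, and one outbound SYN toward port 135.

```python
"""Bucket pflog lines involving TCP/135 by direction (added example)."""
import re
from collections import defaultdict

# pflog as printed by tcpdump: "rule N/M(reason): action dir on if: src.sport > dst.dport: flags ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)

# Constructed sample; 198.51.100.7 plays the dial-up host.
SAMPLE_LOG = """\
Nov 25 10:01:02.000001 rule 0/0(match): block in on tun0: 203.0.113.10.3421 > 198.51.100.7.135: S 1:1(0) win 16384
Nov 25 10:01:02.400010 rule 0/0(match): block in on tun0: 203.0.113.10.3422 > 198.51.100.7.135: S 2:2(0) win 16384
Nov 25 10:01:05.120000 rule 0/0(match): block in on tun0: 203.0.113.44.1180 > 198.51.100.7.135: S 3:3(0) win 65535
Nov 25 10:01:07.500000 rule 0/0(match): block in on tun0: 203.0.113.91.2201 > 198.51.100.7.135: S 4:4(0) win 8192
Nov 25 10:01:09.000000 rule 4/0(match): pass out on tun0: 198.51.100.7.1034 > 192.0.2.25.25: S 5:5(0) win 16384
Nov 25 10:01:11.250000 rule 5/0(match): block out on tun0: 198.51.100.7.135 > 203.0.113.44.1180: R 0:0(0) ack 4 win 0
Nov 25 10:01:13.000000 rule 5/0(match): block out on tun0: 198.51.100.7.1100 > 192.0.2.40.135: S 6:6(0) win 16384
"""


def parse_pflog(text):
    """Yield one dict per line that matches the pflog text format."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def port_summary(text, port=135):
    """Split traffic involving `port` into three buckets keyed by peer address.

    inbound_probes     : packets arriving for our port (the scan itself)
    outbound_from_port : packets our port sends back (replies to probes)
    outbound_to_port   : packets we originate toward the port on other hosts
                         (what an infected host's own scanning would look like)
    Each value is the list of TCP flag strings seen for that peer.
    """
    inbound, out_from, out_to = defaultdict(list), defaultdict(list), defaultdict(list)
    for rec in parse_pflog(text):
        if rec["dir"] == "in" and rec["dport"] == port:
            inbound[rec["src"]].append(rec["flags"])
        elif rec["dir"] == "out" and rec["sport"] == port:
            out_from[rec["dst"]].append(rec["flags"])
        elif rec["dir"] == "out" and rec["dport"] == port:
            out_to[rec["dst"]].append(rec["flags"])
    return {"inbound_probes": dict(inbound),
            "outbound_from_port": dict(out_from),
            "outbound_to_port": dict(out_to)}


if __name__ == "__main__":
    for bucket, peers in port_summary(SAMPLE_LOG).items():
        print(f"{bucket}: {len(peers)} peer(s)")
        for peer, flags in peers.items():
            print(f"    {peer}: {' '.join(flags)}")
```

Feed it real output with `port_summary(open("pflog.txt").read())` after saving the tcpdump text. A host that only shows entries in the first two buckets is being scanned and answering; entries in the third bucket (SYNs this host originates toward port 135 on many peers) are what would merit a closer look at the host itself.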



Re: PF question

2004-11-25 Thread Jason Dixon
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet - FW - Local Area Network
   |
   |
 IDS
Is there a way of forwarding incoming packets from the internet to
two separate interfaces?
The IDS has no IP address. It only listens to incoming packets.
man pf.conf, search for dup-to.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: PF question

2004-11-25 Thread Jason Dixon
Gah, this is the 2nd time in a week I've cc'd the wrong list.  Sorry.
-J.
On Nov 25, 2004, at 10:01 PM, Jason Dixon wrote:
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet - FW - Local Area Network
   |
   |
 IDS
Is there a way of forwarding incoming packets from the internet to
two separate interfaces?
The IDS has no IP address. It only listens to incoming packets.
man pf.conf, search for dup-to.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re[2]: Note: states with asymmetric routing

2004-11-25 Thread Ilya A. Kovalenko
JO i will assume that you do not have delusions that this should work with
JO NAT-ed connections, because it most certainly will not.

Of course it will not, because pf must alter both directions.