Problems with stateful filtering in 4.1.20

To:	ipfilter@coombs.anu.edu.au
Subject:	Problems with stateful filtering in 4.1.20
From:	Martti Kuparinen <martti.kuparinen@iki.fi>
Date:	Thu, 10 May 2007 13:46:38 +0300
Cc:	darrenr@reed.wattle.id.au
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	ipfilter-list@securepoint.com
Sender:	owner-ipfilter@coombs.anu.edu.au
User-agent:	Thunderbird 1.5.0.10 (X11/20070403)

Hi,

After upgrading to the latest NetBSD/amd64 4.0_BETA2 (and therefore to IPF4.1.20) I'm getting a lot of these errors. Before the upgrade (IPF 4.1.13)everything was working just fine.

May 10 10:20:48 p130 ipmon[377]: 10:20:48.692051 bnx0 @0:37 bd146.mydomain.com[xxx.xxx.xxx.146],smtp ->p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -A INMay 10 10:20:49 p130 ipmon[377]: 10:20:49.684257 bnx0 @0:37 bd146.mydomain.com[xxx.xxx.xxx.146],smtp ->p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -AF INMay 10 10:20:49 p130 ipmon[377]: 10:20:49.694822 bnx0 @0:37 bd146.mydomain.com[xxx.xxx.xxx.146],smtp ->p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 64 -A INMay 10 10:20:51 p130 ipmon[377]: 10:20:51.684376 bnx0 @0:37 bd146.mydomain.com[xxx.xxx.xxx.146],smtp ->p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -AF INMay 10 10:20:51 p130 ipmon[377]: 10:20:51.703369 bnx0 @0:37 bd146.mydomain.com[xxx.xxx.xxx.146],smtp ->p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 64 -A IN

In this case p130 contacted d146's SMTP port but some of the return packets areblocked. On p130 I have these rules:



# Incoming SMTP to this host
pass in  quick proto tcp from any to xxx.xxx.xxx.130 port = 25
pass out quick proto tcp from xxx.xxx.xxx.130 port = 25 to any
pass in  quick proto tcp from any to xxx.xxx.xxx.130 port = 465
pass out quick proto tcp from xxx.xxx.xxx.130 port = 465 to any

# Outgoing traffic
pass out quick proto tcp  from any to any flags S keep state keep frags
pass out quick proto udp  from any to any keep state keep frags
pass out quick proto icmp from any to any icmp-type 8 keep state

# Block and log everything else
block return-rst in log quick proto tcp from any to any flags S
block            in log quick proto tcp from any to any
block return-icmp-as-dest (port-unr) in log quick proto udp from any to any
block in  log quick all
block out log quick all


In this case rule 0:37 is

@37 block in log quick proto tcp from any to any
@38 block return-icmp-as-dest(port-unr) in log quick proto udp from any to any
@39 block in log quick all


How should I debug this?

Martti

<Prev in Thread]	Current Thread	[Next in Thread>
Problems with stateful filtering in 4.1.20, Martti Kuparinen <= Re: Problems with stateful filtering in 4.1.20, Darren Reed Re: Problems with stateful filtering in 4.1.22, Martti Kuparinen Re: Problems with stateful filtering in 4.1.22, Martti Kuparinen

Previous by Date:	ipfilter v4.1.8 && ESP (vpnc), Matthias Apitz
Next by Date:	Re: ipfilter v4.1.8 && ESP (vpnc), Darren Reed
Previous by Thread:	ipfilter v4.1.8 && ESP (vpnc), Matthias Apitz
Next by Thread:	Re: Problems with stateful filtering in 4.1.20, Darren Reed
Indexes:	[Date] [Thread] [Top] [All Lists]