Subject: Trouble with IP Filter 3.3.6 after NetBSD 1.4.2 upgrade...
To: None <netbsd-help@netbsd.org>
From: Brian Stark <bstark@uswest.net>
List: netbsd-help
Date: 04/10/2000 03:10:51
Hello,

I seem to be having trouble with IP filter after upgrading to NetBSD i386
1.4.2 from version 1.4.1. Basically, I can't login to my home machine from
work and what I see being logged on my system doesn't make much
sense. Perhaps someone reading this can shed some light on this...

At work if I try to telnet to the home machine like this:

  possum:bstark$ telnet 209.180.3.151

On my home machine's logs I see:

  Apr 10 02:05:46 callisto ipmon[187]: 02:05:45.611892 ppp0 @0:1 L 161.134.39.18,1853 -> 209.180.3.151,23 PR tcp len 20 44 -S IN

I then see several more of these as my work system will attempt several
connects before failing.
 
The above shows that group 0, rule 1 has logged an inbound packet with the
syn flag set. But, when I check my inbound rules table for group 0, this
doesn't match up:

  callisto:{root}#  ipfstat -i -n | grep -v group 
  @1 pass in quick on lo0 from any to any
  @2 block in quick on ppp0 from any to any head 100
  @3 block in log quick from any to any
  callisto:{root}# 

The above shows that group 0, rule 1 is for something different. If I take
a look at my /etc/ipf.conf file to see where my rules for logging inbound 
packets are, I have the following:

  # Log all inbound TCP packets with the SYN flag (only) set. This is the
  # only flag set when a client attempts to connect to a server.
  log    in           on ppp0 proto tcp from any to any flags S group 110

If I dump the contents of group 110 out, I see the following:

  callisto:{root}# ipfstat -i -n | grep "group 110"
  @1 log in on ppp0 proto tcp from any to any flags S/FSRPAU group 110
  @2 log in on ppp0 proto tcp from any to any flags F/FSRPAU group 110
  @3 log in on ppp0 proto tcp from any to any flags FRP/FSRPAU group 110
  @4 pass in quick on ppp0 proto tcp from 204.147.80.0/24 to any group 110
  @5 pass in quick on ppp0 proto tcp from 207.225.159.0/24 to any group 110
  @6 pass in log quick on ppp0 proto tcp from 161.134.0.0/16 to any port 19 >< 24 flags S/SA keep state group 110
  @7 pass in log quick on ppp0 proto tcp from 161.134.0.0/16 to any port = 25 flags S/SA keep state group 110
  @8 pass in log quick on ppp0 proto tcp from 198.3.99.0/24 port = 25 to any group 110
  @9 pass in log quick on ppp0 proto tcp from 204.152.184.75/32 port 19 >< 22 to any group 110
  @10 pass in quick proto tcp from any port = 80 to any group 110
  @11 block return-rst in log quick on ppp0 proto tcp from any to any group 110
  callisto:{root}# 

So, IP filter should have logged the inbound packet using group 110, rule
1, but it didn't. In addition, when IP Filter got to rule 6 of group 110,
it should have allowed the packet in, but again, it didn't.

These problems seem to be centered around the filtering I am doing for the 
tcp protocol. I can ping my home machine and that works:

  possum:bstark$ ping -c 1 209.180.3.151
  PING 209.180.3.151: (209.180.3.151): 56 data bytes
  64 bytes from 209.180.3.151: icmp_seq=0 ttl=245 time=229 ms

  ----209.180.3.151 PING Statistics----
  1 packets transmitted, 1 packets received, 0% packet loss
  round-trip min/avg/max = 229/229/229 ms
  possum:bstark$ 

The home machine shows:

  Apr 10 02:26:47 callisto ipmon[187]: 02:26:46.522643 ppp0 @130:3 p 161.134.39.18 -> 209.180.3.151 PR icmp len 20 84 icmp 8/0 IN

  callisto:{root}# ipfstat -i -n | grep "group 130"
  @1 pass in log quick on ppp0 proto icmp from any to any icmp-type echorep group 130
  @2 pass in log quick on ppp0 proto icmp from any to any icmp-type unreach group 130
  @3 pass in log quick on ppp0 proto icmp from any to any icmp-type echo group 130
  @4 pass in log quick on ppp0 proto icmp from any to any icmp-type timex group 130
  @5 block in log quick on ppp0 proto icmp from any to any group 130
  callisto:{root}# 

So, I'm really confused... the filtering I do for icmp traffic appears to
work, but the tcp traffic filtering seems broken.

If it helps to understand the basic layout of my config file, it is like
this:

  callisto:{root}# cat /etc/ipf.conf | grep head 
  block  in     quick on ppp0 all head 100  
    block  in     quick on ppp0 proto tcp all head 110 group 100
    block  in     quick on ppp0 proto udp all head 120 group 100
    block in      quick on ppp0 proto icmp all head 130 group 100
    block in      quick on ppp0 proto igmp all head 140 group 100
  block out     quick on ppp0 all head 200
  callisto:{root}# 


Could it be that there is something wrong in IP Filter 3.3.6, or perhaps
there is a necessary change for the config file that I am not aware of?

Would it make any sense to try this with a newer version of IP Filter
(latest appears to be 3.3.12)? I downloaded the version 3.3.12 from
coombs.anu.edu.au and while reviewing the HISTORY file I came across the
following entry that looked interesting:

  3.3.8   01/02/2000 - Released

  fix state handling of SYN packets.

Could this be related to the problem I am having?

Any help would be appreciated...


Brian Stark
bstark@uswest.net
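The check Brian does by hand above (read the `@group:rule` tag in an ipmon line, look that rule up in the `ipfstat -i -n` listing, and ask whether the rule could really have produced the entry) can be scripted. The following is an added example, not code from the post or from IP Filter; it assumes only the ipmon and ipfstat output formats as quoted in the post (rules without a trailing `group N` are taken to be group 0, and ipmon action letters `p`, `b`, `L` are read as pass, block and log-only). The sample listing and the two log lines are copied from the post.

```python
"""Correlate IP Filter ipmon(8) log lines with an `ipfstat -i -n` listing.

Added example (assumption: formats exactly as quoted in the mailing-list post).
"""
import re
from typing import Dict, List, Optional, Tuple

# ipmon line, optionally with its syslog prefix ("Apr 10 02:05:46 callisto ipmon[187]: ")
IPMON_RE = re.compile(
    r"^(?:.*?ipmon\[\d+\]:\s+)?"
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?P<extra>.*?)\s+(?P<dir>IN|OUT)\s*$"
)
# ipmon action letters as seen in the post (p = pass, L = log only) plus block
ACTIONS = {"p": "pass", "b": "block", "L": "log only", "S": "short", "n": "no match"}

RULE_RE = re.compile(r"^@(?P<idx>\d+)\s+(?P<text>.+?)\s*$")
GROUP_RE = re.compile(r"\bgroup\s+(?P<g>\d+)$")   # trailing "group N" = membership
IFACE_RE = re.compile(r"\bon\s+(?P<i>\S+)")        # "on ppp0", "on lo0"


def parse_ipmon(line: str) -> Optional[dict]:
    """Split one ipmon line into its fields; None if the line is not ipmon output."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "iface": d["iface"],
        "group": int(d["group"]), "rule": int(d["rule"]),
        "action": ACTIONS.get(d["action"], d["action"]),
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        "proto": d["proto"], "hdr_len": int(d["hlen"]), "pkt_len": int(d["plen"]),
        "extra": d["extra"].strip(),   # TCP flags ("-S") or ICMP type/code ("icmp 8/0")
        "dir": d["dir"],
    }


def parse_ipfstat(listing: str) -> Dict[Tuple[int, int], str]:
    """Map (group, rule index) -> rule text. No trailing 'group N' means group 0."""
    rules: Dict[Tuple[int, int], str] = {}
    for raw in listing.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # shell prompts, blank lines
        text = m.group("text")
        g = GROUP_RE.search(text)
        rules[(int(g.group("g")) if g else 0, int(m.group("idx")))] = text
    return rules


def explain(logline: str, rules: Dict[Tuple[int, int], str]) -> dict:
    """Resolve a log line's @group:rule tag to rule text and flag entries the
    referenced rule cannot plausibly have produced (wrong interface, no 'log')."""
    ev = parse_ipmon(logline)
    if ev is None:
        return {"event": None, "rule": None, "problems": ["unparseable log line"]}
    text = rules.get((ev["group"], ev["rule"]))
    problems: List[str] = []
    if text is None:
        problems.append("rule @%d:%d is not in the listing" % (ev["group"], ev["rule"]))
    else:
        im = IFACE_RE.search(text)
        if im and im.group("i") != ev["iface"]:
            problems.append("rule is bound to %s but the packet arrived on %s"
                            % (im.group("i"), ev["iface"]))
        if "log" not in text.split():
            problems.append("rule has no 'log' keyword, so it should not log")
    return {"event": ev, "rule": text, "problems": problems}


# Sample data copied from the post: group 0 and group 130 listings, two ipmon lines
LISTING = """\
@1 pass in quick on lo0 from any to any
@2 block in quick on ppp0 from any to any head 100
@3 block in log quick from any to any
@1 pass in log quick on ppp0 proto icmp from any to any icmp-type echorep group 130
@2 pass in log quick on ppp0 proto icmp from any to any icmp-type unreach group 130
@3 pass in log quick on ppp0 proto icmp from any to any icmp-type echo group 130
@4 pass in log quick on ppp0 proto icmp from any to any icmp-type timex group 130
@5 block in log quick on ppp0 proto icmp from any to any group 130
"""
TCP_LINE = ("Apr 10 02:05:46 callisto ipmon[187]: 02:05:45.611892 ppp0 @0:1 L "
            "161.134.39.18,1853 -> 209.180.3.151,23 PR tcp len 20 44 -S IN")
ICMP_LINE = ("Apr 10 02:26:47 callisto ipmon[187]: 02:26:46.522643 ppp0 @130:3 p "
             "161.134.39.18 -> 209.180.3.151 PR icmp len 20 84 icmp 8/0 IN")

if __name__ == "__main__":
    table = parse_ipfstat(LISTING)
    for line in (TCP_LINE, ICMP_LINE):
        r = explain(line, table)
        print("@%d:%d -> %s" % (r["event"]["group"], r["event"]["rule"], r["rule"]))
        for p in r["problems"]:
            print("   !", p)
```

Run against the post's own data, the ICMP entry resolves cleanly to group 130 rule 3 (`icmp-type echo`, has `log`, on `ppp0`), while the TCP entry resolves to group 0 rule 1, which is bound to `lo0` and has no `log` keyword: the script reports both mismatches, which is the inconsistency the post describes and a useful signal that the running rule set and the listing you are reading do not agree.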