tech-net: Re: ipfilter stateful rejects

Subject: Re: ipfilter stateful rejects
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Scott Presnell <srp@zgi.com>
List: tech-net
Date: 10/22/1999 11:26:06
Wolfgang Rupprecht wrote:
> 
> I'm starting to be plagued by what I'm told are most likely late
> out-of-window incoming packets causing ipfilter to misbehave and
> poison a sup transfer in mid-stream.
> 
>     Oct 22 10:27:03 capsicum ipmon[172]: 10:27:02.703867              de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65102 PR tcp len 20 552 -A
>     Oct 22 10:27:08 capsicum ipmon[172]: 10:27:07.692248              de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65101 PR tcp len 20 552 -A
>     Oct 22 10:27:17 capsicum ipmon[172]: 10:27:16.181956              de0 @100:2 b ftp.netbsd.org,supfilesrv -> c460058-a.frmt1.sfba.home.com,65099 PR tcp len 20 552 -A
> 
> This is the line from my /etc/ipf.conf file.
> 
>     pass out proto tcp from any to any flags S/SAFR keep state
> 
> Unfortunately tcpdump doesn't capture anything that stands out at
> around the time this syslog msg occurred.  All I see is a failed
> sup with a sterr msg that a sup transfer aborted.
> 
Yes, there have been some bugs fixed in this regard since 1.4.1 which
contains
ipfilter 3.2.10.

You should be able to install ip_filter 3.3.3 over the 1.4.1
distribution.

From the ipfilter mailing list:


More bug fixes.

Problems with fastrouting and fragmentation being used with keep state
should now be licked.

The problem with keep state and the ftp proxy should also be licked, as
too
the dropping of packets within the receivers window.

ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.3.tar.gz

Darren

3.3.3   22/10/1999 - Released

add -g command line option to ipfstat to show groups still define.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2   23/09/1999 - Released