Subject: Re: kern/11670: ipf eventually blocks all traffic (thus ignoring
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Stephen Welker <stephen.welker@nemostar.com.au>
List: netbsd-bugs
Date: 12/11/2000 12:39:04
--On Sunday, 10 December 2000 2:41 PM Manuel Bouyer wrote:
> On Sun, Dec 10, 2000 at 02:08:25AM +1100, Stephen Welker wrote:
>> I did not use 1.4.2 (problems with AppleTalk), I have upgraded from
>> 1.4.1.
>>
>> I do use NAT (1 rule, last minute patch not applied). Rule follows..
>>
>> map ppp0 192.168.1.0/24 -> 203.43.154.193/32
>>
>> My NAT & ipf config have not changed since 1.4.1 in reference to the
>> services that fail.
>>
>> I have compiled a separate kernel that logged blocked packets. The ipmon
>> log (local0) showed along with others (squid) that the return packets
>> were being blocked (yes I have set the "keep state"). Sample ipmon log
>> entry follows...
>>
>> Dec 6 17:47:26 hermes ipmon[79]: 17:47:25.335973 ppp0 @0:15
>> b mail2.bigpond.com,25 -> mx.nemostar.com.au,65211 PR tcp len 20 65
>> -AFP IN
>>
>> Rule 15 is the catch all "block all" rule.
>
> Ok, I don't use "keep state", maybe there's a bug in this code.
> When connections don't work could you try an 'ipfstat -s' to see the
> state information?
"ipfstat -s > ipfstat.log" produces a 578120 byte file.
The beginning of the file has the following...
--- snip ---
IP states added:
2436 TCP
2948 UDP
0 ICMP
41895 hits
16976 misses
4106 maximum
0 no memory
buckets in use 26
2048 active
2948 expired
388 closed
--- snip ---
606 groups of entries such as...
--- snip ---
127.0.0.1 -> 127.0.0.1 ttl 862467 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65533 -> 65534 2e64710e:0 16384:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
--- snip ---
69 groups of entries such as...
--- snip ---
192.168.1.1 -> 192.168.1.1 ttl 801957 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65472 -> 53 f4fd8912:0 16384:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
--- snip ---
1 entry such as...
--- snip ---
192.168.1.254 -> 192.168.1.5 ttl 862717 pass 0x500a pr 6 state 4/0
pkts 3 bytes 120 49287 -> 3128 a1453710:66026069 1:17520
pass in quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0[0xc05c5864] out fxp0[0xc05c5864]
--- snip ---
2 groups of entries such as...
--- snip ---
192.168.1.254 -> 192.168.1.1 ttl 863999 pass 0x500a pr 6 state 4/4
pkts 1141 bytes 731892 49278 -> 23 a12ebea2:547cb1ce 32768:17520
pass in quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0[0xc05c5864] out fxp0[0xc05c5864]
--- snip ---
1 entry such as...
--- snip ---
192.168.1.254 -> 192.168.1.3 ttl 863915 pass 0x500a pr 6 state 4/4
pkts 139 bytes 23078 49152 -> 143 7d81aa66:eadb8a11 32768:17520
pass in quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0[0xc05c5864] out fxp0[0xc05c5864]
--- snip ---
1340 groups of entries such as...
--- snip ---
192.168.1.5 -> 192.168.1.5 ttl 861978 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65393 -> 3128 53f856a0:0 14958:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
--- snip ---
14 groups of entries such as...
--- snip ---
192.168.1.4 -> 203.43.154.193 ttl 856368 pass 0x5006 pr 6 state 4/4
pkts 5 bytes 618 80 -> 65431 e33ca32c:e248f548 16384:16384
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lo0[0xc042738c] out lo0[0xc042738c]
--- snip ---
14 groups of entries such as...
--- snip ---
203.43.154.193 -> 192.168.1.4 ttl 856368 pass 0x5006 pr 6 state 3/4
pkts 5 bytes 284 65431 -> 80 e248f2c3:e33ca27d 16384:16384
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lo0[0xc042738c] out lo0[0xc042738c]
--- snip ---
Some explanation of IP numbers...
203.43.154.193 - external IP visible to the net (not the PPP i/f), it is
also the output side of the proxy.
192.168.1.1 - internal gateway.
192.168.1.3 - internal mx.
192.168.1.4 - internal www server.
192.168.1.5 - internal proxy server.
192.168.1.254 - workstation (web browser, telnet, imap sessions origin)
Machine runs 3 main interfaces: ppp & 2 ethernet interfaces (1 public
ethernet & 1 private).
Sorry for the large email, but this is the summary ;-)
If you need the ipf.conf file I can email it directly if you wish.
--
Stephen.
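Added example (not part of the thread, and not ipfilter's own tooling): a small Python script that parses `ipfstat -s` state entries in the layout quoted above, groups them the way the message does by hand (same source, destination, destination port and state), flags single-packet entries whose state is 0 on one side as candidates for table bloat, and looks up whether a given packet, such as the return packet that ipmon shows rule 15 blocking, has a covering state entry in either direction. The sample input is constructed from the quoted entries (with one loopback entry duplicated so the grouping has something to count); the field names, the "one packet and one side in state 0" heuristic, and the assumption that this ipfstat version prints every entry in exactly this six-line shape are mine.

```python
import re
from collections import Counter

# Constructed sample input: four state entries in the shape of the
# "ipfstat -s" output quoted in the message (the second loopback entry is
# a copy with a different port/sequence so the grouping counts two).
SAMPLE_IPFSTAT = """\
127.0.0.1 -> 127.0.0.1 ttl 862467 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65533 -> 65534 2e64710e:0 16384:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
127.0.0.1 -> 127.0.0.1 ttl 862470 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65532 -> 65534 1a2b3c4d:0 16384:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
192.168.1.254 -> 192.168.1.1 ttl 863999 pass 0x500a pr 6 state 4/4
pkts 1141 bytes 731892 49278 -> 23 a12ebea2:547cb1ce 32768:17520
pass in quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp0[0xc05c5864] out fxp0[0xc05c5864]
192.168.1.5 -> 192.168.1.5 ttl 861978 pass 0x5006 pr 6 state 0/4
pkts 1 bytes 52 65393 -> 3128 53f856a0:0 14958:0
pass out quick keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in -[0x0] out lo0[0xc042738c]
"""

# Header line of an entry: "src -> dst ttl N pass 0xFLAGS pr PROTO state A/B"
HEAD_RE = re.compile(
    r"^(\S+) -> (\S+) ttl (\d+) pass (0x[0-9a-f]+) pr (\d+) state (\d+)/(\d+)$")
# Counter line: "pkts N bytes N sport -> dport seq:ack win:win"
PKTS_RE = re.compile(r"^pkts (\d+) bytes (\d+) (\d+) -> (\d+)")
# Interface line: "interfaces: in NAME[0xADDR] out NAME[0xADDR]"; "-" means none
IFACE_RE = re.compile(
    r"^interfaces: in ([^\[\s]+)\[[^\]]*\] out ([^\[\s]+)\[[^\]]*\]$")


def parse_states(text):
    """Parse ipfstat -s state entries into one dict per entry (assumed layout)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            cur = {
                "src": m.group(1), "dst": m.group(2), "ttl": int(m.group(3)),
                "pass_flags": int(m.group(4), 16), "proto": int(m.group(5)),
                "state": (int(m.group(6)), int(m.group(7))),
                "pkts": 0, "bytes": 0, "sport": None, "dport": None,
                "rule": None, "in_if": None, "out_if": None,
            }
            entries.append(cur)
            continue
        if cur is None:
            continue  # anything before the first entry (e.g. the counters)
        m = PKTS_RE.match(line)
        if m:
            cur["pkts"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            cur["sport"], cur["dport"] = int(m.group(3)), int(m.group(4))
            continue
        if line.startswith(("pass ", "block ")):
            cur["rule"] = line  # text of the rule that created the state
            continue
        m = IFACE_RE.match(line)
        if m:
            cur["in_if"] = None if m.group(1) == "-" else m.group(1)
            cur["out_if"] = None if m.group(2) == "-" else m.group(2)
    return entries


def group_entries(entries):
    """Count entries per (src, dst, dport, state): the grouping done by hand above."""
    return Counter((e["src"], e["dst"], e["dport"], e["state"]) for e in entries)


def single_packet_entries(entries):
    """Entries that saw one packet and sit in state 0 on one side; each holds a
    table slot until its ttl runs out (heuristic, not an ipfilter definition)."""
    return [e for e in entries if e["pkts"] == 1 and 0 in e["state"]]


def matching_states(entries, src, sport, dst, dport):
    """State entries covering src:sport -> dst:dport in either direction, i.e.
    what a return packet should have matched instead of falling to 'block all'."""
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    return [e for e in entries
            if (e["src"], e["sport"], e["dst"], e["dport"]) in (fwd, rev)]


def report(text):
    """Summary a defender would want first: size, grouping and bloat candidates."""
    entries = parse_states(text)
    groups = group_entries(entries)
    return {
        "entries": len(entries),
        "groups": len(groups),
        "largest_group": groups.most_common(1)[0] if groups else None,
        "single_packet": len(single_packet_entries(entries)),
    }


if __name__ == "__main__":
    for key, n in group_entries(parse_states(SAMPLE_IPFSTAT)).most_common():
        print(n, "x", key)
    print(report(SAMPLE_IPFSTAT))
```

Run it as `ipfstat -s | python3 ipfstate_summary.py` after swapping `SAMPLE_IPFSTAT` for `sys.stdin.read()`; the grouping output reproduces the "N groups of entries such as..." counts, and `matching_states` gives a quick yes/no on whether a packet ipmon logged as blocked had any state entry that should have passed it.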