Subject: Solution for duplicate ipf states?
To: None <tech-net@netbsd.org>
From: Monroe Williams <monroe@criticalpath.com>
List: tech-net
Date: 05/07/2002 20:35:49
I'm using the "keep state" rules on an ipf firewall, and I think I must be
missing something.

When using the rules:

pass out quick on ex0 proto udp from any to any keep state
pass out quick on ex0 proto icmp from any to any keep state

it appears that every packet that passes out on the interface creates a new
state table entry.  For example, running ping for a short while on a
firewalled machine causes this state in 'ipfstat -t':

Source IP    Destination IP      ST   PR   #pkts    #bytes       ttl
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:38
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:56
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:55
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:54
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:53
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:52
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:51
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:50
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:49
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:48
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:47
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:46
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:45
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:44
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:43
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:42
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:41
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:40
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:39
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:57

(IP addresses obfuscated to protect the guilty.)

This seems wrong to me.  It seems as though when a "keep state" rule
matches, it should NEVER add a duplicate identical entry to the state table.
In a perfect world, perhaps it would increase the ttl on the existing rule
to the normal value for a new rule.

Am I missing something here, or is this completely pathological behavior?

I'm running the built-in ipf (v3.4.9) on a stock NetBSD-1.5.2-i386 install,
if that matters.

Thanks,
-- monroe
------------------------------------------------------------------------
Monroe Williams                                  monroe@criticalpath.com
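A mechanical check for the pattern described in this post, as an added example that is not part of the original message or of ipf itself: a small Python parser for the `ipfstat -t` column layout shown above, which groups state entries by (source, destination, protocol) and reports any tuple that appears more than once. The SAMPLE text is constructed to mirror the post's output and assumes the same whitespace-separated seven-column layout.

```python
"""Find duplicate ipf state-table entries in `ipfstat -t` output."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the layout of the post's `ipfstat -t` output
# (addresses are the post's placeholder values, plus one extra flow).
SAMPLE = """\
Source IP    Destination IP      ST   PR   #pkts    #bytes       ttl
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:38
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:56
1.2.3.4       5.6.7.8           0/0 icmp       3       252      0:55
1.2.3.4       10.0.0.1          0/0 icmp       1        84      0:59
"""

# (source, destination, protocol) identifies a flow for this check.
StateKey = Tuple[str, str, str]


def parse_states(text: str) -> List[StateKey]:
    """Return one (src, dst, proto) key per state row, skipping the header."""
    keys: List[StateKey] = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has 7 columns; the header row starts with "Source".
        if len(fields) < 7 or fields[0] == "Source":
            continue
        src, dst, _state, proto = fields[:4]
        keys.append((src, dst, proto))
    return keys


def duplicate_states(text: str) -> Dict[StateKey, int]:
    """Map each flow key seen more than once to its number of entries."""
    counts = Counter(parse_states(text))
    return {key: n for key, n in counts.items() if n > 1}


def state_table_summary(text: str) -> Tuple[int, int]:
    """Return (total entries, distinct flows); a large gap means bloat."""
    keys = parse_states(text)
    return len(keys), len(set(keys))


if __name__ == "__main__":
    total, distinct = state_table_summary(SAMPLE)
    print(f"{total} entries for {distinct} distinct flows")
    for (src, dst, proto), n in duplicate_states(SAMPLE).items():
        print(f"{proto} {src} -> {dst}: {n} identical state entries")
```

Run against live output with `ipfstat -t | python3 check_states.py` after replacing SAMPLE with `sys.stdin.read()`; a ratio of entries to distinct flows well above 1 is the symptom the post describes.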