firewall stuck
Kevin Oberman
kob6558 at gmail.com
Sat Mar 24 17:06:38 UTC 2012
On Sat, Mar 24, 2012 at 6:30 AM, nyoman.bogi at gmail.com
<nyoman.bogi at gmail.com> wrote:
> On Thu, Mar 15, 2012 at 11:47 AM, Kevin Oberman <kob6558 at gmail.com> wrote:
>>
>> Please don't top post. It makes following the thread very difficult.
>> (Yes, I know too many MUAs make this difficult.)
>>
>> > On Wed, Mar 14, 2012 at 1:12 PM, Kevin Oberman <kob6558 at gmail.com>
>> wrote:
>> >>
>> >> On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi at gmail.com
>> >> <nyoman.bogi at gmail.com> wrote:
>> >> > dear guru,
>> >> >
>> >> > every time I open my firewall to allow SSH connections from the Internet,
>> >> > after a few days my firewall always gets stuck. Stuck here means
>> >> > that it denies all requests (deny any from any).
>> >> > And after I "ipfw disable firewall" and then "ipfw enable firewall",
>> >> > everything works fine.
>> >> >
>> >> > When I checked /var/log/messages I found lots of attempts by
>> >> > people trying to connect to my machine.
>> >> > Why does my machine get stuck when lots of people try to SSH to my
>> >> > machine?
>> >>
>> >> We need a bit more information, especially your ipfw configuration. Is
>> >> it a stateful firewall? It sounds a lot like your state table might
>> >> be filling for some reason. Of course, if it is not a stateful
>> >> firewall, that idea is probably wrong, though it could be a
>> >> misconfiguration of some stateful rule that is inadvertently catching
>> >> the SSH attempts.
>> >>
>> >> Have you done an 'ipfw show' to see what rules are being matched? It
>> >> may or may not provide a clue.
>> >> --
>> >> R. Kevin Oberman, Network Engineer
>> >> E-mail: kob6558 at gmail.com
>> On Wed, Mar 14, 2012 at 6:04 PM, nyoman.bogi at gmail.com
>> <nyoman.bogi at gmail.com> wrote:
>> > thanks Kevin,
>> > this is my "ipfw show":
>> >
>> > 00100 4352617 2413620288 allow ip from any to any via lo0
>> > 00200 0 0 deny ip from any to 127.0.0.0/8
>> > 00300 0 0 deny ip from 127.0.0.0/8 to any
>> > 00400 0 0 deny ip from any to ::1
>> > 00500 0 0 deny ip from ::1 to any
>> > 00600 54387 5454184 allow icmp from any to any
>> > 00700 3142231 1681082246 allow ip from 10.1.1.28 to 10.1.1.0/26
>> > 00800 4659459 4478397111 allow ip from 10.1.1.0/26 to 10.1.1.28
>> > 00900 0 0 check-state
>> > 01000 137997 89083135 allow tcp from 10.1.1.28 to any setup keep-state
>> > 01100 0 0 allow tcp from 10.16.10.84 to any setup keep-state
>> > 01150 401205 276677828 allow tcp from any to 10.1.1.28 dst-port 22 setup keep-state
>> > 01200 245718 44249729 allow udp from 10.1.1.28 to any keep-state
>> > 01300 5876930 239194755 allow tcp from any to any established
>> > 01400 0 0 allow tcp from any to 10.1.1.28 dst-port 389 setup keep-state
>> > 01500 26341187 22030370786 allow tcp from any to 10.1.1.28 dst-port 80 setup keep-state
>> > 01600 80945 61013964 allow tcp from any to 10.1.1.28 dst-port 443 setup keep-state
>> > 01700 0 0 allow tcp from 10.1.1.2 to 10.1.1.28 dst-port 22 setup keep-state
>> > 01800 149642 97939477 allow tcp from any to 10.1.1.28 dst-port 25 setup keep-state
>> > 01900 140 7501 allow tcp from 10.1.0.0/16 to 10.1.1.28 dst-port 110 setup keep-state
>> > 02000 1677982 89212845 allow tcp from any to 10.1.1.28 dst-port 110 setup keep-state
>> > 02100 8996 432096 deny tcp from any to any setup
>> > 02200 244111 24117256 allow udp from any to 10.1.1.28 dst-port 53 keep-state
>> > 02300 0 0 allow udp from any to 10.1.1.12 dst-port 53 keep-state
>> > 65535 4610 1422974 deny ip from any to any
>> >
>> > I use FreeBSD 8.2:
>> > FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011
>> >
>> > The problem started after I added rule 01150.
>>
>> So you do have a stateful rule for SSH. Putting stateful rules on
>> services is risky because you always open yourself to DOS, either
>> intentionally or by accident. Every stateful access requires resources
>> from a limited pool. You can look at this pool information with:
>> sysctl net.inet.ip.fw | grep dyn
>> man ipfw describes them in the "SYSCTL VARIABLES" section.
>>
>> I am wondering why you want a stateful rule for this. It's very risky
>> and it looks like you are getting bitten, either by accident or a
>> deliberate effort to DOS you. I suspect the former.
>> --
>> R. Kevin Oberman, Network Engineer
>> E-mail: kob6558 at gmail.com
>
>
>
> Thanks a lot Kevin, your hint is really helpful.
> I have changed the SSH connection to non-stateful.
>
> Do you think I should change the HTTP connection to non-stateful also?
Almost certainly. One of the most common DOS attacks is just to flood
a popular port with connection requests, and port 80 is the most
commonly used. There are ways to mitigate this a bit by quickly
dropping the state entry when the 3-way handshake is not completed,
but it's still pretty easy to exploit. And, of course, if your website
ever gets significant publicity, the number of legitimate connections
can cause you trouble. (This is commonly called being "slashdotted".)
What you need to do is ask if a stateful firewall is really of any
benefit for port 80. What does it help, if anything? For UDP apps,
where the protocol does not maintain any state, stateful may make
sense, but for TCP, it's less obvious. Can you get the same benefits
from a stateless entry? Perhaps with the addition of tables so block
entries can be quickly added and deleted?
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
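As an added example (not code from this thread or from FreeBSD), a small sh script that checks the dynamic-state pool Kevin points at and emits a stateless replacement for rule 01150 with a block table, covering both his "limited pool" explanation and his suggestion of stateless rules plus tables. The sysctl names and ipfw syntax are real FreeBSD 8.x features; the sysctl values, the table number 1 and rule number 01140 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The sysctl names and ipfw syntax are
# real FreeBSD 8.x knobs; the numbers are constructed to show a full table.
# dyn_syn_lifetime is how long a half-open entry lives (the knob behind
# "quickly dropping the state entry when the handshake is not completed").
SAMPLE_DYN='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_curr_buckets: 256
net.inet.ip.fw.dyn_count: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300'

# dyn_usage TEXT: print "<count> <max> <percent-used>" parsed from the
# output of `sysctl net.inet.ip.fw | grep dyn`; fails if a value is missing.
dyn_usage() {
    count=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ip.fw.dyn_count" { print $2 }')
    max=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ip.fw.dyn_max" { print $2 }')
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo "$count $max $(( count * 100 / max ))"
}

# dyn_pool_full TEXT [PERCENT]: succeed when the pool is at least PERCENT
# (default 90) full. Once dyn_count reaches dyn_max, packets that hit a
# keep-state rule cannot install state and are dropped, which is the
# "deny any from any" symptom in the thread.
dyn_pool_full() {
    usage=$(dyn_usage "$1") || return 1
    set -- $usage "${2:-90}"
    [ "$3" -ge "$4" ]
}

# Stateless replacement for rule 01150: the SYN is admitted by a plain
# "setup" rule and the rest of the flow by existing rule 01300 ("allow tcp
# from any to any established"), so no dynamic entry is created. Table 1
# (an assumed number) holds addresses to block; entries come and go with
# "ipfw table 1 add ADDR" / "ipfw table 1 delete ADDR", no ruleset reload.
stateless_ssh_rules() {
    cat <<'EOF'
ipfw delete 01150
ipfw add 01140 deny tcp from table(1) to 10.1.1.28 dst-port 22
ipfw add 01150 allow tcp from any to 10.1.1.28 dst-port 22 setup
EOF
}

# Live check; only meaningful on a FreeBSD host running ipfw.
if command -v ipfw >/dev/null 2>&1; then
    dyn_pool_full "$(sysctl net.inet.ip.fw 2>/dev/null | grep dyn)" &&
        echo "WARNING: ipfw dynamic-state pool nearly exhausted" >&2
fi
```

Run it from cron on the firewall to get warned before the pool fills, and pipe stateless_ssh_rules into sh once you have reviewed the three commands it prints.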