# ipf keep state problem?
## hunter_lv (Aug 6, 2010)

Hello!
Some time ago I already had business with ipf and everything was ok (I used the manual to create rules), the server worked perfectly.
Now I'm trying to set up the same server, but with a newer version of FreeBSD (8.1-RELEASE), the same manuals, the same settings; everything works except the firewall, and there is something strange:
for example, I have rules in my /etc/ipf.rules:


```
pass out quick on fxp0 all
pass in log quick on fxp0 proto tcp from any to any port = 80
block in log first quick on fxp0 all
```

in this case ipmon shows:

```
... fxp0 @0:1 p xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
```
that is OK

now I change second rule to:

```
pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
```
because I want to use a stateful firewall, of course

in this case ipmon shows:

```
... fxp0 @0:2 b xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
```
and that is NOT OK

I don't understand why, but now my connection does not match my rule... why? Can someone explain it to me?

May it be that there is some kind of bug and I have to patch my system?


----------



## rblon (Nov 25, 2010)

I have the same problem. It seems related to this bug, but I am not sure how to apply the patch. Have you been able to solve it?


----------



## SirDice (Nov 25, 2010)

Remove the *flags S*.


----------



## rblon (Nov 25, 2010)

Removing *flags S* is not helping me

The issue I'm having is that after upgrading to 8.1, the firewall is blocking everything (in and out)

Now, when I set /etc/ipf.rules to

```
pass in quick on fxp0 all
pass out quick on fxp0 all
```
I don't have this issue

When I compare /var/log/messages, the difference is that I have in the initial situation (so with my original /etc/ipf.rules), the following messages after reboot

```
Nov 25 10:30:47 dev ipmon[803]: 10:30:47.054681 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,32813 PR udp len 20 111 IN bad
Nov 25 10:30:52 dev ipmon[803]: 10:30:52.024385 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,32813 PR udp len 20 111 IN bad
Nov 25 10:31:02 dev ipmon[803]: 10:31:02.050001 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,25838 PR udp len 20 63 IN bad
....
```

where rule 28 is the final IN rule:

```
block in log first quick on fxp0 all
```


----------



## SirDice (Nov 25, 2010)

Please post your entire /etc/ipf.rules file.


----------



## rblon (Nov 25, 2010)

Here it is (to be clear, I haven't made any changes after upgrading from 7.2 to 8.1)


```
#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################

#pass out quick on xl0 all
#pass in quick on xl0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Match session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on fxp0 proto tcp from any to 10.0.1.1 port = 53 flags S keep state
pass out quick on fxp0 proto udp from any to 10.0.1.1 port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on fxp0 proto udp from any to any port = 67 keep state
#pass out quick on fxp0 proto udp from any to z.z.z.z port = 67 keep state


# Allow out non-secure standard www function
pass out quick on fxp0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on fxp0 proto tcp from any to any port = 443 flags S keep state

# Allow out secure www function https over TLS SSL (SVN server)
pass out quick on fxp0 proto tcp from any to any port = 8443 flags S keep state

# Allow out send & get email function
pass out quick on fxp0 proto tcp from any to any port = 25 flags S keep state

# Allow out ntp (network time protocol)
#pass out quick on fxp0 proto tcp from any to any port = 123 flags S keep state
pass out quick on fxp0 proto udp from any to any port = 123 keep state

# Allow out nntp news
#pass out quick on fxp0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on fxp0 proto tcp from any to any port = 21 flags S keep state

# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
# This function is using SSH (secure shell)
pass out quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Allow out insecure Telnet
pass out quick on fxp0 proto tcp from any to any port = 23 flags S keep state

# Allow out FreeBSD CVSup
pass out quick on fxp0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on fxp0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois from LAN to public Internet
pass out quick on fxp0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule implements the default block
block out log first quick on fxp0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Match packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on fxp0 from 172.16.0.0/12 to any     #RFC 1918 private IP
#block in quick on fxp0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on fxp0 from 127.0.0.0/8 to any       #loopback
block in quick on fxp0 from 0.0.0.0/8 to any         #loopback
block in quick on fxp0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on fxp0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on fxp0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on fxp0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on fxp0 all with frags

# Block short tcp packets
block in quick on fxp0 proto tcp all with short

# block source routed packets
block in quick on fxp0 all with opt lsrr
block in quick on fxp0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on fxp0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on fxp0 all with ipopts

# Block public pings
block in quick on fxp0 proto icmp all icmp-type 8

# Block ident
block in quick on fxp0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
#block in log first quick on fxp0 proto tcp/udp from any to any port = 137
#block in log first quick on fxp0 proto tcp/udp from any to any port = 138
block in quick on fxp0 proto tcp/udp from any to any port = 137
block in quick on fxp0 proto tcp/udp from any to any port = 138
block in log first quick on fxp0 proto tcp/udp from any to any port = 139
block in log first quick on fxp0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on fxp0 proto udp from 10.0.1.1 to any port = 68 keep state

# Allow in standard www function because I have apache server
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 443 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 8443 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 10000 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on fxp0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence avoids filling up disk with Denial of Service logs.
# This rule implements the default block.
block in log first quick on fxp0 all
################### End of rules file #####################################
```


----------



## SirDice (Nov 25, 2010)

At a quick glance I can't see anything wrong with the ruleset. Have a look with `# ipfstat -nio` and verify rule 28 is the rule you think it is.

Also have a look with tcpdump(1) and see if you can find anything special that might be a reason for the blocks (like packet retries).
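An added example (not code from this thread or from ipfilter): a small Python parser for the ipmon(8) line layout quoted in the post above, which tallies hits per rule number and action so the rule ipmon reports can be compared with the numbering `ipfstat -nio` shows. The sample lines are constructed from the three log lines above plus one TCP line in the same layout; the function names `parse_ipmon_line`, `summarize_by_rule` and `hits_for_rule` are chosen here.

```python
import re
from collections import Counter

# Matches the body of an ipmon(8) line in the layout quoted in this thread; the
# syslog prefix is not anchored, so raw ipmon output and /var/log/messages both parse.
IPMON_RE = re.compile(
    r"(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[^\s,]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s*(?P<rest>.*)$"
)

# Constructed sample: the three lines from the post above plus one TCP line in
# the same layout (198.51.100.7 is a documentation address, not real data).
SAMPLE_LOG = """\
Nov 25 10:30:47 dev ipmon[803]: 10:30:47.054681 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,32813 PR udp len 20 111 IN bad
Nov 25 10:30:52 dev ipmon[803]: 10:30:52.024385 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,32813 PR udp len 20 111 IN bad
Nov 25 10:31:02 dev ipmon[803]: 10:31:02.050001 fxp0 @0:28 b 10.0.1.1,53 -> 10.0.1.8,25838 PR udp len 20 63 IN bad
10:31:05.100000 fxp0 @0:2 b 198.51.100.7,40122 -> 10.0.1.8,80 PR tcp len 20 60 -S IN
"""

def parse_ipmon_line(line):
    """Return a dict for one ipmon line, or None if it is not an ipmon record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # After the lengths come TCP flags ("-S"), the direction and markers such as "bad".
    tokens = rec.pop("rest").split()
    rec["direction"] = next((t for t in tokens if t in ("IN", "OUT")), None)
    rec["flags"] = [t for t in tokens if t not in ("IN", "OUT")]
    for key in ("group", "rule", "hlen", "plen"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize_by_rule(log_text):
    """Count hits per (group, rule, action); compare the rule number with 'ipfstat -nio'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is not None:
            counts[(rec["group"], rec["rule"], rec["action"])] += 1
    return counts

def hits_for_rule(log_text, rule, group=0):
    """All parsed records that matched a given rule, e.g. rule 28 in the post above."""
    recs = (parse_ipmon_line(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None and (r["group"], r["rule"]) == (group, rule)]
```

Feed it the real /var/log/messages instead of `SAMPLE_LOG` and look at the `flags` list of the blocked records; a marker like `bad` on every hit points at something about the packets themselves rather than at the rule text.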


----------



## rblon (Nov 26, 2010)

I have double-checked and rule 28 is indeed the last "block in all" rule

It really seems to me that I am seeing this bug (or here). But I don't know how to apply the patch that is mentioned.


----------

