Hi everybody,
I'm experiencing a nasty problem on a FreeBSD 4.7 machine with ipfilter
3.4.29 and ppp. I run pptpd on that machine to accept inbound PPTP
connections (and thanks to the archives of this list I found that ipnat
can actually map GRE tunnels! ;), which in turn invokes ppp to deal with
the PPTP connection. It works very well so far, with one exception:
When a PPTP connection is established, I find that I have to do a
'ipf -y' in ppp.linkup for ipf to recognize the new tunnel interface.
Otherwise, all traffic just hits my "block in all" rule, not matching
the rule that should permit traffic from the tunnel interface.
So far, so good... however, as soon as that 'ipf -y' is executed, it
seems as though the contents of the state table become stale. Open TCP
connections that had nothing to do with tunnel interfaces (or ppp, for
that matter) are suddenly dropped. 'ipfstat -sl' still reports the
connections, so they're not really deleted from the state table - the
packets just don't match the state table anymore and enter normal ruleset
processing, where they get dropped for not having the SYN flag set.
Here's an ipfstat -sl:
*** before executing ipf -y
192.168.10.100 -> 80.238.135.123 ttl 863980 pass 0x500a pr 6 state 4/4
pkts 28 bytes 1312 4175 -> 25 a72d6447:e11085bf 64512<<0:57400<<0
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in sis0,sis1 out sis1,sis0
*** after executing ipf -y
192.168.10.100 -> 80.238.135.123 ttl 863929 pass 0x500a pr 6 state 4/4
pkts 28 bytes 1312 4175 -> 25 a72d6447:e11085bf 64512<<0:57400<<0
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in sis1,sis1 out sis1,sis0
The only thing I can see that has changed is sis0 to sis1 in the last
line. sis0 is the LAN interface, sis1 is WAN. Maybe ipf -y somehow messes
the states up so that ipfilter now expects packets to match that state to
come in through sis1 instead of sis0? Then why does ipf -y change entries
in its internal interface list when the corresponding "real" interfaces
have not changed at all?
Of course I can immediately re-establish the TCP connection after the ipf
-y, but it's still annoying to lose all open connections when a PPTP user
logs in.
Does anybody know how to get rid of or work around this problem, or has anybody
experienced a similar thing?
Thank you for your time!
Manuel
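An added example, not part of the original post: a small parser for the `ipfstat -sl` output format quoted above, plus a diff that flags state entries whose interface binding changed between two snapshots (for instance, one taken before and one after `ipf -y`). The two sample snapshots are constructed from the excerpts in the post; the field names and the entry key are my own choices and are not an ipfilter API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample snapshots, constructed from the two ipfstat -sl excerpts in the post.
BEFORE = """\
192.168.10.100 -> 80.238.135.123 ttl 863980 pass 0x500a pr 6 state 4/4
pkts 28 bytes 1312 4175 -> 25 a72d6447:e11085bf 64512<<0:57400<<0
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in sis0,sis1 out sis1,sis0
"""

AFTER = """\
192.168.10.100 -> 80.238.135.123 ttl 863929 pass 0x500a pr 6 state 4/4
pkts 28 bytes 1312 4175 -> 25 a72d6447:e11085bf 64512<<0:57400<<0
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in sis1,sis1 out sis1,sis0
"""

# First line of an entry: addresses, ttl, action, rule tag, protocol, state pair.
HEADER = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) ttl (?P<ttl>\d+) (?P<action>\w+) 0x[0-9a-f]+"
    r" pr (?P<proto>\d+) state (?P<s1>\d+)/(?P<s2>\d+)$"
)
# Second line: packet/byte counters followed by source -> destination port.
PORTS = re.compile(r"^pkts (?P<pkts>\d+) bytes (?P<bytes>\d+) (?P<sport>\d+) -> (?P<dport>\d+)")
# Last line: the interface lists the state entry is bound to.
IFACES = re.compile(r"^interfaces: in (?P<in>\S+) out (?P<out>\S+)$")

Key = Tuple[str, int, str, int, int]


@dataclass(frozen=True)
class StateEntry:
    src: str
    dst: str
    proto: int
    ttl: int
    sport: int
    dport: int
    in_ifaces: Tuple[str, ...]
    out_ifaces: Tuple[str, ...]

    def key(self) -> Key:
        # Identity of the flow, independent of counters, ttl and interfaces.
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def parse_ipfstat(text: str) -> Dict[Key, StateEntry]:
    """Parse ipfstat -sl output into a dict keyed by flow 5-tuple."""
    entries: Dict[Key, StateEntry] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
                       "ttl": int(m["ttl"]), "sport": 0, "dport": 0}
            continue
        if current is None:
            continue
        m = PORTS.match(line)
        if m:
            current["sport"], current["dport"] = int(m["sport"]), int(m["dport"])
            continue
        m = IFACES.match(line)
        if m:
            entry = StateEntry(**current,
                               in_ifaces=tuple(m["in"].split(",")),
                               out_ifaces=tuple(m["out"].split(",")))
            entries[entry.key()] = entry
            current = None  # interfaces line closes the entry
    return entries


IfacePair = Tuple[Tuple[str, ...], Tuple[str, ...]]


def diff_interfaces(before: Dict[Key, StateEntry],
                    after: Dict[Key, StateEntry]) -> List[Tuple[Key, IfacePair, IfacePair]]:
    """Return flows present in both snapshots whose in/out interface lists changed."""
    changed = []
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            continue  # entry expired or was removed; not a rebinding
        old_pair = (old.in_ifaces, old.out_ifaces)
        new_pair = (new.in_ifaces, new.out_ifaces)
        if old_pair != new_pair:
            changed.append((key, old_pair, new_pair))
    return changed


if __name__ == "__main__":
    for key, old, new in diff_interfaces(parse_ipfstat(BEFORE), parse_ipfstat(AFTER)):
        src, sport, dst, dport, proto = key
        print(f"{src}:{sport} -> {dst}:{dport} pr {proto}: in {old[0]} -> {new[0]}, out {old[1]} -> {new[1]}")
```

Run with two saved `ipfstat -sl` dumps in place of the constructed strings to confirm, on your own box, that the interface rebinding is what correlates with the dropped connections rather than the entries disappearing from the table.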