Hello,

I posted that mail a week ago and haven't received any reply; please, can
anyone help me?

My server's state table fills up once a day. The output from ipfstat -s
says that it has 2048 entries, where:

1988 of them were initiated from my server, from some port, to the Internet
at destination port 80.
1984 of them were in state 4/5.

That server is running the squid proxy server, and I'm keeping state for
each outgoing connection from the server, so the outgoing connections are
created by squid.

To fix it, I could let in packets from any host with source port 80 to
any port of my server, and not keep state for packets originated at my
server with destination port 80. But I think it's insecure, so
there must be a better solution.

Any suggestions?

Following is the firewall ruleset, with the public ip wiped out.

Thanks in advance

Alejandro Valdez

#!/bin/bash

export IP_WAN=
export IP_WBRD=
export IP_WNET=
export IF_WAN="net0"

export IP_LAN="192.168.69.1/32"
export IP_LBRD="192.168.69.255/32"
export IP_LNET="192.168.69.0/24"
export IF_LAN="net1"

/etc/ipf -Fa
/etc/ipf -f - << EOF

#-----------------------------------------------------------------------
#Rules for $IF_WAN
#-----------------------------------------------------------------------

block in log on $IF_WAN all
block return-rst in log on $IF_WAN proto tcp all flags S
block return-icmp(port-unr) in log on $IF_WAN proto udp all
block in log quick on $IF_WAN           all with short
block in log quick on $IF_WAN           all with ipopts

block in     quick on $IF_WAN from 192.168.0.0/16 to any
block in     quick on $IF_WAN from 172.16.0.0/12 to any
block in     quick on $IF_WAN from 10.0.0.0/8 to any
block in     quick on $IF_WAN from 127.0.0.0/8 to any
block in     quick on $IF_WAN from 0.0.0.0/8 to any
block in     quick on $IF_WAN from 169.254.0.0/16 to any
block in     quick on $IF_WAN from 192.0.2.0/24 to any
block in     quick on $IF_WAN from 204.152.64.0/23 to any
block in     quick on $IF_WAN from 224.0.0.0/3 to any
block in     quick on $IF_WAN from any to 255.255.255.255/32

block in     quick on $IF_WAN from any to $IP_WBRD
block in     quick on $IF_WAN from any to $IP_WNET

pass  in     quick on $IF_WAN proto icmp all icmp-type 8  #echo request
pass  in     quick on $IF_WAN proto icmp all icmp-type 11 #time exceeded
block in log quick on $IF_WAN proto icmp all

block return-icmp(port-unr) in quick on $IF_WAN proto udp from any to any \
        port 136 >< 140 #netbios
block return-rst in quick on $IF_WAN proto tcp from any to any \
        port 136 >< 140 flags S #netbios

block return-rst in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 113 #ident

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 22 flags S  keep state keep frags #ssh

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 23 flags S  keep state keep frags #telnet

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 25 flags S  keep state keep frags #smtp

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 53 flags S  keep state keep frags #dns

pass in quick on $IF_WAN proto udp from any to $IP_WAN \
        port = 53  keep state keep frags #dns

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 80 flags S  keep state keep frags #http

pass in quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 110 flags S keep state keep frags #pop3

pass in log first   quick on $IF_WAN proto tcp from any to $IP_WAN \
        port = 8080 flags S keep state keep frags  #proxy

pass  out     quick on $IF_WAN proto tcp  from $IP_WAN to any keep state
pass  out     quick on $IF_WAN proto udp  from $IP_WAN to any keep state
pass  out     quick on $IF_WAN proto icmp from $IP_WAN to any keep state
block out log       on $IF_WAN all

#-----------------------------------------------------------------------
#Rules for $IF_LAN
#-----------------------------------------------------------------------

block in log on $IF_LAN from any to any

pass in quick on $IF_LAN proto tcp from $IP_LNET to any keep state
pass in quick on $IF_LAN proto udp from $IP_LNET to any keep state
pass in quick on $IF_LAN proto icmp from $IP_LNET to any keep state

pass out on $IF_LAN all
EOF
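A toy model of the two points raised in the mail, as an added example that is neither the poster's ruleset nor IP Filter's own code: it shows how "keep state" entries for squid's outbound fetches accumulate until the 2048-entry table is full, and why an inbound rule keyed only on source port 80 admits unsolicited packets that no state entry ever asked for. STATE_MAX, SERVER, the packet fields and the state semantics are constructed, simplified assumptions.

```python
# Added example, not from the original mail or from IP Filter itself: a toy
# model of ipf-style 'keep state' filtering. Packet fields, rule semantics
# and the state key are simplifying assumptions, not real ipf internals.

STATE_MAX = 2048          # the table size reported by ipfstat -s in the post
SERVER = "203.0.113.10"   # placeholder for the public IP wiped from the post


class Firewall:
    def __init__(self, stateless_src80=False):
        self.states = set()          # (src, sport, dst, dport) of tracked flows
        self.stateless_src80 = stateless_src80
        self.table_full_drops = 0    # outbound flows refused a state slot

    def outbound(self, dst, dport, sport):
        """Server opens a flow: 'pass out quick ... keep state'."""
        key = (SERVER, sport, dst, dport)
        if key in self.states:
            return True
        if len(self.states) >= STATE_MAX:   # no slot left: state cannot be added
            self.table_full_drops += 1
            return False
        self.states.add(key)
        return True

    def expire(self, dst, dport, sport):
        """Entry aged out (idle/close timeout) or closed; frees its slot."""
        self.states.discard((SERVER, sport, dst, dport))

    def inbound(self, src, sport, dport):
        """Packet from the Internet to SERVER:dport on $IF_WAN."""
        if (SERVER, dport, src, sport) in self.states:
            return True                   # reply to a tracked outbound flow
        if self.stateless_src80 and sport == 80:
            return True                   # the insecure stateless workaround
        return False                      # 'block in log on $IF_WAN all'


def squid_burst(fw, n, first_port=32768):
    """Open n proxy fetches to web hosts (constructed addresses); return how
    many of them obtained a state entry."""
    accepted = 0
    for i in range(n):
        if fw.outbound(f"198.51.100.{i % 250 + 1}", 80, first_port + i):
            accepted += 1
    return accepted
```

Once `squid_burst` has filled the table, further outbound fetches fail until entries expire, which is the daily exhaustion the mail describes; the `stateless_src80` flag reproduces the workaround the poster is wary of.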