Compiled IPFilter 4.1.29 on Solaris 8 using Sun Studio 11. Compile and install
went fine. For the most part things are working with one exception I cannot
figure out. When the server tries to open up a TCP session (outbound), and the
remote client has nothing running on the port we are trying to connect to, it
closes the connection with an RST-ACK. That packet is getting rejected when it
comes back instead of tearing down the connection.
Here is what it looks like in the IPFilter log:
19/05/2008 15:46:11.533630 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,983 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:13.163449 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,984 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:14.903013 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,983 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:19.913159 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,984 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:21.652822 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,983 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:33.410686 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,984 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:35.150632 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,983 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:03.164846 hme0 @0:2 b 10.11.4.132,13782 -> 10.11.2.6,986 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:06.530644 hme0 @0:2 b 10.11.4.132,13782 -> 10.11.2.6,986 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:13.282645 hme0 @0:2 b 10.11.4.132,13782 -> 10.11.2.6,986 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:26.780667 hme0 @0:2 b 10.11.4.132,13782 -> 10.11.2.6,986 PR tcp len 20 40 -AR IN OOW
While these are coming in, here is what the state table looks like:
mysolsrv -> mylinuxsrv pass 0x40004502 pr 6 state 1/11
tag 0 ttl 20
986 -> 13782 f26809b:0 24820<<0:1<<0
cmsk 0000 smsk 0000 s0 00000000/00000000
FWD:ISN inc 0 sumd 0
REV:ISN inc 0 sumd 0
forward: pkts in 0 bytes in 0 pkts out 1 bytes out 48
backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
pass out quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0, ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0 0x1 0x1 0
interfaces: in X[],X[hme0] out X[hme0],X[]
Sync status: not synchronized
I don't get it. Shouldn't the RST be allowed back in to terminate the
connection and delete the state table entry? Below are the rules I am testing
with. Please note that this is a lab server and the final rules won't have so
many exceptions - this is for testing basic function only. I don't see how the
rules would affect this since this RST should be allowed back in as part of the
initial handshake.
# ipfstat -ioh
0 pass out quick on lo0 all
146 pass out quick on hme0 proto tcp from any to any flags S/FSRPAU keep state
322 pass out quick on hme0 all
0 pass in quick on lo0 all
329 block in log quick on hme0 proto tcp from any to any head 10
444 block in quick on hme0 proto udp from any to any head 11
27 block in quick on hme0 proto icmp from any to any head 12
0 block in log quick on hme0 all
# Group 10
0 block in quick on hme0 proto tcp from any to any with short group 10
0 pass in quick on hme0 proto tcp from 10.11.2.13/32 to any flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from any to any port = ftp flags S/FSRPAU keep state keep frags group 10
2 pass in quick on hme0 proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from any to any port = telnet flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.5/32 to any port = vmd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.9/32 to any port = vmd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.1.26/32 to any port = vmd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from any to any port = bprd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.5/32 to any port = bpdbm flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.9/32 to any port = bpdbm flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.1.26/32 to any port = bpdbm flags S/FSRPAU keep state keep frags group 10
4 pass in quick on hme0 proto tcp from any to any port = bpjava-msvc flags S/FSRPAU keep state keep frags group 10
8 pass in quick on hme0 proto tcp from any to any port = vnetd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.5/32 to any port = bpcd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.2.9/32 to any port = bpcd flags S/FSRPAU keep state keep frags group 10
0 pass in quick on hme0 proto tcp from 10.11.1.26/32 to any port = bpcd flags S/FSRPAU keep state keep frags group 10
5 pass in quick on hme0 proto tcp from any to any port 511 >< 1025 flags S/FSRPAU keep state keep frags group 10
2 pass in quick on hme0 proto tcp from any to any port 4799 >< 5001 flags S/FSRPAU keep state keep frags group 10
# Group 11
255 pass in quick on hme0 proto udp from 10.11.2.13/32 to any group 11
# Group 12
27 pass in quick on hme0 proto icmp from any to any icmp-type echorep group 12
0 pass in quick on hme0 proto icmp from any to any icmp-type echo group 12
0 pass in quick on hme0 proto icmp from any to any icmp-type 30 group 12
Any ideas?
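Added example, not code from the post above or from IPFilter itself: a small Python script that parses ipmon records of the shape quoted in the post (each record on one line), resolves the `@group:rule` field against an `ipfstat -ioh` listing, and picks out inbound RSTs that were blocked with the `OOW` marker. Two things are assumed rather than taken from the post: that `@0:2` reads as group 0, rule 2, with rule numbers restarting at 1 for each direction and each group the way `ipfstat -ion` numbers them (which makes `@0:2` the `block in log quick on hme0 proto tcp ... head 10` rule the RSTs fall through to), and that `OOW` is ipmon's out-of-window marker, meaning the packet matched a state entry but failed the TCP sequence/window check and was therefore handed to the ordinary rule list. The sample log and rule listing are constructed from the post's own output, plus one made-up blocked SYN as a control.

```python
"""Parse ipmon(8) records, resolve @group:rule against an `ipfstat -ioh`
listing, and report inbound RSTs that were blocked as out-of-window.

Added example, not code from the original post or from IPFilter.
ASSUMPTIONS (not stated in the post):
  * "@0:2" is group 0, rule 2; numbering restarts at 1 per direction
    (in/out) and per group, as `ipfstat -ion` displays it.
  * "OOW" is ipmon's out-of-window marker: the packet matched a state
    entry but failed the sequence/window check, so it was not passed
    by state and fell through to the normal rule list.
"""
import re
from collections import Counter

# Constructed sample: three records copied from the post (re-joined onto one
# line each) plus one made-up blocked inbound SYN that is NOT out-of-window.
SAMPLE_LOG = """\
19/05/2008 15:46:11.533630 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,983 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:46:13.163449 hme0 @0:2 b 10.11.4.157,13782 -> 10.11.2.6,984 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:03.164846 hme0 @0:2 b 10.11.4.132,13782 -> 10.11.2.6,986 PR tcp len 20 40 -AR IN OOW
19/05/2008 15:47:30.000000 hme0 @0:2 b 10.11.4.157,40000 -> 10.11.2.6,23 PR tcp len 20 60 -S IN
"""

# Constructed sample: an abridged copy of the post's `ipfstat -ioh` listing.
SAMPLE_RULES = """\
0 pass out quick on lo0 all
146 pass out quick on hme0 proto tcp from any to any flags S/FSRPAU keep state
322 pass out quick on hme0 all
0 pass in quick on lo0 all
329 block in log quick on hme0 proto tcp from any to any head 10
444 block in quick on hme0 proto udp from any to any head 11
27 block in quick on hme0 proto icmp from any to any head 12
0 block in log quick on hme0 all
# Group 10
0 block in quick on hme0 proto tcp from any to any with short group 10
2 pass in quick on hme0 proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags group 10
"""

# One ipmon record: date time iface @group:rule action src,sport -> dst,dport
# PR proto len hdrlen totlen [-FLAGS] IN|OUT [markers such as OOW]
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)(?P<extra>(?: \S+)*)$"
)
# One `ipfstat -h` line: hit count, then the rule text starting "action in|out".
RULE_RE = re.compile(r"^(?P<hits>\d+) (?P<text>(?P<action>\S+) (?P<dir>in|out)\b.*)$")


def parse_ipmon_line(line):
    """Return a dict for one ipmon record, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["tcpflags"] = set((rec["flags"] or "-")[1:])   # "-AR" -> {"A", "R"}
    rec["markers"] = set(rec["extra"].split())         # e.g. {"OOW"}
    return rec


def index_rules(listing):
    """Map (direction, group, n) -> rule text. ASSUMPTION: n restarts at 1 for
    every (direction, group) pair; a rule without a trailing 'group N' is in
    group 0 (a 'head N' rule only defines group N, it still lives in group 0)."""
    counters, index = Counter(), {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        text, direction = m.group("text"), m.group("dir")
        g = re.search(r"\bgroup (\d+)$", text)
        group = int(g.group(1)) if g else 0
        counters[(direction, group)] += 1
        index[(direction, group, counters[(direction, group)])] = text
    return index


def find_blocked_oow_rsts(log, rule_index):
    """Inbound TCP segments carrying RST that were blocked and marked OOW,
    each annotated with the rule that finally blocked them."""
    hits = []
    for line in log.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dir"] != "IN":
            continue
        if rec["action"].lower() == "b" and "R" in rec["tcpflags"] and "OOW" in rec["markers"]:
            rec["blocked_by"] = rule_index.get(("in", rec["group"], rec["rule"]), "<unknown>")
            hits.append(rec)
    return hits


def summarise(hits):
    """Count blocked RSTs per (remote addr, remote port, local port)."""
    return Counter((h["src"], h["sport"], h["dport"]) for h in hits)


if __name__ == "__main__":
    idx = index_rules(SAMPLE_RULES)
    for h in find_blocked_oow_rsts(SAMPLE_LOG, idx):
        print(f"{h['time']} {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} "
              f"flags={''.join(sorted(h['tcpflags']))} blocked by: {h['blocked_by']}")
    for key, n in summarise(find_blocked_oow_rsts(SAMPLE_LOG, idx)).items():
        print(f"{n}x RST from {key[0]}:{key[1]} to local port {key[2]}")
```

Run against the full `ipmon` output and `ipfstat -ioh` listing on the box, the summary shows which outbound connection attempts are collecting out-of-window RSTs, and the `blocked_by` field confirms that nothing in the rule list is blocking them deliberately: the RST simply never matched the state entry.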