Peter Clark wrote:
Grubs wrote:

Hello,

I have been struggling with tuning IPFilter in the following environment.

FreeBSD 6.3.
IPFilter is compiled into the kernel (i.e. not using loadable module)
IPFILTER_DEFAULT_BLOCK  option is set in kernel

I am administering the machine remotely over an SSH session so I am always wary of being locked out by the default block condition when ipf pass rules are cleared.

***Q1.  Is it possible to boot FreeBSD with IPFilter using non-default tuning values (e.g. fr_tcpidletimeout) when IPfilter is compiled into the kernel?

Following the documented methods of setting sysctl parameters in /boot/loader.conf and/or /etc/sysctl.conf fail.

e.g. in /boot/loader.conf

net.inet.ipf.fr_tcpidletimeout=7200

and/or the same setting in /etc/sysctl.conf does not alter the default value during bootup (net.inet.ipf.fr_tcpidletimeout = 864000 after reboot)

I understand that after IPfilter is loaded then fr_tcpidletimeout can only be changed when IPFilter is disabled (ipf -D) but can these setting be set during the first load of IPF by the OS?

***Q2. Is disabling and re-enabling IPF using ipf -D/E supposed to clear the loaded rule set and NAT? My testing (below) indicates it seems to. If this is normal - can the man page *please* be updated to say this.

Following the ipf man page example:

ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

results in a total lockout. All network traffic is blocked (the IPFILTER_DEFAULT_BLOCK option). It appears that disabling and re-enabling IPFilter using ipf -D/E *clears the loaded rules* but this fact isn't documented in the man page or documentation that I could find. The state table and NAT rules are also flushed (which makes sense when we are changing the size of it!). With the default block option clearing the PASS rules = death!
I found I needed to include my ipf.rules when re-enabling.

ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E -f /etc/ipf.rules

^^^  this works.

The SSH session is terminated (I assume the state table is cleared when disabling and re-enabling also), but IP traffic is not blocked and I can start a new SSH session. fr_tcpidletimeout is correctly set to the specified value. sysctl net.inet.ipf.fr_tcpidletimeout: 7200
After reconnecting I then had to manually reload the NAT rules.

ipnat -f /etc/ipnat.rules

So currently I can only boot the server with the default tuning values and then run a script on bootup to re-tune IPF to my requirements (reloading the block rules and nat rules). ***Q.3 Is there a better way I should be using to tune IPF on bootup?

Thanks for any help,
Shane



I too have struggled with this very topic. The only solution I came up with was throwing those variables into rc.local.


vanity# more /etc/rc.local
ipf -D -T fr_icmptimeout=35 -E
ipf -D -T fr_tcpclosewait=120 -E
ipf -D -T fr_tcphalfclosed=300 -E
ipf -D -T fr_tcpidletimeout=7200 -E
ipf -D -T fr_tcplastack=120 -E
ipf -D -T fr_tcptimeout=240 -E
ipf -D -T fr_udptimeout=90 -E
ipf -Fa -f /etc/ipf.rules


which certainly seems to work

vanity# ipf -T list
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 7200
fr_tcpclosewait min 0x1 max 0x7fffffff  current 120
fr_tcplastack   min 0x1 max 0x7fffffff  current 120
fr_tcptimeout   min 0x1 max 0x7fffffff  current 240
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 300
fr_udptimeout   min 0x1 max 0x7fffffff  current 90
fr_icmptimeout  min 0x1 max 0x7fffffff  current 35


So I am not sure if there is a "right" way or even a more eloquent way but this does the job for me.


Peter



ipf -D
/sbin/sysctl -w net.inet.ipf.ipf_hostmap_sz=8087
/sbin/sysctl -w net.inet.ipf.fr_statemax=7079
/sbin/sysctl -w net.inet.ipf.fr_statesize=10163
#use these numbers if you are still exceeding the state table.
#/sbin/sysctl -w net.inet.ipf.fr_statemax=10163
#/sbin/sysctl -w net.inet.ipf.fr_statesize=14983
/sbin/sysctl -w net.inet.ipf.ipf_rdrrules_sz=509
/sbin/sysctl -w net.inet.ipf.ipf_natrules_sz=509
/sbin/sysctl -w net.inet.ipf.ipf_nattable_sz=16889
# optional
#/sbin/sysctl -w net.inet.ipf.fr_tcpidletimeout=7200
#/sbin/sysctl -w net.inet.ipf.fr_tcphalfclosed=7200

# can only be changed with -T option - no sysctl variable
ipf -T ipf_nattable_max=50000
ipf -E
ipf -Fa -f /etc/ipf.cfg
ipnat -f /etc/ipnat.cfg

That is the way I do it, from a script in /usr/local/etc/rc.d/.
Steve
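
The three posts above describe the same boot-time procedure in pieces: Shane found that -E has to be combined with -f so the pass rules come back in the same invocation, Peter runs one ipf -D/-E cycle per tunable (each of which clears the rules again), and Steve writes the sysctl-only sizing knobs while the filter is disabled. The script below is an added example, not code posted in this thread, that folds those into one disable/tune/enable/reload sequence so the default-block window is as short as possible. The paths (/sbin/ipf, /sbin/ipnat, /sbin/sysctl, /etc/ipf.rules, /etc/ipnat.rules), the sample values, and the use of ipf -n as a parse-only check are assumptions to adapt to the local setup.

```shell
#!/bin/sh
# Added example, not code from the thread: apply IPFilter tunables at boot in
# one disable/enable cycle and reload the pass rules and NAT in the same step,
# keeping the window in which IPFILTER_DEFAULT_BLOCK drops everything short.
# All paths and file names below are assumptions; adjust to the local layout.

IPF=${IPF:-/sbin/ipf}
IPNAT=${IPNAT:-/sbin/ipnat}
SYSCTL=${SYSCTL:-/sbin/sysctl}
RULES=${RULES:-/etc/ipf.rules}
NATRULES=${NATRULES:-/etc/ipnat.rules}

# Tunables that are set through ipf -T (constructed sample values).
TUNABLES="fr_tcpidletimeout=7200
fr_tcpclosewait=120
fr_udptimeout=90"

# Sizing knobs written with sysctl while the filter is disabled
# (constructed sample values).
SYSCTLS="fr_statemax=7079
fr_statesize=10163"

# Accept only name=digits pairs so a typo in the config cannot turn into an
# unexpected argument for ipf or sysctl. Prints the validated pairs joined
# by the separator given as $2 (ipf -T wants a comma-separated list).
join_pairs() {
    out=""
    for kv in $1; do
        case "$kv" in
            *=*) ;;
            *) echo "missing '=' in tunable: $kv" >&2; return 1 ;;
        esac
        name=${kv%%=*}
        value=${kv#*=}
        case "$name" in
            ''|*[!A-Za-z0-9_]*) echo "bad tunable name: $kv" >&2; return 1 ;;
        esac
        case "$value" in
            ''|*[!0-9]*) echo "bad numeric value: $kv" >&2; return 1 ;;
        esac
        out="${out:+$out$2}$kv"
    done
    printf '%s\n' "$out"
}

# Print the command sequence without running it, so it can be reviewed over
# the SSH session before the script is wired into rc.
plan_tuning() {
    tlist=$(join_pairs "$TUNABLES" ,) || return 1
    slist=$(join_pairs "$SYSCTLS" ' ') || return 1
    printf '%s -D -T %s\n' "$IPF" "$tlist"
    for kv in $slist; do
        printf '%s -w net.inet.ipf.%s\n' "$SYSCTL" "$kv"
    done
    printf '%s -E -f %s\n' "$IPF" "$RULES"
    printf '%s -f %s\n' "$IPNAT" "$NATRULES"
}

# Execute the sequence. The filter is only disabled after the rule file has
# been parsed, and it is re-enabled with -E -f in one invocation so the
# pass rules are back before anything else runs.
apply_tuning() {
    tlist=$(join_pairs "$TUNABLES" ,) || return 1
    slist=$(join_pairs "$SYSCTLS" ' ') || return 1
    # Assumption: ipf -n is the no-change flag, so this only parses RULES.
    "$IPF" -n -f "$RULES" >/dev/null || { echo "$RULES does not parse" >&2; return 1; }
    "$IPF" -D -T "$tlist" || return 1
    for kv in $slist; do
        # A failed sysctl is reported but must not leave the filter disabled.
        "$SYSCTL" -w "net.inet.ipf.$kv" || echo "sysctl $kv failed" >&2
    done
    "$IPF" -E -f "$RULES" || return 1
    "$IPNAT" -f "$NATRULES"
}

# Run with "plan" to print the commands, "apply" to execute them.
case "${1:-}" in
    plan)  plan_tuning ;;
    apply) apply_tuning ;;
esac
```

Running the script with the plan argument first shows exactly what will be executed; only the apply argument touches the kernel, which keeps an accidental invocation from an interactive shell from clearing the rules.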
