Hello,
Yesterday, my mail wasn't explicit. Sorry.
Architecture:
Internet
PF firewall on FreeBSD 5.5
DNS server (bind 9)
This is now a firewall in production: DNS host has 100 packets per second,
there is a mail server with 700.000 smtp hits per day, 'pfctl -si' shows
between 4000 and 8000 state entries during the day.
Here is a more complete trace, thanks to script(1) and screen(1).
. at 08:40:00, I set up the smallest rule:
# date ; pfctl -f /etc/pf/test.conf
Tue Mar 6 08:40:00 MET 2007
No ALTQ support in kernel
ALTQ related functions disabled
# pfctl -sr
block drop in log all
pass out on em0 all keep state
pass out on em1 all keep state
pass in on em0 all flags S/SA keep state
pass in on em1 all flags S/SA keep state
. at 08:40:10, 2 packets are blocked:
# tcpdump -eni pflog0 host 192.134.0.49
08:40:10.848258 rule 0/0(match): block in on em1: IP 192.134.0.49.53 > 129.199.96.11.55186: 47029 NXDomain*-[|domain]
08:40:10.848266 rule 0/0(match): block in on em1: IP 192.134.0.49 > 129.199.96.11: udp
. but the flow is opened:
# pfctl -ss | grep 192.134.0.49
self udp 192.134.0.49:53 <- 129.199.96.11:55186 MULTIPLE:MULTIPLE
self udp 129.199.96.11:55186 -> 192.134.0.49:53 MULTIPLE:MULTIPLE
. and here is tcpdump before the firewall:
# tcpdump -i em1 host 192.134.0.49
08:39:50.901802 IP 129.199.96.11.55186 > 192.134.0.49.53: 33752 [1au] A? bancoedwards.cl. (44)
08:39:50.903939 IP 192.134.0.49.53 > 129.199.96.11.55186: 33752- 0/2/3 (125)
08:39:52.150305 IP 129.199.96.11.55186 > 192.134.0.49.53: 53112 [1au] PTR? 8.101.224.88.in-addr.arpa. (54)
08:39:52.153941 IP 192.134.0.49.53 > 129.199.96.11.55186: 53112 NXDomain*- 0/6/6 (1472)
08:39:52.153945 IP 192.134.0.49 > 129.199.96.11: udp
08:39:56.164523 IP 129.199.96.11.55186 > 192.134.0.49.53: 43684 [1au] PTR? 176.195.118.88.in-addr.arpa. (56)
08:39:56.178153 IP 192.134.0.49.53 > 129.199.96.11.55186: 43684 NXDomain*- 0/6/6 (1472)
08:39:56.178158 IP 192.134.0.49 > 129.199.96.11: udp
-------
so before 08:40:00, there is traffic. See 'pfctl -ss' above.
And now the blocked packet:
-------
the DNS query (em0 to em1):
08:40:10.844354 IP 129.199.96.11.55186 > 192.134.0.49.53: 47029 [1au] PTR? 187.239.91.81.in-addr.arpa. (55)
the answer (em1 to em0):
08:40:10.848241 IP 192.134.0.49.53 > 129.199.96.11.55186: 47029 NXDomain*- 0/6/6 (1472)
08:40:10.848246 IP 192.134.0.49 > 129.199.96.11: udp
. here are more details on blocked packets (tcpdump -n -v -i em1 host 192.134.0.49):
09:41:06.492426 IP (tos 0x0, ttl 58, id 34397, offset 0, flags [+], length: 1500) 192.134.0.49.53 > 129.199.96.11.57617: 5828 NXDomain*- 0/6/6 (1472)
09:41:06.492551 IP (tos 0x0, ttl 58, id 34397, offset 1480, flags [none], length: 458) 192.134.0.49 > 129.199.96.11: udp
. adding the rule:
pass in quick on em1 inet from any to 129.199.96.11
solves the problem.
So, where is the problem?
Is there a better fix than my rule?
--
Jacques Beigbeder | [EMAIL PROTECTED]
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure |
45 rue d'Ulm |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05 |Fax : (+33 1)1 44 32 20 75
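The blocked reply above, as an added example that is not part of the original post: this Python script parses the two `tcpdump -n -v` lines of the fragmented DNS answer, groups the fragments by IP id, and reports which fragments carry no UDP ports and how large the reassembled datagram is. It assumes a 20-byte IP header (no options) and the constructed `TRACE` is copied from the post.

```python
import re
from collections import defaultdict
# Two `tcpdump -n -v` lines copied from the trace above: one UDP DNS reply
# from 192.134.0.49 that left the resolver as two IP fragments.
TRACE = """\
09:41:06.492426 IP (tos 0x0, ttl 58, id 34397, offset 0, flags [+], length: 1500) 192.134.0.49.53 > 129.199.96.11.57617: 5828 NXDomain*- 0/6/6 (1472)
09:41:06.492551 IP (tos 0x0, ttl 58, id 34397, offset 1480, flags [none], length: 458) 192.134.0.49 > 129.199.96.11: udp
"""
IP_HDR = 20  # assumption: no IP options (tcpdump -v would print them)
LINE = re.compile(
    r"^\S+ IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+?):")

def _addr(field):
    # tcpdump prints 'a.b.c.d.port' when a UDP header is present, else 'a.b.c.d'
    parts = field.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (field, None)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    src, sport = _addr(m["src"])
    dst, dport = _addr(m["dst"])
    return {"id": int(m["id"]), "off": int(m["off"]), "len": int(m["len"]),
            "mf": "+" in m["flags"], "src": src, "dst": dst, "sport": sport, "dport": dport}

def analyse(trace):
    # group fragments by (src, dst, IP id) and summarise each datagram
    groups = defaultdict(list)
    for p in filter(None, map(parse, trace.splitlines())):
        groups[(p["src"], p["dst"], p["id"])].append(p)
    out = []
    for (src, dst, ip_id), frags in groups.items():
        frags.sort(key=lambda f: f["off"])
        # contiguous if each fragment starts where the previous one ended
        contiguous = all(b["off"] == a["off"] + a["len"] - IP_HDR
                         for a, b in zip(frags, frags[1:]))
        last = frags[-1]
        out.append({
            "src": src, "dst": dst, "ip_id": ip_id, "fragments": len(frags),
            # only the offset-0 fragment carries UDP ports; the others cannot be matched on port
            "portless": sum(f["sport"] is None for f in frags),
            "sport": frags[0]["sport"], "dport": frags[0]["dport"],
            # reassembled UDP length (8-byte header + DNS message), if complete
            "udp_bytes": last["off"] + last["len"] - IP_HDR,
            "complete": contiguous and frags[0]["off"] == 0 and not last["mf"],
        })
    return out
```

The reassembled reply is 1918 bytes of UDP, larger than the 1500-byte link MTU, so it always arrives as two fragments of which only the first has a UDP header; a filter that evaluates fragments one by one cannot apply port-based state matching to the whole reply, which is what PF's `scrub ... fragment reassemble` option exists to fix by reassembling before the rules are evaluated.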