[fw-wiz] TCP issue with PF & SACK

From: Mark Renouf (mark_at_tweakt.net)
Date: 04/23/04

  • Next message: Carric Dooley: "Re: [fw-wiz] Stanford break in" 
    To: firewall-wizards@honor.icsalabs.com
Date: Fri, 23 Apr 2004 00:14:04 -0400

    Greetings... long time lurker, first time poster...

    I have here an OpenBSD 3.4 PF/NAT in front of my cablemodem acting as
    traffic cop. I recently upgraded from 2.9 (with ipf). Now, for the most
    part I understand the rule syntax and have effectively translated my
    ruleset over, things are working ok...

    With one exception...

    I've noticed... certain hosts, I cannot establish a TCP connection with.
    Most obvious are http connections, but I'm sure it would probably occur
    with any tcp based service on those hosts.

    Basically, my firewall receives the SYN/ACK but doesn't "see" it. By
    that I mean, it's never acknowledged, state tables are not affected,
    it's as if it was never sent. But it *is* being received (on the wire at
    least). tcpdump provides proof of that.

    So far, the pattern seems to be remote hosts which support SACK (RFC
    2018). All the hosts which my firewall fails to connect to, are
    returning the SACK Permitted option in the S/A packet.

    Anyone have any hints? Something to check/add to my ruleset? Maybe it's
    a sysctl that needs to be enabled?

    I've tried with 'net.inet.tcp.sack' both enabled and disabled.

    I checked the 3.5 changelog and saw this:

    "Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE
    becomes TCP_SACK_ENABLE"

    Not sure if that's relevant...

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Carric Dooley: "Re: [fw-wiz] Stanford break in"

    Relevant Pages

    • DNS service over TCP
      ... All working fine except for some hosts cant ... do TCP connections on port 53. ... I've set logging on my firewall and see only ICMP packets ...
      (FreeBSD-Security)
    • RE: [fw-wiz] Vulnerability Response
      ... >>two evolving solution spaces that solve real problems. ... > management effort scales with the number of hosts. ... change control is an _enemy_ when talking about rank and file ... but not even the mjr perfectly secure firewall will work ...
      (Firewall-Wizards)
    • Re: Using netmask ffffffff
      ... The most important thing these new hosts need is connection to the outside world, for internet browsing, webmail access, fetch some documents from remote sites they forgot to bring with them for the conference, etc. ... the new hosts should not be able to directly contact each-other or the majority of my internal network. ... The trouble is that even if I set-up firewall rules to filter their traffic, they can still communicate behind the firewall directly through the switch they are all connected to, as only their internet traffic will go through the firewall. ...
      (comp.unix.bsd.freebsd.misc)
    • Re: XP vulnerabilities?
      ... Note that I also questioned your use of the "Corporate Edition" of Windows. ... If you were indeed running a network of 5 or more hosts for which you ... firewall host running the firewall software through which all your intranet ... export their rules so you can migrate them easily to another host, but NIS ...
      (alt.computer.security)
    • Re: HELP ! ipfw et natd
      ... > So the problem for me was to remark that the DNS of my IPS (193.252.19.3 it ... I don't think the nameserver's IP changed because of the firewall. ... Propagation of the change to your LAN hosts is another thing. ... well) and pointing the LAN hosts to the FreeBSD box as their nameserver. ...
      (comp.unix.bsd.freebsd.misc)