[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Public web server behind a PF bridge, crap clients



I'm going to revisit this topic... as a comment from eWeek's OpenHack 4
caught my attention.  On the following page, in the left column...
http://www.eweek.com/image_popup/0,3662,s=25546&iid=18512,00.asp
Regarding OpenBSD 3.2 PF:
  *** We did notice a few problems where pf rules we wrote using the
firewall's "keep state" option would incorrectly block packets returned as a
result of an incoming connection ***
That is a pretty good description of what I thought we  observed that
prompted me to start this thread.  In our case, we suspected the problem
seemed to favor some users over others.  So I had assumed it was the browser
/ TCPIP stack thee web browser was using?
Maybe the common thread is:  Windows 2000 IIS behind the firewall.
When we used "keep state" on our out rules, we would see port 80 packets
originating from our IIS server were sometimes showing in the log as
dropped. But we could not figure out why some people have this happen and
not others.  At the time we were busy and had to resort to "pass out all on
port 80" style rules to get around the problem.
At this point I'm still at the discussion stage.  We are in the process of
updating our PF bridge firewalls from 3.1-STABLE to 3.2-STABLE right now, so
I don't have logs to show of this.  But I am interested if anyone else can
confirm this type of problem so we can help focus where to look.
We are using Intel ISP1100 servers for our PF firewalls, using the onboard
fxp adapters for the bridge.  These seem to be on the "good stuff" in terms
of recommended OpenBSD hardware.
After we get the firewall on 3.2-stable, I will revert back to using "keep
state" or "modulate state" instead of our pass out all and see what we find.
Again, anyone else in same boat?
Thanks.
  Stephen Gutknecht
-----Original Message-----
From: Stephen Gutknecht (OBSD-PF) [mailto:[email protected]] 
Sent: Saturday, November 23, 2002 3:02 AM
To: [email protected]
Subject: Public web server behind a PF bridge, crap clients
[snip]
We have a OpenBSD 3.1 firewall protecting a public web site.  We are using
good hardware (Intel ISP1100 1u server / Intel Pro Ethernet adapters) by all
accounts, etc.  At times, the only way we have been able to get a particular
user in is to make a special "pass all on port 80" rule for their IP.
My question:  How well does stateful inspection work with crappy clients?
Windows 95 users?  Windows for Workgroups 3.11 TCP/IP stack?  Macintosh 8.x
tcp/ip stacks, etc?  Are there cases where using stateful inspection, and
not using "allow all port 80" is preventing _users on "broken old systems"_
from accessing a public site?
On one had, you want your users to reach your site - but you also want to be
secure (prevent spoofing, etc).  I wondered if people knew examples of some
broken client configurations that are known to cause problems.