synproxy mysteriously stopped working???



Hi,

About 3 weeks ago I built a firewall using OpenBSD 3.4.  It was working
fine.  Yesterday we had an extended power outage and I had to shut
everything down and then turn it back on afterwards.  Suddenly I could no
longer receive incoming TCP connections for FTP, HTTP, SMTP, SSH, etc.
Outgoing connections still worked fine.

Here's exactly what I saw.  From the outside I did, for example, `telnet
<address> 80'.  This triggered an `rdr' rule.  I could see the incoming
packet in the packet log, with its destination address correctly rewritten.
`pfctl -vv -s state' showed the state for the connection (the number of
reply bytes was always 0).  But according to `tcpdump', the rewritten packet
just never went out the internal interface.  But I could originate a
connection from the firewall to the internal machine just fine, which ruled
out a routing problem.

I was thoroughly baffled and frustrated.  Thinking it might help me see
better what was going on, I went into `pf.conf' and changed all occurrences
of `synproxy state' to `modulate state' and reloaded the ruleset.
Everything suddenly started working!!!

I repeat, this ruleset had been working fine with `synproxy state' for a
good 3 weeks, and I don't think this was even the first time I had rebooted
the firewall.  Could I have changed something that made synproxy stop
working?  Conceivably, but I have no idea what and don't recall changing
anything.

Can anyone fathom what might be going on?  I would like to have SYN flood
protection if possible.

I enclose my `pf.conf' below (as it was before I changed `synproxy' to
`modulate').  It's a little hairy because there are two external interfaces,
a cable modem with dynamic IP and a DSL line with static IP.  The
64.220.144.0/26 subnet is an IP address block I once had which I am still
using internally -- yes, I understand the consequences, and renumbering the
LAN is on my to-do list.

Please CC: me in replies as I am not on the list.

-- Scott

################################################################################
# Macros
# Internal interface, 192.168.1 subnet
if_int = "rl0"
# DMZ interface, 192.168.0 subnet
if_dmz = "xl0"
# DSL interface, 66.88.144.192/29
if_dsl = "rl1"
dsl = "( rl1 66.88.144.193 )"
# Cable modem interface, DHCP
if_cm = "ep1"
################################################################################
# Tables
################################################################################
# Options
set block-policy drop
################################################################################
# Traffic Normalization
scrub all fragment reassemble
################################################################################
# Queueing
################################################################################
# Translation
nat on $if_cm from 192.168.1.0/24 to ! 192.168.1.1 -> ($if_cm)
nat on $if_dsl from 192.168.1.0/24 to ! 192.168.1.1 -> 66.88.144.194
nat on $if_cm from 192.168.0.0/24 to ! 192.168.0.1 -> ($if_cm)
nat on $if_dsl from 192.168.0.0/24 to ! 192.168.0.1 -> 66.88.144.194
# Using `rdr' rather than `binat' so these are individually controllable
rdr on $if_dsl inet proto tcp from any to 66.88.144.197 port http -> 192.168.0.2
#rdr on $if_dsl inet proto tcp from any to 66.88.144.194 -> 192.168.1.34
#rdr on $if_dsl inet proto tcp from any to 66.88.144.195 -> 192.168.1.35
#rdr on $if_dsl inet proto tcp from any to 66.88.144.196 -> 192.168.1.36
#rdr on $if_dsl inet proto tcp from any to 66.88.144.198 -> 192.168.1.38
rdr on $if_dsl inet proto tcp from any to 66.88.144.192/29 port smtp -> 192.168.0.2
rdr on $if_dsl inet proto tcp from any to 66.88.144.196 port ssh -> 192.168.1.36
rdr on $if_dsl inet proto tcp from any to 66.88.144.197 port ssh -> 192.168.1.37
rdr on $if_dsl inet proto udp from any to 66.88.144.194 port domain -> 192.168.0.2
rdr on $if_dsl inet proto udp from any to 66.88.144.197 port domain -> 192.168.0.2
################################################################################
# Packet Filtering
pass in on $if_int all keep state
block out log on $if_int all
pass out on $if_int inet from { 192.168.0.0/24, 192.168.1.1 } to any
antispoof for $if_int inet
pass in on $if_dmz all
pass out on $if_dmz all
antispoof for $if_dmz inet
block in on $if_cm all
block in on $if_dsl all
#pass in on $if_dsl all
#pass out on $if_dsl all
########
# From the `pf.conf' man page, with mods
# ICMP
# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass in on $if_cm inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_cm inet proto icmp all icmp-type 8 code 0 keep state
pass in on $if_dsl reply-to $dsl inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_dsl inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_int inet proto icmp all
# UDP
# pass out all UDP connections and keep state
pass out on $if_cm proto udp all keep state
pass out on $if_dsl proto udp all keep state
# pass in certain UDP connections and keep state (DNS)
pass in on $if_dsl reply-to $dsl inet proto udp from any to any port domain keep state
#pass in on $if_dsl reply-to $dsl inet proto tcp from any to any port domain synproxy state
pass out on $if_int inet proto udp from any to any port { domain, kerberos, kpasswd, kerberos-adm, kerberos-iv, kerberos_master }
# TCP
# pass out all TCP connections and modulate state
pass out on $if_cm inet proto tcp all modulate state
pass out on $if_dsl inet proto tcp all modulate state
# pass in certain TCP connections and synproxy state (SSH on the cable
# interface; SSH, SMTP, DNS, HTTP, FTP on the DSL interface)
pass in log on $if_cm inet proto tcp from any to any port { ssh } flags S/SA synproxy state
pass in log on $if_dsl reply-to $dsl inet proto tcp from any to any port { ssh, smtp, domain, http, ftp } flags S/SA synproxy state
# This is for FTP data connections (via our reverse proxy).
pass in on $if_dsl reply-to $dsl inet proto tcp from any to 66.88.144.194 port >= 49152 flags S/SA synproxy state
pass out on $if_int proto tcp from any to any port { ssh, smtp, domain, http, kerberos, kpasswd, klogin, kshell, ekshell, kerberos-adm, kerberos-iv, kerberos_master, krb_prop, krbupdate, rkinit, eklogin }
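The symptom Scott describes, a state that exists in `pfctl -vv -s state' but whose reply counters stay at 0, is something worth checking mechanically rather than by eye, because a SYN flood or a broken proxy path both show up the same way: TCP states that age without ever carrying a reply packet. The script below is an added example written for this post, not code from the original message or from the OpenBSD project. It parses a pfctl-style state listing and flags TCP states older than a threshold with zero reply packets. The sample listing embedded in it is constructed, and its layout (interface, protocol, endpoints, state pair, then an `age ... pkts ... bytes' line) only approximates what OpenBSD 3.x pfctl prints; the state names shown are placeholders, and the parser deliberately does not depend on them.

```python
import re
from dataclasses import dataclass

# Constructed sample of `pfctl -vv -s state` output (NOT captured from the
# poster's firewall). Layout approximates OpenBSD 3.x pfctl:
#   <if> <proto> <endpoints>   <src-state>:<dst-state>
#      [seq + win]  [seq + win]                      (TCP only)
#      age H:M:S, expires in H:M:S, P:P pkts, B:B bytes
# Packet/byte counters are printed as <forward>:<reply>, forward being the
# direction that created the state.
SAMPLE_STATES = """\
rl1 tcp 192.168.0.2:80 <- 66.88.144.197:80 <- 203.0.113.7:51234       PROXY:DST:CLOSED
   [0 + 65535]  [0 + 65535]
   age 00:00:42, expires in 00:00:18, 3:0 pkts, 180:0 bytes
rl1 tcp 66.88.144.194:45001 -> 198.51.100.9:80       ESTABLISHED:ESTABLISHED
   [1234567 + 65535]  [7654321 + 65535]
   age 00:01:10, expires in 23:58:50, 12:10 pkts, 1500:9000 bytes
rl1 tcp 192.168.0.2:25 <- 66.88.144.194:25 <- 198.51.100.20:40000       SYN_SENT:CLOSED
   [0 + 65535]  [0 + 65535]
   age 00:00:01, expires in 00:00:29, 1:0 pkts, 60:0 bytes
rl1 udp 192.168.0.2:53 <- 66.88.144.194:53 <- 198.51.100.5:33000       MULTIPLE:SINGLE
   age 00:00:03, expires in 00:00:57, 2:0 pkts, 120:0 bytes
"""

# Header line: starts in column 0; the state pair is the last token, separated
# from the endpoints by a run of two or more spaces. The state pair is kept as
# an opaque string so the parser does not depend on pf's exact state names.
HEADER_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<endpoints>.+?)\s{2,}(?P<states>\S+)\s*$"
)
# Counter line: indented, carries age and forward:reply packet/byte counts.
COUNTERS_RE = re.compile(
    r"^\s*age\s+(?P<age>\d+:\d+:\d+),\s+expires in\s+\S+,\s+"
    r"(?P<p_fwd>\d+):(?P<p_rev>\d+)\s+pkts,\s+(?P<b_fwd>\d+):(?P<b_rev>\d+)\s+bytes"
)


@dataclass
class PfState:
    ifname: str
    proto: str
    endpoints: str
    states: str
    age_s: int = 0
    pkts_fwd: int = 0
    pkts_rev: int = 0
    bytes_fwd: int = 0
    bytes_rev: int = 0


def _hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(text: str) -> list:
    """Parse a multi-line pfctl state listing into PfState records.

    Lines that are neither a header nor a counter line (e.g. the TCP
    sequence/window lines) are ignored.
    """
    result = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = PfState(m["ifname"], m["proto"], m["endpoints"], m["states"])
            result.append(current)
            continue
        m = COUNTERS_RE.match(line)
        if m and current is not None:
            current.age_s = _hms_to_seconds(m["age"])
            current.pkts_fwd, current.pkts_rev = int(m["p_fwd"]), int(m["p_rev"])
            current.bytes_fwd, current.bytes_rev = int(m["b_fwd"]), int(m["b_rev"])
    return result


def find_unanswered(states: list, min_age_s: int = 30, proto: str = "tcp") -> list:
    """Return states of `proto` at least min_age_s old that never saw a reply.

    A handful of these is normal (clients that gave up); many of them at once
    points at either a SYN flood or, as in this post, a path where the
    firewall accepts the connection but never forwards it.
    """
    return [s for s in states
            if s.proto == proto and s.age_s >= min_age_s and s.pkts_rev == 0]


def report(states: list, min_age_s: int = 30) -> list:
    """One human-readable line per unanswered TCP state."""
    return [f"{s.ifname} {s.endpoints} [{s.states}] age={s.age_s}s "
            f"fwd={s.pkts_fwd}pkts/{s.bytes_fwd}B reply=0"
            for s in find_unanswered(states, min_age_s)]


if __name__ == "__main__":
    # On a live box: pfctl -vv -s state | python3 this_script.py  (reads stdin)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for line in report(parse_states(text)):
        print(line)
```

Run it against the embedded sample and only the 42-second-old HTTP state is reported; the 1-second-old SMTP state is a normal in-flight handshake and the UDP state is outside the TCP filter. Lowering `min_age_s` during an incident makes the check more aggressive at the cost of false positives from connections that are simply slow.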