
Re[2]: Note: states with asymmetric routing

>>   Stateful inspection on a gateway can hamper TCP connections when
>> inbound or outbound packets go another route (i.e. when one of the
>> directions does not go through the gateway).
kpo> well, yeah. How is a firewall supposed to deduce state if it doesn't
kpo> see any replies? psychic deduction?
   You totally miss my point.
   I am not asking why PF behaves this way. I am a programmer and,
I guess, can understand it enough.
   The only thing I want to do is notify PF developers and users
that stateful inspection seems not to be applicable to cases with
asymmetric routing.
>>   The connection works fine at a low rate, but fast transfers stop
>> at each 64K (because PF suddenly stops passing packets).
>>   I guess it is not a bug, just some feature (like some
>> TCP-window-related state protection). So think about whether there
>> are reasons to correct this PF behavior.
Found something in the man page:
--------------8<--- man pf.conf ---8<-------------
This has several advantages.  Comparing a packet to a state involves
checking its sequence numbers.  If the sequence numbers are outside the
narrow windows of expected values, the packet is dropped.  This prevents
spoofing attacks, such as when an attacker sends packets with a fake
source address/port but does not know the connection's sequence numbers.
--------------8<--- man pf.conf ---8<-------------
kpo> Correct? If you can design a prescient packet filter, then more
kpo> power to you.
  In general, prescience is a hardware problem :)
  Seriously, there are a couple of things that can be done to solve
such a case without prescience. Of course, ONLY if the developers
think it is important enough.
  For example, it is possible to make PF smart enough to detect
asymmetric routing and turn off the checks that cannot be performed
on such states.
  Or add the ability to select a more "light" inspection mode for
such cases (with a postfix like "keep light-state" :).
  Anyway, I can't and do not try to decide anything for the developers.
Ilya A. Kovalenko                  (mailto:[email protected])
S.A. SpeciaEQ SW section
JSC Oganer-Service
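The sequence-number window check described in the quoted pf.conf text, and the "stops at each 64K" symptom from earlier in the thread, can be illustrated with a small model. This is an added example, not pf's code and not part of the list post: a simplified per-direction window tracker in which the 65535-byte fallback window tolerated for a never-seen peer is an assumption, and the sequence numbers, window and segment size are constructed values.

```python
FALLBACK_WINDOW = 65535  # assumed tolerance beyond the last known window edge

class Side:
    """Per-direction tracking data for one TCP connection."""
    def __init__(self):
        self.seen = False
        self.seqlo = 0  # highest sequence number already seen from this side
        self.seqhi = 0  # highest sequence number this side may send next

class TcpState:
    """Simplified sequence-window check in the spirit of the quoted pf.conf text."""
    def __init__(self):
        self.sides = {"out": Side(), "in": Side()}

    def check(self, direction, seq, length, ack, win):
        """Return True if the segment fits the tracked windows, False if it is dropped."""
        src = self.sides[direction]
        dst = self.sides["in" if direction == "out" else "out"]
        end = seq + length
        if not src.seen:  # first packet from this side initialises its window
            src.seen, src.seqlo, src.seqhi = True, seq, end + 1
        in_window = src.seqhi >= end and seq >= src.seqlo - FALLBACK_WINDOW
        # peer never seen (asymmetric route): tolerate one extra window, then drop
        fallback = not dst.seen and src.seqhi + FALLBACK_WINDOW >= end
        if not (in_window or fallback):
            return False
        src.seqlo = max(src.seqlo, end)
        if ack is not None:  # peer may send up to what we acknowledge plus our window
            dst.seqhi = max(dst.seqhi, ack + win)
        return True

def simulate_transfer(total_bytes, symmetric, segment=1460):
    """Push total_bytes through the filter; return bytes accepted before the first drop."""
    st = TcpState()
    seq, peer_seq, win = 1000, 5000, 65535  # constructed sequence numbers and window
    st.check("out", seq, 1, None, win)  # SYN
    seq += 1
    if symmetric:  # the SYN/ACK only reaches the filter when the return path crosses it
        st.check("in", peer_seq, 1, seq, win)
        peer_seq += 1
    st.check("out", seq, 0, peer_seq, win)  # final handshake ACK
    sent = 0
    while sent < total_bytes:
        n = min(segment, total_bytes - sent)
        if not st.check("out", seq, n, peer_seq, win):
            return sent  # the filter dropped this segment
        seq, sent = seq + n, sent + n
        if symmetric:  # the peer's ACK slides the sender's window forward
            st.check("in", peer_seq, 0, seq, win)
    return sent
```

With the return path visible the window keeps sliding and the whole transfer passes; with it unseen the model accepts roughly one 64K window and then drops, which is the symptom reported above.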