DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th May 2008
bram85 bram85 is offline
Real Name: Bram Schoenmakers
New User
 
Join Date: May 2008
Location: Eindhoven
Posts: 8
Default IPF: Packets Out Of Window

I'm having problems with receiving some mails on a QMail box. To be more specific, only mails with rather larger attachments (+500K). This appears to be a firewall issue, because when the firewall (IPF) is off, the message is received.

I kept track of the blocked packages and saw the following packet being blocked during such SMTP transfer:

Code:
09/05/2008 12:54:23.973302 xl1 @0:28 b 111.111.11.11,58211 -> 222.222.22.22,25 PR tcp len 20 1500 -AP IN OOW
A packet gets Out Of Window and thus is blocked.

I read that this is a IPF issue, which might be fixed in a later versions (running IPF 4.1.8 (416) now). freebsd-update didn't offer IPF updates and I'm not feeling like I'm going to upgrade that server to a newer FreeBSD (running 6.0 now).

What do you suggest, is there a fix without doing updates?
Reply With Quote
  #2   (View Single Post)  
Old 16th May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

See http://undeadly.org/cgi?action=artic...20060928081238 section Create TCP states on the initial SYN packet.

Although for pf, this section explains why it is important to keep state on the first packet of the three-way TCP handshake. Doing this prevents problems with TCP window scaling.

IIRC FreeBSD has a sysctl to disable this window scaling as defined in RFC 1323.On OpenBSD (don't have access to a FBSD box) it is called
Code:
net.inet.tcp.rfc1323=1
You first could try to disable this.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 23rd May 2008
bram85 bram85 is offline
Real Name: Bram Schoenmakers
New User
 
Join Date: May 2008
Location: Eindhoven
Posts: 8
Default

Quote:
Originally Posted by J65nko View Post
IIRC FreeBSD has a sysctl to disable this window scaling as defined in RFC 1323.On OpenBSD (don't have access to a FBSD box) it is called
Code:
net.inet.tcp.rfc1323=1
You first could try to disable this.
Thanks, that seems to solve the problems of packets getting out of window.
Reply With Quote
  #4   (View Single Post)  
Old 23rd May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

If disabling rfc1323 solves it then your next step would be to revise your ipf ruleset and only create state on the initial TCP packet by using
Code:
flags S/SA
After doing that you should be able to enable TCP windows scaling as defined in RFC 1323
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 30th May 2008
bram85 bram85 is offline
Real Name: Bram Schoenmakers
New User
 
Join Date: May 2008
Location: Eindhoven
Posts: 8
Default

I re-enabled the rfc1323 option again and adapted ipf.rules such that I had:

Code:
pass in quick on xl1 proto tcp from any to any port = 25 flags S/SA keep state
but then packets got blocked by the firewall with the OOW addition (see my original post to see what i mean).
Reply With Quote
  #6   (View Single Post)  
Old 30th May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

I never used ipf, and I don't know whether ipf actually is capable of dealing with TCP windows scaling. I only know for sure that pf knows how to deal with this
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 30th May 2008
richardpl richardpl is offline
Spam Deminer
 
Join Date: May 2008
Location: Croatia
Posts: 284
Default

Quote:
Originally Posted by bram85 View Post
I'm having problems with receiving some mails on a QMail box. To be more specific, only mails with rather larger attachments (+500K).
Are you sure that this happen with all +500K mails whatever they come from?
I asking because I have read, on openbsd-misc, about similar problem with pf and Microsoft servers ....
Reply With Quote
  #8   (View Single Post)  
Old 1st June 2008
bram85 bram85 is offline
Real Name: Bram Schoenmakers
New User
 
Join Date: May 2008
Location: Eindhoven
Posts: 8
Default

Quote:
Originally Posted by richardpl View Post
Are you sure that this happen with all +500K mails whatever they come from?
It doesn't happen with all mails with larger attachments. It seems to depend on the server its communicating with.
Reply With Quote
  #9   (View Single Post)  
Old 2nd June 2008
richardpl richardpl is offline
Spam Deminer
 
Join Date: May 2008
Location: Croatia
Posts: 284
Default

Than it is obviously server issue and not yours. (There are to much crap out there ...)
Reply With Quote
Old 2nd June 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

If the problem can be solved by disabling TCP windows scaling as OP mentioned in http://daemonforums.org/showpost.php?p=3420&postcount=3 the problem is either caused by ipf or an intermediate router/firewall not understand this scaling mechanism.

Microsoft Vista has this scaling mechanism enabled by default. That is why many people experience these kind of problems only after the launch of Vista.

For some details about TCP window scaling, see http://en.wikipedia.org/wiki/TCP_window_scale_option
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Tags
ipf, oow, tcp window scaling

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD, vpnc and packets forwarding problems Tritone OpenBSD General 3 2nd July 2009 09:59 PM
window manager troubles techmarks FreeBSD General 3 29th September 2008 10:19 PM
Redirecting ESP packets ales OpenBSD Security 2 15th June 2008 09:13 PM
Windomaker and NeXT-like window managers harisman FreeBSD Ports and Packages 3 9th June 2008 01:22 AM
pfsense wireless AP - lost packets AndreyS FreeBSD General 0 7th June 2008 05:38 PM


All times are GMT. The time now is 09:15 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick