Cameron Simpson
2013-04-05 04:21:01 UTC
TL;DR: I have a filtering situation that I imagine is a bit unusual
which I wish to use to work around a problem with an ISP; to do it
I need to filter some packets _before_ they're matched by the PF
states.
First the background, then what I want to do to work around the issue.
Background:
I've got an OpenBSD 5.1 Soekris box as my local firewall/NAT box.
We have an ISP connection that receives sporadic and spurious RST
packets for outbound connections. Some connections work, and some
are aborted with an RST very soon after opening.
Our ISP say that they have no stateful stuff and the only real filtering
they do is packet dropping in some circumstances (I was imagining
a stateful firewall running out of state memory somewhere).
Now I have a new hypothesis; I have yet to prove it: the ISP's
backhaul has redundant links with stateful firewalls on them, and
they do not synchronise fast enough.
Under this hypothesis, our outbound SYN goes out and establishes a
connection and some state in a firewall on an outbound link
somewhere. Further packets on that connection go out and are sent
down another link whose firewall does not yet know about the new connection,
eliciting an RST from that firewall.
This would explain why this seems to happen at the start of a
connection, but successful connections can stay up for a very long
time.
The hack:
Barring getting the ISP or their backhaul to trace this (and maybe
dispatch packets to the links based on hash instead of maybe round
robin), I was proposing to drop inbound RST packets altogether at
my local firewall.
This has obvious downsides, but should generally produce happiness
in local applications because the spurious RST packets won't abort
connections and TCP will recover as soon as the other (hypothetical)
firewalls learn the state.
To do this I need to filter inbound packets before PF's "known
states first" stuff matches the RST and passes it back in.
Because we use NAT on outbound connections I must establish state,
so I was proposing something looking like this:
ISP -> satellite-modem -> FW
Inside my local firewall:
interface-with-stateless-PF-filtering
drop inbound RST packets here
vlan (or something) with stateful rules
PF rules doing NAT etc
but I don't know how to set this up.
I was figuring the stateless rules would look a bit like this:
drop quick on $if_sat flags R/R no state
pass in on $if_sat binat to 1.2.3.4
Ignore the bad syntax on that second rule. Then internally I'd have
some kind of virtual interface with 1.2.3.4 on it running conventional
NAT rules; those currently running on my $if_sat would be moved to here.
Can someone point me in a direction to set something like this up please?
Or to suggest a better approach to prefiltering packets?
Personally I'd prefer to have a mode for PF where it ran all packets
through the rules regardless of state for some pre-filtering and
then let me put in a rule like:
pass in quick on $if_nat matching states
after the prefiltering, to do PF's usual match-states-first at that
point, with the conventional rules following.
Suggestions welcomed!
Cheers,
--
Cameron Simpson <***@zip.com.au>
Japanese phrase for the day: ikajanai ``(lit.) I am not a squid''
Made-up Japanese word for the day: ika-dou ``The way of the squid''.
- Jeffrey Eric Francis Friedl, ***@omron.co.jp, DoD##4
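An added diagnostic, not part of Cameron's post and not OpenBSD or PF code: before dropping inbound RSTs wholesale, the hypothesis above predicts a specific signature, namely a reset that arrives a short time after the outbound SYN and before the far end has sent any data. The script below parses a constructed capture in `tcpdump -tt -n` style from the satellite-facing interface and reports, per outbound TCP flow, the SYN-to-RST interval and the byte counts in each direction, flagging flows that match that signature. The inside prefix `10.0.0.`, the 5 second window, the addresses and every sample line are assumptions made for the example.

```python
import re

# Constructed sample in the style of `tcpdump -tt -n -i <if_sat> tcp` (not a
# real capture). Inside host 10.0.0.5 opens three connections; flows 1 and 3
# are reset by the far end about a second after the SYN, before any server
# payload; flow 2 transfers data and is closed normally with a FIN.
SAMPLE_CAPTURE = """\
1365136861.100000 IP 10.0.0.5.51234 > 198.51.100.10.80: Flags [S], seq 1000, win 16384, length 0
1365136861.700000 IP 198.51.100.10.80 > 10.0.0.5.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
1365136861.700500 IP 10.0.0.5.51234 > 198.51.100.10.80: Flags [.], ack 1, win 16384, length 0
1365136861.701000 IP 10.0.0.5.51234 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 16384, length 119
1365136862.300000 IP 198.51.100.10.80 > 10.0.0.5.51234: Flags [R], seq 5001, win 0, length 0
1365136863.000000 IP 10.0.0.5.51235 > 198.51.100.20.443: Flags [S], seq 2000, win 16384, length 0
1365136863.600000 IP 198.51.100.20.443 > 10.0.0.5.51235: Flags [S.], seq 6000, ack 2001, win 65535, length 0
1365136863.600500 IP 10.0.0.5.51235 > 198.51.100.20.443: Flags [.], ack 1, win 16384, length 0
1365136863.601000 IP 10.0.0.5.51235 > 198.51.100.20.443: Flags [P.], seq 1:300, ack 1, win 16384, length 299
1365136864.200000 IP 198.51.100.20.443 > 10.0.0.5.51235: Flags [P.], seq 1:1400, ack 300, win 65535, length 1399
1365136890.000000 IP 198.51.100.20.443 > 10.0.0.5.51235: Flags [F.], seq 1400, ack 300, win 65535, length 0
1365136895.000000 IP 10.0.0.5.51236 > 198.51.100.30.22: Flags [S], seq 3000, win 16384, length 0
1365136895.600000 IP 198.51.100.30.22 > 10.0.0.5.51236: Flags [S.], seq 7000, ack 3001, win 65535, length 0
1365136895.600500 IP 10.0.0.5.51236 > 198.51.100.30.22: Flags [.], ack 1, win 16384, length 0
1365136895.601000 IP 10.0.0.5.51236 > 198.51.100.30.22: Flags [P.], seq 1:40, ack 1, win 16384, length 39
1365136896.250000 IP 198.51.100.30.22 > 10.0.0.5.51236: Flags [R], seq 7001, win 0, length 0
"""

# One tcpdump line: epoch timestamp, src ip.port, dst ip.port, flag letters, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)


def _flow_key(m, inside_prefix):
    """Normalise a packet to (client, cport, server, sport) and say whether it was outbound."""
    outbound = m["sip"].startswith(inside_prefix)
    if outbound:
        return (m["sip"], m["sport"], m["dip"], m["dport"]), True
    return (m["dip"], m["dport"], m["sip"], m["sport"]), False


def analyze_capture(text, inside_prefix="10.0.0.", early_window=5.0):
    """Per outbound flow: SYN-to-RST interval, bytes each way, and an early-RST verdict.

    A flow is flagged when the far end sends an RST within early_window seconds
    of our SYN and has sent no payload at all, which is what an out-of-sync
    stateful box on a second path would produce.
    """
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, outbound = _flow_key(m, inside_prefix)
        f = flows.setdefault(key, {"syn_at": None, "rst_at": None,
                                   "server_bytes": 0, "client_bytes": 0})
        ts, flags, length = float(m["ts"]), m["flags"], int(m["len"])
        if outbound and flags == "S" and f["syn_at"] is None:
            f["syn_at"] = ts                      # pure SYN from inside: flow start
        f["client_bytes" if outbound else "server_bytes"] += length
        if not outbound and "R" in flags and f["rst_at"] is None:
            f["rst_at"] = ts                      # first reset seen from the far end

    report = []
    for (client, cport, server, sport), f in flows.items():
        if f["syn_at"] is None:
            continue                              # flow start not in the capture
        syn_to_rst = None if f["rst_at"] is None else round(f["rst_at"] - f["syn_at"], 3)
        report.append({
            "client": f"{client}:{cport}",
            "server": f"{server}:{sport}",
            "syn_to_rst": syn_to_rst,
            "server_bytes": f["server_bytes"],
            "client_bytes": f["client_bytes"],
            "early_rst": (syn_to_rst is not None and syn_to_rst <= early_window
                          and f["server_bytes"] == 0),
        })
    return sorted(report, key=lambda e: e["client"])


def early_rst_flows(text, **kw):
    """Only the flows that match the early-reset signature."""
    return [e for e in analyze_capture(text, **kw) if e["early_rst"]]


if __name__ == "__main__":
    for e in analyze_capture(SAMPLE_CAPTURE):
        tag = "EARLY RST" if e["early_rst"] else "ok"
        print(f'{e["client"]:>18} -> {e["server"]:<18} syn->rst={e["syn_to_rst"]}'
              f'  server_bytes={e["server_bytes"]}  {tag}')
```

Feed it the output of `tcpdump -tt -n -i <if_sat> tcp` collected over a busy period. Resets arriving within a second or so of the SYN with zero bytes from the server are consistent with the hypothesis in the post; resets that follow server data point at something else and would not be cured by a prefilter. One caveat on the rule sketched in the post: PF consults the state table before evaluating the ruleset, so a `block ... no state` rule on the same interface is never reached for a packet that already matches a state, which is exactly why the prefilter has to sit at a point where no state for that connection exists.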