IP Filter FAQ

Previous | TOC | Next

IV. COMMON PROBLEMS WITH IP FILTER (NON-OS SPECIFIC)

  1. I have file transfer (FTP or HTTP) and if download speed is more then 100 KB/sec, connection breaks.
  2. I have to keep clearing the state table or IPF dies, why?
  3. The default ipfboot script flushes the state table. Is this necessary every time you change some rule or just when that rule has a 'keep state' in it and there are existing state table entries that would be affected?
  4. Sending mail is horribly slow!
  5. I can't connect to IRC.
  6. When I try to load the LKM (if_ipl.o), I get "fr_checkp" (or other) unresolved symbols. (FreBSD, OpenBSD, SunOS)
  7. When I do a make, it complains about -I(TOP).
  8. I'm using rdr for a webserver behind IPF and the world can see it just fine, but the internal machines can't surf to it via the external IP address.
  9. Long ftp transfers and some other long single-connection sessions fail.
  10. I've set up to use the ftp-proxy in my ipnat.conf file, and it works fine from NAT'ed machines, but I can't ftp from the firewall machine unless I put a rule in ipf.conf to pass port 20/tcp in from remote machines. How do I get the ftp proxy to work from the firewall machine too?
  11. I'm using NAT and I can't ping the same machine on the internet from two different machines on my LAN at the same time.
  12. Keep state stops working - it won't make new states.
  13. I'm using log body in my rules but the body of the packet isn't getting logged.
  14. I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.
  15. I can't seem to use round-robin load balancing with more than two hosts!
  16. I'm having problems with ipnat (e.g. can't get proxies to work with bimap, or some other problem).
  17. I'm using interface/32, 0/0 or 0/32, and it doesn't work!
  18. I stop/unload IPF, but it magically reloads itself!
  19. I'm having problems connecting to Cisco VPNs through IPF NAT.
  20. I'm trying to remove entries from a pool and getting errors

  1. I have file transfer (FTP or HTTP) and if download speed is more then 100 KB/sec, connection breaks.
    Try adding flags S to each one of your TCP rules that has keep state in it.

    What might be happening is you're getting state entries for more than just the first packet of each connection and your state table is filling up. Previous versions of IPF did this when a packet arrived slightly out of window - it would not associate it with the state entry. The solution was to only add a state table entry for those packets with a SYN flag.

    This should no longer be required. However, many users will tell you it is a good security practice to use flags S with TCP rules anyway.
  2. I have to keep clearing the state table or IPF dies, why?
    See above.
  3. The default ipfboot script flushes all rules. Is this necessary every time you change some rule?
    This is done because depending on your ruleset, a new rule added may not be affective based on old rules, and also because the script reads in the entire ruleset anyway, so it will prevent duplicates. The script uses ipf -Fa which flushes rules but not state table entries. To flush state table entires use ipf -FS.
  4. Sending mail is horribly slow!
    You're probable blocking stuff to your ident port, 113. Change that rule so that you send a TCP reset:
    block return-rst in quick on ppp0 proto tcp from any to any port = 113
    Solaris users, see VII-1
  5. I can't connect to IRC.
    See above.
  6. When I try to load the LKM (if_ipl.o), I get "fr_checkp" (or other) unresolved symbols. (FreBSD, OpenBSD, SunOS)
    Make sure you have a kernel that has been correctly patched using the patches supplied with IP Filter, has "IPFILTER" in the config file and is the current kernel you are using.

    For FreeBSD/NetBSD, you will need to load if_ipl.o in an rc script (when securelevel is 0) or make sure that securelevel is -1 at runtime.
  7. When I do a make, it complains about -I(TOP).
    You're using the GNU version of make. Use the standard version of make that comes with your operating system.
  8. I'm using rdr for a webserver behind IPF and the world can see it just fine, but the internal machines can't surf to it via the external IP address.
    For the purposes of explaining this, lets take the following example:
    (internet)--->(if0[OS]if1)----|----(httpd on 192.168.0.2)
                                         |
                                         |----(browser on 192.168.0.3)
    
    if0 is some.isp.ip.addr
    if1 is 192.168.0.1

    I have a rdr on the external interface, written as:
    rdr if0 0.0.0.0/0 port 80 -> 192.168.0.2 port 80

    Now, IPFilter's rdr function does not natively support "bouncing" the connection (i.e. a packet coming in and leaving the same interface). The redirection happens only to packets coming in on the external interface. If you want to surf to 192.168.0.2 from the browser on 192.168.0.3, you can either do so directly via http://192.168.0.2/ (or by a CNAME in your DNS), or by using a "bounce" utility on the firewall to reflect inbound packets on if1 towards 192.168.0.2. By nature neither the OS nor ipf will do this for you. If you search the ipf archives you will find some bounce utilities. The golden RDR rule: rdr works *only* when the packet traverses the firewall (i.e. in one interface and out on another interface).
  9. Long ftp transfers and some other long single-connection sessions fail.
    You probably have an ipf.conf rule that looks something like:
    block return-rst in on ext-interface proto tcp all
    A rule like this will send an RST in response to an out-of-sequence ACK from the other end of a long ftp transfer, breaking the connection. Try replacing your rule with:
    block in on ext-interface proto tcp all
    block return-rst in on ext-interface proto tcp all flags S
    which will send RST only to SYN packets.
  10. I've set up to use the ftp-proxy in my ipnat.conf file, and it works fine from NAT'ed machines, but I can't ftp from the firewall machine unless I put a rule in ipf.conf to pass port 20/tcp in from remote machines. How do I get the ftp proxy to work from the firewall machine too?
    Add a second ftp proxy rule to your ipnat.conf:
    map ext-interface firewall-ip/32 -> firewall-ip/32 proxy port ftp ftp/tcp
  11. I'm using NAT and I can't ping the same machine on the internet from two different machines on my LAN at the same time.
    It isn't possible to map ports on ICMP packets. Hence, once a state table entry is set up to a particular target, only one machine can ping that target until the state table entry expires.

    For TCP and UDP, portmapping allows simultaneous connections to external targets from multiple machines in the LAN.

    There will supposedly be a workaround for this in the 4.x series.
  12. Keep state stops working - it won't make new states.
    There may be many reasons for this including that mentioned in question 1 of this section. However, there are other possibilities such as you have a very busy firewall and you're filling the state table. For this you have a few options: you can enlarge the state table, tweak some IPF values, or both. See the III-25 for details on enlarging the state table. Here are some values to tweak though.
    ipf.fr_tcpidletimeout=7200
    ipf.fr_tcpclosewait=120
    ipf.fr_tcplastack=120
    ipf.fr_tcptimeout=240
    ipf.fr_tcpclosed=60
    ipf.fr_tcphalfclosed=300
    ipf.fr_udptimeout=90
    ipf.fr_icmptimeout=35

    These values will be in very different places depending on your OS, such as /etc/rc.sysctl, /etc/sysctl.conf, or /etc/system.
  13. I'm using log body in my rules but the body of the packet isn't getting logged.
    You need to use the -b command line option to ipmon.
  14. I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.
    The IPF How-To gives a good explanation of this. The client will try to connect to the server's internal IP address because that's the way passive FTP works: the server tells the client its IP address in the payload and the client connects to it.

    The solution is to explicitly tell your FTP server what to report as its IP address, and give it a range of ports to give out as well. You will then need to redirect traffic from those ports on your IPF box to the FTP server. Each FTP server is different, and you'll need to read the manual for your specific software, but to give an example, you can specificy this information in WU-FTPd's configuration file as follows: passive ports 0.0.0.0/0 32768 49151
    passive address your.pub.IP.addr 0.0.0.0/0

    At the time of writing, it's been reported that Microsoft IIS's FTP server is not capable of being configured this way. However, most Unix FTP servers should have an option for this somewhere.
  15. I can't seem to use round-robin load balancing with more than two hosts!
    If you use a rule like:
    rdr x.x.x.x port 80 -> y.y.y.1,y.y.y.2,y.y.y.3 port 80 tcp round-robin

    You will get an error like missing fields - 2nd port (,). This is because you can't put more than two hosts on a single round-robin line. You need to reformat it like this:
    rdr x.x.x.x port 80 -> y.y.y.1,y.y.y.2 port 80 tcp round-robin
    rdr x.x.x.x port 80 -> y.y.y.3 port 80 tcp round-robin

    or better yet like:
    rdr x.x.x.x port 80 -> y.y.y.1 port 80 tcp round-robin
    rdr x.x.x.x port 80 -> y.y.y.2 port 80 tcp round-robin
    rdr x.x.x.x port 80 -> y.y.y.3 port 80 tcp round-robin

    The two examples above act exactly the same, but notice that the second example is much easier to manage. If one of your servers goes down, it's very easy to take it out of the loop quickly with the second example. In the first example, if y.y.y.1 or y.y.y.2 goes down, and you take that line out, you loose two hosts.
  16. I'm having problems with ipnat (e.g. can't get proxies to work with bimap, or some other problem).
    When troubleshooting problems with ipnat remember that rules are process by network size. So a /32 rule will always be applied before a /24 rule, etc. Therefore a ruleset like:
    map ext-interface x.x.x.x/24 -> y.y.y.y/32 proxy port ftp ftp/tcp
    bimap ext-interface x.x.x.a/32 -> y.y.y.y/32
    bimap ext-interface x.x.x.b/32 -> y.y.y.y/32

    The proxy rule will never get matched. Therefore, if you need your bimap rules to be /32, then your proxy rule will need to be /32 to as well. Albeit a pain, the following is the only way to fix the problem:
    map ext-interface x.x.x.a/32 -> y.y.y.y/32 proxy port ftp ftp/tcp
    map ext-interface x.x.x.b/32 -> y.y.y.y/32 proxy port ftp ftp/tcp
    ...
    bimap ext-interface x.x.x.a/32 -> y.y.y.y/32
    bimap ext-interface x.x.x.b/32 -> y.y.y.y/32

    This way the proxy rules will match instead of getting skipped over.
  17. I'm using interface/32, 0/0 or 0/32, and it doesn't work!
    These special aliases do not work in IPF rules, or in IPNat rdr rules. They only work in IPNat's map and bimap rules.
  18. I stop/unload IPF, but it magically reloads itself!
    Chances are you are using IPF as a loadable kernel module. If not, then you want:
    ipf -D

    Which will disable the filter. However, if you are using a loadable kernel module, that option is not available to you. You can unload the module, but it will get reloaded the next time the device associated with IPF is accessed. So your best bet is to switch to an empty rulset:
    ipf -s

    That assumes your other ruleset actually is empty. Alternatively, you could unload the modules, and then mv the modules out of the way. This is a bit ugly, but it will work as a temporary way of keeping IPF out of the way for testing.
  19. I'm having problems connecting to Cisco VPNs through IPF NAT.
    The Cisco VPN Concentrators are often configured to expect a source port of 500 in addition to the destination port of 500. Since NAT, by default, changes the source port, this breaks. Add a line like so:
    map le0 from x.x.x.x/24 port=500 to ip.of.vpn/32 -> a.b.c.d/32

    to your ipnat.conf.
  20. I'm trying to remove entries from a pool and getting errors.
    If you try to remove an entry from an ippool and get remove_pool:SIOCLOOKUPDELNODE: No such file or directory, you're running an older version of IP Filter 4. This bug is fixed in recent versions.

    At the time of writing, this bug was in the IP Filter included with Solaris 10. If y ou are using this version your options are upgrade to the open-source version of IP Filter, or file a bug with Sun.
Previous | TOC | Next