IPFW Problem??

02/06/2013 12:32 darkman2000#1
I'm getting a SYN attack and use ipfw on FreeBSD 9.1 64-bit.

I have a problem:
ipfw install_state too many dynamic rules

my ipfw.conf

Code:
IPF="ipfw -q add"
ipfw -q -f flush

################################################# 
# Inbound permission 127.0.0.1
################################################# 
$IPF 10 allow all from any to any via lo0 
$IPF 11 deny all from any to 127.0.0.0/8 
$IPF 12 deny all from 127.0.0.0/8 to any 
$IPF 13 deny tcp from any to any frag 

################################################# 
# Stateful conditions
################################################# 
$IPF 14 check-state 
$IPF 15 allow tcp from any to any established 
$IPF 16 allow all from any to any out keep-state 
$IPF 17 allow icmp from any to any 

################################################# 
# Ports allowed out
################################################# 
$IPF 18 allow tcp from any to any 22 setup keep-state
$IPF 19 allow tcp from any to any 13000 setup keep-state
$IPF 20 allow tcp from any to any 13001 setup keep-state
$IPF 21 allow tcp from any to any 16000 setup keep-state
$IPF 22 allow tcp from any to any 18000 setup keep-state
$IPF 23 allow tcp from any to any 21000 setup keep-state
$IPF 24 allow tcp from any to any 3306 setup keep-state
$IPF 25 allow tcp from any to any 11005 setup keep-state
$IPF 26 allow udp from any to any 22 keep-state
$IPF 27 allow udp from any to any 13000 keep-state
$IPF 28 allow udp from any to any 13001 keep-state
$IPF 29 allow udp from any to any 16000 keep-state
$IPF 30 allow udp from any to any 18000 keep-state
$IPF 31 allow udp from any to any 21000 keep-state
$IPF 32 allow udp from any to any 3306 keep-state
$IPF 33 allow udp from any to any 11005 keep-state
####################################################
# Attack packet rate limiting
####################################################
ipfw add 409 allow tcp from any to me 22 in via em0 setup limit src-addr 20
ipfw add 410 allow tcp from any to me 13000 in via em0 setup limit src-addr 10
ipfw add 411 allow tcp from any to me 13001 in via em0 setup limit src-addr 10
ipfw add 412 allow tcp from any to me 16000 in via em0 setup limit src-addr 10
ipfw add 413 allow tcp from any to me 21000 in via em0 setup limit src-addr 10
ipfw add 414 allow tcp from any to me 18000 in via em0 setup limit src-addr 10
ipfw add 415 allow tcp from any to me 11005 in via em0 setup limit src-addr 5
ipfw add 416 allow tcp from any to me 3306 in via em0 setup limit src-addr 10
ipfw add 419 allow udp from any to me 22 in via em0 setup limit src-addr 80
ipfw add 420 allow udp from any to me 13000 in via em0 setup limit src-addr 80
ipfw add 421 allow udp from any to me 13001 in via em0 setup limit src-addr 80
ipfw add 422 allow udp from any to me 16000 in via em0 setup limit src-addr 80
ipfw add 423 allow udp from any to me 21000 in via em0 setup limit src-addr 80
ipfw add 424 allow udp from any to me 18000 in via em0 setup limit src-addr 80
ipfw add 425 allow udp from any to me 11005 in via em0 setup limit src-addr 50
ipfw add 426 allow udp from any to me 3306 in via em0 setup limit src-addr 50
$IPF 34 allow all from mywebserverip to me
$IPF 36 allow all from myip to any 14000
$IPF 37 allow all from myip to any 14000
$IPF 38 deny all from any to me 14000
$IPF 39 allow all from myip to any 17000
$IPF 40 allow all from myip to any 17000
$IPF 41 deny all from any to me 17000
$IPF 42 allow all from myip to any 20000
$IPF 43 allow all from myip to any 20000
$IPF 44 deny all from any to me 20000
$IPF 45 allow all from myip to any 22000
$IPF 46 allow all from myip to any 22000
$IPF 47 deny all from any to me 22000
$IPF 48 allow all from myip to any 12000
$IPF 49 allow all from myip to any 12000
$IPF 50 deny all from any to me 12000
$IPF 51 allow all from myip to any 14001
$IPF 52 allow all from myip to any 14001
$IPF 53 deny all from any to me 14001
$IPF deny log all from any to any

my sysctl.conf:
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_ack_lifetime=60
02/06/2013 13:44 Mashkin#2
You should implode all your rules into fewer ones, just as a tip.

Example:
Code:
ipfw add 410 allow tcp from any to me 13000 in via em0 setup limit src-addr 10
ipfw add 411 allow tcp from any to me 13001 in via em0 setup limit src-addr 10
ipfw add 412 allow tcp from any to me 16000 in via em0 setup limit src-addr 10
ipfw add 413 allow tcp from any to me 21000 in via em0 setup limit src-addr 10
ipfw add 414 allow tcp from any to me 18000 in via em0 setup limit src-addr 10

to

ipfw add 410 allow tcp from any to me 13000, 13001, 16000, 21000, 18000 in via em0 setup limit src-addr 10
Next thing: As far as I know, the setup keyword doesn't work with UDP, because UDP has no setup process (handshake) like TCP has.

For your SYN-issue, you should rather try SYN cookies. They have been invented for exactly the purpose of blocking SYN floods and should work better than a firewall.

The linked page gives information about SYN cookies.
A simple sysctl enables them: "net.inet.tcp.syncookies=1".

As for your state overflow, there are probably more than 65536 sessions created by SYN packets. SYN packets are pretty small and can stack up easily.
You could decrease the IPFW dynamic rule lifetime, but that could affect your services by kicking out valid users who are idle or have a lag.
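The two suggestions above (collapse the per-port rules into one rule per protocol, and watch the dynamic-rule table rather than just raising dyn_max) as a small POSIX shell helper. This is an added example, not code from the thread or from FreeBSD; the interface name em0, the port lists and the 80% warning threshold are assumptions, and the table reading 60000 / 65536 in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): helpers for the advice above.
# limit_rule builds one consolidated ipfw rule for a list of ports and
# leaves out "setup" for UDP, which has no handshake for it to match.
# dyn_usage reports how full the ipfw dynamic-rule table is, so the
# "install_state too many dynamic rules" error can be seen coming.
# Assumptions: interface em0, 80% warning threshold, constructed demo numbers.

# Usage: limit_rule RULENUM PROTO "PORT PORT ..." LIMIT
# Prints the ipfw command line; it does not run it.
limit_rule() {
    num=$1; proto=$2; ports=$3; lim=$4
    portlist=""
    for p in $ports; do                  # join ports with commas: 13000,13001,...
        portlist="${portlist:+$portlist,}$p"
    done
    setup=""
    if [ "$proto" = "tcp" ]; then        # "setup" only matches TCP SYN packets
        setup=" setup"
    fi
    printf 'ipfw add %s allow %s from any to me %s in via em0%s limit src-addr %s\n' \
        "$num" "$proto" "$portlist" "$setup" "$lim"
}

# Usage: dyn_usage [COUNT MAX]
# On FreeBSD, reads net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max via
# sysctl; for offline use the two numbers can be passed as arguments.
# Returns 1 when the table is at or above 80% of dyn_max (assumed threshold),
# 2 when the sysctls are not available.
dyn_usage() {
    count=${1:-$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)}
    max=${2:-$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null)}
    if [ -z "$count" ] || [ -z "$max" ]; then
        echo "ipfw dynamic-rule sysctls not available" >&2
        return 2
    fi
    pct=$(( count * 100 / max ))
    echo "dynamic rules: $count / $max (${pct}%)"
    [ "$pct" -lt 80 ]
}

# Demo: the five TCP rules from the thread collapsed into one, a UDP rule
# without "setup", and a constructed table reading of 60000 / 65536.
limit_rule 410 tcp "13000 13001 16000 21000 18000" 10
limit_rule 420 udp "22 13000 13001" 80
if dyn_usage 60000 65536; then
    echo "dynamic table has headroom"
else
    echo "dynamic table near dyn_max: shorten the dyn_*_lifetime sysctls or raise dyn_max"
fi
```

Run it on the FreeBSD host as `sh ipfw_helper.sh`; `dyn_usage` with no arguments reads the live sysctls there. A cron job that calls `dyn_usage` and logs a warning on a non-zero exit status gives an early signal of a SYN flood filling the table, which is more useful than waiting for the kernel's install_state error.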
02/06/2013 14:20 darkman2000#3
Quote: Originally Posted by Mashkin (see #2)
I used these things; I don't get the error for 5 minutes, but after that I get the error.

My problem is not fixed. Help me.