IPFilter 4.1.23

In the never-ending quest for perfection and chasing platform changes, this latest update fixes some bugs that are new and some that are old.

I've also added this extra line to "ipfstat -s" output:

        82% hash efficiency

The routing header problem is perhaps the most serious from a security perspective - if you weren't (or aren't) blocking these packets explicitly, e.g.

        block in quick with v6hdrs routing

then the presence of the routing header would cause ipf to not find the next (TCP/UDP) header in the correct place. A regression test (ipv6.5) has been added to check the handling of IPv6 routing header packets.

Darren
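
To make the routing header problem concrete, here is an added example (not IPFilter's code and not from the original post) of walking an IPv6 extension-header chain so that the TCP/UDP header is located after a routing header, with the bounds and fragment checks such a walk needs. The names find_upper_layer and build_sample and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_DSTOPTS = 60 };   /* IANA protocol numbers */

/* Return the offset of the upper-layer header and store its protocol in
 * *proto, or return -1 if the extension-header chain is malformed. */
int find_upper_layer(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    size_t off = 40, hlen;                /* fixed IPv6 header is 40 bytes */
    uint8_t nh;
    int hdrs = 0;

    if (len < off || (pkt[0] >> 4) != 6)
        return -1;
    nh = pkt[6];                          /* Next Header field */
    while (nh == NH_HOPOPTS || nh == NH_ROUTING ||
           nh == NH_FRAGMENT || nh == NH_DSTOPTS) {
        if (++hdrs > 8 || len - off < 8)  /* cap chain; headers are >= 8 bytes */
            return -1;
        /* Fragment header is always 8 bytes; the others give their length
         * in 8-byte units, not counting the first 8 bytes. */
        hlen = (nh == NH_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off)             /* header runs past the packet */
            return -1;
        if (nh == NH_FRAGMENT && (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8))
            return -1;                    /* non-first fragment: no L4 header */
        nh = pkt[off];                    /* type of the header that follows */
        off += hlen;
    }
    if ((nh == NH_TCP || nh == NH_UDP) && len - off < 4)
        return -1;                        /* ports are not in the packet */
    *proto = nh;
    return (int)off;
}

/* Constructed sample: IPv6 header + 24-byte routing header + TCP header. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 84);
    buf[0] = 0x60;                        /* version 6 */
    buf[6] = NH_ROUTING;                  /* first header after IPv6 */
    buf[40] = NH_TCP;                     /* routing header: Next Header */
    buf[41] = 2;                          /* Hdr Ext Len: (2 + 1) * 8 = 24 */
    return 84;
}
```

A filter that assumed the transport header starts at offset 40 would read the routing header's bytes as ports in this sample; the walk places it at offset 64.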


4.1.23 - Released 31 May 2007

  • NAT was not always correctly fixing ICMP headers for errors
  • some TCP state steps when closing do not update timeouts, leading to them being removed prematurely.
  • fix compilation problems for NetBSD 4.99
  • protect enumeration of lists in the kernel from callout interrupts on BSD without locking
  • fix various problems with IPv6 header checks: TCP/UDP checksum validation was not being done, fragmentation header parsed dangerously and routing header prevented others from being seen
  • fix gcc 4.2 compiler warnings
  • fix TCP/UDP checksum calculation for IPv6
  • fix reference after freeing ipftoken memory

4.1.22 - Released 13 May 2007

  • fix endless loop when flushing state/NAT by idle time

4.1.21 - Released 12 May 2007

  • show the number of states created against a rule with "-v" for ipfstat
  • fix build problems with FreeBSD
  • make it possible to flush the state table by idle time and TCP state
  • fix flushing out idle connections when state/NAT tables fill
  • print out the TCP state population with ipfstat/ipnat
  • stop creation of state table orphans via return-*/fastroute
  • fix printing out of rule groups - they now only appear once

4.1.20 - Released 30 April 2007

  • adjust TCP state numbers, making 11 closed (was 0) to better facilitate detecting closing connections that we can wipe out when a SYN arrives that matches the old
  • make it compile on Solaris 10 Update 3
  • structures used for ipf command ioctls weren't being freed in timeout fashion on Solaris
  • use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
  • adjust TCP timeout values and introduce a time-wait specific timeout to get a better TCP FSM emulation and one that can hopefully do a better job of cleaning up in a speedy fashion than previous
  • refactor the automatic flushing of TCP state entries when we fill up, but use the same algorithm as before but now it hopefully works
  • only 2 out of 4 interface names were being changed by ipfs when interface renaming was being used for state entries
  • add ipf_proxy_debug to ipf -T
  • matching of last fragments that had a number of bytes that wasn't a multiple of 8 failed
  • some combinations of TCP flags that are considered bad aren't picked up as such, but these may be possible with T/TCP

4.1.19 - Released 22 February 2007

  • Fix up compilation problems with NetBSD and Solaris.

4.1.18 - Released 18 February 2007

  • fix compiling on Tru64
  • fix listing out filter rules with ipfstat (delete token at end of the list and detect zero rule being returned.)
  • fix extended flushing of NAT tables (was clearing out state tables)
  • fix null-pointer deref in hash table lookup
  • fix NAT and stateful filtering with to/reply-to on destination interface

4.1.17 - Released 20 January 2007

  • make flushing pools that are still in use mark them for deletion and have attempting to recreate them clear the delete flag
  • walking through the NAT tables with ioctls caused lock recursion
  • fix tracking TCP window scaling in the state code

4.1.16 - Released 20 December 2006

  • allow rdr rules to only differ on the new port number
  • when creating state entry orphans, leave them on the linked list but not attached to the hash table and mark them visible as orphans in "ipfstat -sl"
  • log state removed when unloading differently to allow visible cues
  • return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
  • abort logging a packet if the mbuf pointer is null when ipflog is called
  • Some NetBSD's have a selinfo.h instead of select.h
  • SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
  • listing accounting rules using ioctl interface wasn't possible
  • fix leakage of state entries due to packets not matching up with NAT
  • improve ICMP error packet matching with state/NAT
  • fix problems with parsing and printing "-" as an interface name in ipnat.conf

4.1.15 - Released 03 November 2006

    Comments:

    When will this get into solaris? This bug:

    some TCP state steps when closing do not update timeouts, leading to them being removed prematurely.

    Looks like it could be bug 6563892 which would be excellent to have fixed.

    Posted by Chris Gerhard on June 10, 2007 at 07:49 PM PDT #

    I'm using ipf 4.1.10 on Solaris 9, and have a problem that the same connection (with 2 same IPs and 2 same port numbers) can not be established for the second time, right after the first connection is closed. Here's the ipf rules:

        # Rule to block ICMP type 17 messages (Address mask requests)
        block in log quick proto icmp icmp-type maskreq
        # Rule to block any TCP packet for which the SYN flag is not alone
        # or that doesn't have a state
        pass in log quick proto tcp flags S keep state keep frags
        pass out log quick proto tcp flags S keep state keep frags
        block return-rst in log quick proto tcp
        block return-rst out log quick proto tcp

    Here's the ipf log (IPs are changed for privacy):

        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:46.969448 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 64 -S K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:46.970418 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 64 -AS K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:46.970546 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 52 -A K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.031519 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 80 -AP K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.032836 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.033330 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 276 -AP K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.044669 6x uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 76 -AP K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.045278 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.045372 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 52 -A K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.045436 5x uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.045713 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 76 -AP K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.046381 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.054489 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 88 -AP K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.055031 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.055320 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 76 -AP K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.055679 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 40 -R K-S K-F OUT
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.055875 uplink0 @0:1 p 192.168.20.42,2424 -> 192.168.10.17,2428 PR tcp len 20 52 -A K-S K-F IN
        Jul 25 16:41:47 aps17 ipmon[249]: 16:41:47.055951 uplink0 @0:1 p 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 40 -R K-S K-F OUT
        Jul 25 16:41:52 aps17 ipmon[249]: 16:41:52.191109 uplink0 @0:2 b 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 64 -S OUT OOW
        Jul 25 16:41:56 aps17 ipmon[249]: 16:41:55.560387 uplink0 @0:2 b 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 64 -S OUT OOW
        Jul 25 16:42:02 aps17 ipmon[249]: 16:42:02.310369 uplink0 @0:2 b 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 64 -S OUT OOW
        Jul 25 16:42:04 aps17 ipmon[249]: 16:42:03.676088 uplink0 @0:2 b 192.168.10.17,2428 -> 192.168.20.42,2424 PR tcp len 20 40 -R OUT OOW

    Has this issue been found and fixed as one of the recent releases mentioned here? A couple of them sound similar, but I want to confirm.

    Posted by Qing on July 25, 2007 at 12:06 PM PDT #
