'Invalid state' when using stateful ipfw

Post by James Lon » Mon, 22 Jan 2001 08:09:43



I'm running a gateway which uses ipfw's stateful rules.
Send me email if you need to see the rules themselves
to diagnose this.

Every day in the security report, I get dozens of lines like
the ones shown below.  To my eye, these give no indication of
which specific rule(s) or IP traffic is creating the invalid
states.

Things seem to be working okay, I just want to know why I'm
seeing these messages, and how I can eliminate them.

Thanks!

> invalid state: 0x0
> invalid state: 0x0
> invalid state: 0x0
> invalid state: 0x0
> invalid state: 0x0
> invalid state: 0x101
> invalid state: 0x101
> invalid state: 0x101
> invalid state: 0x101
> invalid state: 0x101
> invalid state: 0x101
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x3
> invalid state: 0x103
> invalid state: 0x103

--
Remove the backwards  nospam_  to reply.
 
 
 

Post by Lowell Gilber » Wed, 24 Jan 2001 01:07:09



> I'm running a gateway which uses ipfw's stateful rules.
> Send me email if you need to see the rules themselves
> to diagnose this.

> Every day in the security report, I get dozens of lines like
> the ones shown below.  To my eye, these give no indication of
> which specific rule(s) or IP traffic is creating the invalid
> states.

> Things seem to be working okay, I just want to know why I'm
> seeing these messages, and how I can eliminate them.

Well, this indicates some sort of bug.  There are a bunch of sysctls
that affect the debugging output from ipfw, but they are probably all
set for you already.  Check (from the man page) and be sure, in case
there's more information you could be getting.

If you're running an up-to-date version of FreeBSD, you should
probably submit a Problem Report (you'll need to include a lot more
detail than this news posting did); if not, you should probably try to
upgrade first, because there have apparently been a lot of changes in
the stateful tracking code for ipfw.

> Thanks!

> > invalid state: 0x0
> > invalid state: 0x0
> > invalid state: 0x0
> > invalid state: 0x0
> > invalid state: 0x0
> > invalid state: 0x101
> > invalid state: 0x101
> > invalid state: 0x101
> > invalid state: 0x101
> > invalid state: 0x101
> > invalid state: 0x101
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x3
> > invalid state: 0x103
> > invalid state: 0x103

> --
> Remove the backwards  nospam_  to reply.


 
 
 

1. Combining NATD with IPFW's "keep-state" and "check-state" rules

I'm having some difficulty creating a customized firewall
configuration that uses both address translation and stateful
inspection.  Here's what I'm trying to do:

 1. protect against IP spoofing, both in- and outbound

 2. allow inbound SMTP, FTP, HTTP, and DNS traffic to various hosts
    behind the firewall, statefully (and using NAT)

 3. filter outbound traffic (e.g. only HTTP, FTP, DNS, NTP, RealAudio,
    etc.), statefully, hiding behind the Firewall's external IP.

 4. filter IPSEC-encapsulated traffic

Thanks to /etc/rc.firewall, I've got rules for #1 (admittedly, proper
placement around "divert" and "check-state" rules is going to be an
issue), but the others elude me, especially since the available
documentation (the Handbook, the FAQ, the manual pages, FreeBSD
problem reports, the default firewall rule base in /etc/rc.firewall,
and the contents of /usr/share/examples) is pretty short on examples
of advanced usage.

If someone could point me to alternate resources, especially advanced
IPFW and NATD configurations, I would be very grateful.  I would also
be glad to share my firewall configuration in order to learn these
more advanced techniques.

Kind regards,
#\Matthew

--
"We know for certain only when we know little.  With knowledge, doubt
increases." - Goethe
