Ok folks, I'm having a hard time getting my head around this one. I think I need an outside point of view. I'm trying to set up some basic filtering using stateful filter exceptions. They work fine for all of a couple of minutes and then they start to discard packets that should be permitted. I've been replacing the failing stateful exceptions with non-stateful exceptions and getting various services to work more reliably that way, but I'd rather use stateful... The interesting thing that I've noticed is that Set Filter Debug=ON seems to indicate that the rule that is discarding the packet is... for lack of a better way to describe it... a leftover.

Here's a simple example. I have a stateful filter exception to allow ICMP from the private interface to the public interface. If I try to ping from a workstation on the private network to a device on the public network, it will fail. If I then try pinging another device on the public network, it will still fail; however, the filter debug appears to indicate that the rule that is discarding the new packet is the rule from the previous ping attempt.

As I mentioned earlier, the exceptions will work fine for a few minutes after rebooting the server, reloading the NLMs or changing/adding/deleting a filter exception via FILTCFG.

Does anyone have any suggestions? Am I reading the filter debug wrong?


Thanks in advance!



--
Chad Neeper
Sr. Systems Engineer
Network Response Group



Details:
BM3.5 on NW5.1SP3 - Patched using Craig's patch list as a guide
FILTSRV.NLM v1.5 - 11-02-1998
IPFLT.NLM v4.60a - 07-17-2002
IPFLT31.NLM v5.3v - 07-17-2002
TCPIP.NLM v5.91o - 10-30-2002

1 - Private interface (10.2.2.1/255.255.255.0)
3 - Public interface (66.213.120.130/255.255.255.224)
4 - DMZ interface (haven't set up exceptions for this yet)
5 - VPN interface (exceptions working fine)

****************************************************************************

OUTBOUND packet to "Discard"
Protocol Type=(ICMP) Protocol Flag=(NONE)
Source Address=(10.2.2.59) Destination Address=(66.213.120.131)
Source Port=(0) Destination Port=(0)
Source TOS=(Echo Request) Destination TOS=(Echo Request)

Source Interface=(1) Destination Interface=(3)
Source Circuit=(56344) Destination Circuit=(16470)
Source GroupID=(0) Destination GroupID=(0)


Discard filter rule from "Exceptions" list
Filter Protocol Type=(ICMP)
Source Interface Type=(BOARD_NETWORK) Destination Interface Type=(BOARD)
Source Address=(10.2.2.59) Destination Address=(131.187.254.8)
Source Interface Number=(1) Destination Interface Number=(3)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Echo Request) Destination TOS=(Echo Request)

Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(56344) Destination Circuit=(37388)
****************************************************************************

Note: Here I did two pings. The first from 10.2.2.59 to 131.187.254.8; the second ping was to 66.213.120.131. The above debug was from the second ping. In the discard filter rule, why does the Destination Address indicate the first ping's address?


FILTERS.CFG
<snip>
PACKET-FILTER-LIST IP, ENABLED, DENY
FILTER ENABLED NOLOG, INTRFACE:<Any>, IP:pid=IP, INTRFACE:PUBLIC1, Added by BRDCFG to block all IP packets.
EXCLUDE ENABLED NOLOG, INTRFACE:PRIVATE1 IP:10.2.2.0/255.255.255.0, IP:pid=ICMP stfilt=1, INTRFACE:PUBLIC1, Stateful outgoing ICMP
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1, IP:pid=TCP port=1024-65535 srcport=80 ackfilt=0 stfilt=0, INTRFACE:PRIVATE1 IP:10.2.2.0/255.255.255.0, Incoming HTTP
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:192.88.193.144, IP:pid=UDP port=1024-65535 srcport=53 stfilt=0, INTRFACE:PUBLIC1 IP:66.213.120.130, Allow incoming DNS to BM server
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:156.63.130.6, IP:pid=UDP port=1024-65535 srcport=53 stfilt=0, INTRFACE:PUBLIC1 IP:66.213.120.130, Allow incoming DNS to BM server
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=UDP port=53 srcport=1024-65535 stfilt=0, INTRFACE:PUBLIC1 IP:192.88.193.144, Allow outgoing DNS from BM server
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=UDP port=123 srcport=1024-65535 stfilt=1, INTRFACE:PUBLIC1, Allow stateful outgoing timesync from BM server
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=43 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1, Allow stateful outgoing WHOIS lookups
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=25 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1, Allow stateful outgoing SMTP mail clients
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=UDP port=53 srcport=1024-65535 stfilt=0, INTRFACE:PUBLIC1 IP:156.63.130.6, Allow outgoing DNS from BM server
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=110 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1, Allow stateful outbound POP3 mail clients
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=119 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1, Stateful outbound NNTP over TCP
EXCLUDE ENABLED NOLOG, INTRFACE:<Any> IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=443 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1, Stateful outbound SHTTP
EXCLUDE ENABLED NOLOG, INTRFACE:PRIVATE1 IP:10.2.2.0/255.255.255.0, IP:pid=TCP port=80 srcport=1024-65535 ackfilt=0 stfilt=0, INTRFACE:PUBLIC1, Allow outbound HTTP
FILTER ENABLED NOLOG, INTRFACE:PUBLIC1, IP:pid=IP, INTRFACE:<Any>, Added by BRDCFG to block all IP packets.
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=TCP port=213 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1 IP:209.248.175.74, Allow outgoing handshaking for server-server VPN
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:209.248.175.74, IP:pid=TCP port=213 srcport=1024-65535 ackfilt=0 stfilt=1, INTRFACE:PUBLIC1 IP:66.213.120.130, Allow incoming handshaking for server-server VPN
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:209.248.175.74, IP:pid=UDP port=2010 srcport=2010 stfilt=0, INTRFACE:PUBLIC1 IP:66.213.120.130, Incoming server-server VPN Keep-Alive packets
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=UDP port=2010 srcport=2010 stfilt=0, INTRFACE:PUBLIC1 IP:209.248.175.74, Outgoing server-server VPN Keep-Alive packets
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:66.213.120.130, IP:pid=57, INTRFACE:PUBLIC1 IP:209.248.175.74, Outgoing VPN data
EXCLUDE ENABLED NOLOG, INTRFACE:PUBLIC1 IP:209.248.175.74, IP:pid=57, INTRFACE:PUBLIC1 IP:66.213.120.130, Incoming VPN data
<snip>
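The question in the post comes down to one check: does the discard rule that Set Filter Debug prints actually describe the packet it says it discarded? Below is an added example (not part of the post, and not BorderManager's own code) that parses a debug entry in the Key=(value) layout pasted above and lists every compared field where the logged rule's value does not cover the packet's value. The sample input is the post's own debug entry copied into a string. The field-to-field mapping (packet "Destination Address" against rule "Destination Address", packet "Source Port" against rule "Source Port Range", and so on) is this script's assumption drawn from the field names in the dump, not documented BorderManager matching semantics.

```python
"""Compare a BorderManager "Set Filter Debug" discard entry against the rule
it names: report the fields where the rule does not describe the packet.

Added example. The input layout is taken from the debug dump in the post;
the notion of which rule fields must cover which packet fields is assumed.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the post's debug entry for the second ping, whose
# discard rule still carries the first ping's destination (131.187.254.8).
SAMPLE_DEBUG = """\
OUTBOUND packet to "Discard"
Protocol Type=(ICMP) Protocol Flag=(NONE)
Source Address=(10.2.2.59) Destination Address=(66.213.120.131)
Source Port=(0) Destination Port=(0)
Source TOS=(Echo Request) Destination TOS=(Echo Request)

Source Interface=(1) Destination Interface=(3)
Source Circuit=(56344) Destination Circuit=(16470)
Source GroupID=(0) Destination GroupID=(0)

Discard filter rule from "Exceptions" list
Filter Protocol Type=(ICMP)
Source Interface Type=(BOARD_NETWORK) Destination Interface Type=(BOARD)
Source Address=(10.2.2.59) Destination Address=(131.187.254.8)
Source Interface Number=(1) Destination Interface Number=(3)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Echo Request) Destination TOS=(Echo Request)

Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(56344) Destination Circuit=(37388)
"""

# Every field in the dump is written as Key=(value); keys are words and spaces.
FIELD_RE = re.compile(r"([A-Za-z ]+)=\(([^)]*)\)")

# Packet field -> rule field that must cover it for the rule to apply.
# Assumed mapping, built from the field names as they appear in the dump.
FIELD_MAP = {
    "Protocol Type": "Filter Protocol Type",
    "Source Address": "Source Address",
    "Destination Address": "Destination Address",
    "Source Interface": "Source Interface Number",
    "Destination Interface": "Destination Interface Number",
    "Source Port": "Source Port Range",
    "Destination Port": "Destination Port Range",
    "Source TOS": "Source TOS",
    "Destination TOS": "Destination TOS",
    "Source Circuit": "Source Circuit",
    "Destination Circuit": "Destination Circuit",
}


def parse_fields(text: str) -> Dict[str, str]:
    """Collect all Key=(value) pairs in a block of debug output."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}


def parse_debug(entry: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one entry into (packet fields, rule fields) at the rule header."""
    marker = re.search(r"^.*filter rule from .*$", entry, re.MULTILINE)
    if marker is None:
        raise ValueError("entry has no 'filter rule from' line")
    return parse_fields(entry[: marker.start()]), parse_fields(entry[marker.start():])


def port_in_range(port: str, port_range: str) -> bool:
    """True when a port such as '1025' lies inside a rule range like '1024-65535'."""
    lo, _, hi = port_range.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def find_mismatches(packet: Dict[str, str], rule: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {packet field: (packet value, rule value)} for every mapped field
    where the rule's value does not cover the packet's value."""
    bad = {}
    for pkt_key, rule_key in FIELD_MAP.items():
        if pkt_key not in packet or rule_key not in rule:
            continue  # field absent on one side; nothing to compare
        pv, rv = packet[pkt_key], rule[rule_key]
        covered = port_in_range(pv, rv) if rule_key.endswith("Range") else pv == rv
        if not covered:
            bad[pkt_key] = (pv, rv)
    return bad


def report(entry: str) -> str:
    """One-line verdict plus a line per mismatching field."""
    packet, rule = parse_debug(entry)
    bad = find_mismatches(packet, rule)
    if not bad:
        return "logged rule describes the discarded packet on every compared field"
    lines = ["logged rule does NOT describe the discarded packet:"]
    lines += [f"  {field}: packet={pv} rule={rv}" for field, (pv, rv) in bad.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```

Run against the post's entry, the report flags exactly two fields: Destination Address (packet 66.213.120.131, rule 131.187.254.8) and Destination Circuit (packet 16470, rule 37388), while protocol, source address, interfaces, ports and TOS all agree. Paste further entries captured with Set Filter Debug=ON into the string (or feed them via a file) to see whether the same pattern, a rule whose destination belongs to an earlier flow, recurs once the exceptions start failing.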