Packet Filter Troubleshooting and Solutions Guide
================= TABLE OF CONTENTS =================
1. List of IPFLT31 debug commands and examples for troubleshooting Border Manager packet filtering issues
2. Information required by NTS when opening calls with Novell Technical Support
3. IPFLT31 functionality related to filter processing
4. Additional IPFLT31 SET commands
================================== 1. IPFLT31 DISCARD DEBUG COMMANDS ==================================
IPFLT31.NLM ships with various debug commands available to help
customers troubleshoot their own packet filtering problems.
In most cases the problem lies with the fact that an application
protocol is not being allowed through the firewall. The solution
to the problem is to add an exception filter to allow the
specific application traffic through. Such debug commands allow
users to identify the various packet types on the network, and
modify their filters accordingly to pass or block the traffic.
IPFLT31 exports a number of commands, which may be used to help
debug packet filtering issues. These commands can be global i.e.
turn on all debug settings, or individual i.e. turn on only a
few required settings. Globally, the following list of commands
exist
(a) ipflt_debug_help - Display all the available debug commands
coming with ipflt31.nlm. This is useful in that it displays all
the available commands on the system console.
(b) ipflt_debug_on - Enable packet forwarding filter debug. This
option will enable all of the SET commands mentioned below with
the exception of the three "Set Route" commands. It will list
all forwarded and discarded traffic going through the filters.
This command is useful when you have no idea as to what traffic
is being blocked or forwarded. If you are experiencing a problem
with one specific application, the individual commands mentioned
later in the document should be used.
(c) ipflt_debug_off - Disable all filter debug. This option will
disable each and every one of the SET commands mentioned below.
Using the "Set Filter Debug = off" at the server console has the
same effect.
(d) ipflt_route_debug - Enable routing filter debug. This
option will enable the three "Set Route" commands mentioned
below. This command should only be used when customers suspect
that the routes the system knows about are not being advertised.
It is also possible to set individual filters on to troubleshoot
filter problems at specific levels. Below is a list of
individual set commands (see list (i) to (xiv)), and examples of
how they may be used to troubleshoot problems. NOTE that the
"Set Filter Debug=on" must first be set at the server console for
any of these individual SET commands to have an effect.
When the SET commands are enabled, the system console will
display the state of the packet as seen by the IPFLT31 module
i.e. it will display a message indicating that the packet has
been 'discarded' by the filter if the discard SET command is
enabled, or 'forwarded' by the filter if the forward SET command is
enabled. To see both discarded and forwarded packets for a
specific protocol, both SET commands for that protocol must be
enabled.
(i) Set IP Discard Filter Debug=1/0
This command starts or stops the IP Packet Discarding Filter
Debug. Any discarded IP packet that is processed by the
filtering module (IPFLT) will be displayed on the screen.
The advantage of using this debug is that customers can view all
IP traffic being discarded by the filters, as opposed to just
TCP or UDP discards. The downside however is that we capture
much more data with this filter and need to trace through more
data. If customers believe that IGMP (active if PIM is enabled)
packets are being incorrectly dropped or allowed through, then
setting this parameter ON for troubleshooting makes sense.
(ii) Set IP Forward Filter Debug=1/0
This command starts or stops the IP Packet Forwarding (as opposed
to discarded packets addressed by (i) above) Filter Debug. Any
Forwarded IP packet that is processed by the IPFLT31.NLM will be
displayed on the screen.
The advantage of using this debug switch is that you can verify
that packets configured to be allowed through, are indeed so.
(iii) Set TCP Forward Filter Debug=1/0
This command Starts or Stops TCP Packet Forwarding Filter Debug.
When enabled, all forwarded TCP packets will be written to the
system console.
This option should be used in cases where SMTP, POP3, FTP, HTTP,
TELNET or other TCP based applications fail to work correctly
with the filters enabled. Once enabled, verify that you can see
the forwarded TCP packets at the system console.
(iv) Set TCP Discard Filter Debug=1/0
This command Starts or Stops TCP Packet Discarding Filter Debug.
When enabled, all discarded TCP packets will be written to the
system console.
This option should be used in cases where SMTP, POP3, FTP, HTTP,
TELNET or other TCP based applications fail to work correctly
with the filters enabled. If the packets should be allowed
through and yet you see your TCP packets being discarded,
add exception filters to allow the blocked traffic through.
Looking at an example where we used this set command. A TELNET
server is running on the Border Manager server 130.57.61.56. The
default Border Manager filters are in place. The problem is that
Telnet clients complain that they cannot telnet to the
server. The fact that TELNET, a TCP based application, is the
only application that seems to generate support calls, we decide
to enable the TCP discard debug commands. Doing this gave us the
following output.
SJF-ENG-PADDY5:set tcp discard filter debug=1 TCP Discard
Filter Debug set to
1 ****************************************************************************** OUTBOUND
packet to "Discard" Protocol Type=(TCP)
Protocol
Flag=(SYN) Source Address=(130.57.61.137) Destination
Address=(130.57.61.56) Source Port=(1123)
Destination
Port=(23) Source TOS=( Dynamic)
Destination
TOS=(Telnet) Source Interface=(1)
Destination
Interface=(1) Source Circuit=(42553)
Destination
Circuit=(0) Source GroupID=(0)
Destination
GroupID=(0)
Discard filter rule from "Exceptions" list Filter Protocol
Type=(IP) Source Interface Type=(BOARD) Destination
Interface Type=(Any) Source Address=(Any Address)
Destination Address=(Any Address) Source
Interface Number=(1) Destination Interface
Number=(0) Source Port Range=(0-0)
Destination Port
Range=(0-0) Source TOS=(Reserved)
Destination
TOS=(Reserved) Source Group Name=(None)
Destination Group
Name=(None) Source Group ID=(0)
Destination
Group ID=(0) Source Remote System ID=(None) Destination
Remote System ID=(None) Source Circuit=(0)
Destination
Circuit=(0)
From this debug output, we can see that the TCP SYN requests from
the client (130.57.61.137) are getting discarded and never reach
the server. To get around the problem, we needed to add an
exception filter to allow Telnet packets through. The exception
rule was as follows:
Source interface = private interface of BM server where client is
located Public interface = public interface of BM server
Packet type = Telnet (protocol TCP, destination port
23) Source address and destination addresses were left at
<any> although customers can enhance security by putting
in IP addresses of Telnet servers made accessible to clients.
(v) Set UDP Forward Filter Debug=1/0
This command Starts or Stops UDP Packet Forwarding Filter Debug.
When enabled, all forwarded UDP packets will be written to the
system console.
This option should be used in cases where DNS, SNMP, NFS, SLP or
other UDP based applications fail to work correctly with the
filters enabled. Once enabled, verify that you can see the
forwarded UDP packets at the system console.
(vi) Set UDP Discard Filter Debug=1/0
This command Starts or Stops UDP Packet Discarding Filter Debug.
When enabled, all discarded UDP packets will be written to the
system console.
This option should be used in cases where DNS, SNMP, NFS, SLP or
other UDP based applications fail to work correctly with the
filters enabled. Once enabled, verify that you can see the
forwarded UDP packets at the system console. If the packets
should be allowed through and yet you see your UDP packets being
discarded, add exception filters to allow the blocked traffic
through.
An example where this SET command would be useful would be
troubleshooting the following SNMP (UDP based application)
problem. The customer is running TCPCON to try and query SNMP
statistics on another local server. When he runs TCPCON on his
box (130.57.61.56) and points the "SNMP Access Configuration" to
130.57.62.2, he gets "Request Timed Out" messages. By setting
the "Set UDP Discard Filter Debug=1", we were able to see the
following at the server console.
All allow rules from the exception list were initially parsed but
no specific entry existed that would allow the SNMP protocol. As
a result, we would hit the main rule that blocks everything not
in the exception list. To overcome this problem, simply add an
exception to allow SNMP packets out.
****************************************************************************** OUTBOUND
packet to "Discard" Protocol Type=(UDP)
Protocol
Flag=(NONE) Source Address=(130.57.61.56) Destination
Address=(130.57.62.2) Source Port=(1030)
Destination
Port=(161) Source TOS=(Dynamic)
Destination
TOS=(SNMP) Source Interface=(1)
Destination
Interface=(1) Source Circuit=(32847)
Destination
Circuit=(32847) Source GroupID=(0)
Destination
GroupID=(0)
Discard filter rule from "Exceptions" list Filter Protocol
Type=(IP) Source Interface Type=(BOARD) Destination
Interface Type=(Any) Source Address=(Any Address)
Destination Address=(Any Address) Source
Interface Number=(1) Destination Interface
Number=(0) Source Port Range=(0-0)
Destination Port
Range=(0-0) Source TOS=(Reserved)
Destination
TOS=(Reserved) Source Group Name=(None)
Destination Group
Name=(None) Source Group ID=(0)
Destination
Group ID=(0) Source Remote System ID=(None) Destination
Remote System ID=(None) Source Circuit=(0)
Destination
Circuit=(0) ******************************************************************************
(vii) Set ICMP Forward Filter Debug=1/0
This command Starts or Stops ICMP Packet Forwarding Filter Debug.
When enabled, all forwarded ICMP packets will be written to the
system console.
This option should be used in cases where users cannot PING, or
receive ICMP route updates with the filters enabled. Once
enabled, verify that you can see the forwarded ICMP packets at
the system console.
(viii) Set ICMP Discard Filter Debug=1/0
This command Starts or Stops ICMP Packet Discarding Filter Debug.
When enabled, all discarded ICMP packets will be written to the
system console.
This option should be used in cases where users cannot PING, or
receive ICMP route updates with the filters enabled. Once
enabled, verify that you can see the discarded ICMP packets at
the system console.
Below is an example from a Server where ICMP is being blocked. By
enabling the ICMP Discard Filter Debug switch, we were able to
see that 1) the ICMP packet was indeed discarded and; 2) the
configured rule that resulted in the ICMP packet being discarded
(Discard filter rule from "Exceptions" list)
SJF-ENG-PADDY5:set icmp discard filter debug=1 ICMP Discard
Filter Debug set to 1 SJF-ENG-PADDY5:ping 130.57.4.1 Loading
module PING.NLM TCPIP Ping Utility
NW5SP3.250699 Version 4.23 June 25,
1999 Copyright 1994-1999 Novell, Inc. All
rights
reserved. *********************************************************************** OUTBOUND
packet to "Discard" Protocol Type=(ICMP)
Protocol
Flag=(NONE) Source Address=(130.57.62.38) Destination
Address=(130.57.4.1) Source Port=(0)
Destination
Port=(0) Source TOS=(70)
Destination
TOS=(70) Source Interface=(1)
Destination
Interface=(1) Source Circuit=(56955)
Destination
Circuit=(56955) Source GroupID=(0)
Destination
GroupID=(0)
Discard filter rule from "Exceptions" list Filter Protocol
Type=(IP) Source Interface Type=(BOARD) Destination
Interface Type=(Any) Source Address=(Any Address)
Destination Address=(Any Address) Source
Interface Number=(1) Destination Interface
Number=(0) Source Port Range=(0-0)
Destination Port
Range=(0-0) Source TOS=(Reserved)
Destination
TOS=(Reserved) Source Group Name=(None)
Destination Group
Name=(None) Source Group ID=(0)
Destination
Group ID=(0) Source Remote System ID=(None) Destination
Remote System ID=(None) Source Circuit=(0)
Destination
Circuit=(0) ***********************************************************************
(ix) Set SKIP Forward Filter Debug=1/0
This command Starts or Stops SKIP Packet Forwarding Filter Debug.
When enabled, all forwarded SKIP packets will be written to the
system console. NOTE that SKIP is the communication protocol
used between VPN hosts.
This option should be used in cases where users cannot
communicate with remote services through a VPTUNNEL with the
filters enabled. Once enabled, verify that you can see the
forwarded SKIP packets at the system console.
(x) Set SKIP Discard Filter Debug=1/0
This command Starts or Stops SKIP Packet Discarding Filter Debug.
When enabled, all discarded SKIP packets will be written to the
system console. NOTE that SKIP is the communication protocol
used between VPN hosts.
This option should be used in cases where users cannot
communicate with remote services through a VPTUNNEL with the
filters enabled. Once enabled, verify that you can see the
forwarded SKIP packets at the system console. If the packets
should be allowed through and yet you see your SKIP packets
being discarded, add exception filters to allow the blocked
traffic through (or in the case of the SKIP traffic, simply
rerun the default filters through BRDCFG).
(xi) Set Others Forward Filter Debug=1/0
This command Starts or Stops Others Packet Forwarding Filter
Debug This is the default scenario when a packet that does not
have an IP, UDP, TCP, SKIP or ICMP packet type is processed by
the filtering modules. NOTE that this will rarely happen unless
customers are running packet types not defined above such as
GRE, OSPF for example.
(xii) Set Others Discard Filter Debug=1/0
This command Start or Stop Others Packet Forwarding Filter
Debug This is the default scenario when a packet that does not
have an IP, UDP, TCP, SKIP or ICMP packet type is processed by
the filtering modules. NOTE that this will rarely happen unless
customers are running packet types not defined above such as
GRE, OSPF for example.
(xiii) Set Route Filter Debug=1/0
This command Starts or Stops the Route Filter Debug. Enabling
this SET command dumps some useful information to the system
console indicating whether specific routes currently existing in
the routing table will get advertised or not within RIP, OSPF
external route, or EGP packets, as well as some information about
those routes.
(xiv) Set Route Allow Filter Debug=1/0
This command Starts or Stops Route Allow Filter Debug. With this
filter enabled, routes that are allowed in the RIP, OSPF
external route or EGP packets are displayed at the server
console. If customers believe that the routes being advertised
via RIP, OSPF or EGP are missing information, they may be able to
use this SET command to verify that the route is indeed there.
(xv) Set Route Deny Filter Debug=1/0
This command Starts or Stops Route Deny Filter Debug. With this
filter enabled, routes that are not allowed in the RIP, OSPF
external route or EGP packets are displayed at the server
console. If customers believe that the routes being advertised
via RIP, OSPF or EGP are missing information, they may be able to
use this SET command to verify that the route is being blocked.
An example of where this may help would be the following case
with the default filters in place. My server has one LAN card
(130.57.61.56). With RIP enabled and the split horizon algorithm
running (default scenario), my server will not advertise the
130.57.60.0/255.255.252.0 network back out onto the LAN. This
works as defined by the specifications, and prevents routing
loops. The output at the system console would show:- Route to
deny... Routing protocol of peer is RIP Rip peer
address=130.57.60.0
============================================================= 2.
Information required by NTS when opening support
incidents =============================================================
NOTE that sample filters for the most common setups (HTTP, DNS,
SMTP, POP3) exist in the documentation - please reference this
material before escalating calls to Novell NTS. The
documentation is also available on-line from
http://www.novell.com/documentation/lg/bmee3.5/docui/index.html.
In order to quickly provide customers with solutions to their
filtering problems, all open incidents should include the
following information:-
1. Network layout - this should include all IP addresses of
services that the customer is trying to access, as well as the
IP addresses configured on the Border Manager server
2. Description of problem - A clear explanation of what services
are failing when the packet filters are running e.g. I cannot
access my SMTP mail through the packet filtering firewall.
3. Console.log file showing the output of the debug commands
mentioned above. NOTE that conlog.nlm logs 100kB of information
by default. Should your system be processing a lot of IP traffic,
it is recommended that the log file be increased to 1MB by
loading conlog.nlm with the paremeter 'maximum=1000'.
* If you are unsure about what protocols your applications may be
using, the output of the "ipflt_debug_on" system console command
will indicate what packets are being allowed and discarded by
the filters.
* If you know exactly what protocol your failing application is
using, the individual set commands should be set e.g. if FTP is
failing, set the "Set TCP Discard Filter Debug=1" and "Set TCP
Forward Filter Debug=1". NOTE that there may be other protocols
influencing the applications functionality such as DNS.
======================================== 3. Order filters
actually get processed ========================================
IP Packet filtering calls take place within TCPIP.NLM under three
separate scenario's:
a) When an incoming packet is processed and the final destination
is our local IP address b) When an incoming packet is
processed and the final destination is not our local address
i.e. the packet needs to be routed by our stack and; c) When an
outgoing packet is being transmitted and our local IP address is the
source IP address
In each of the above cases, control is temporarily passed to the
IPFLT31 module to verify whether the incoming, outgoing or
forwarded packet must be allowed through, or discarded. The
IPFLT31 modules sole job is to communicate to TCPIP.NLM that the
packet should be allowed or discarded. TCPIP in turn proceeds
with it's transmit, receive or forward routines if an allow is
returned by IPFLT31, or drops the packet if the deny was
returned.
IPFLT31.NLM's processing goes as follows:-
1. Check if the "SET Filter Local Loopback Packets" command is
enabled. As NetWare 5 is running on top of TCPIP, all local
loopback traffic must be allowed (return allow to TCPIP) even if
there exists a deny ALL filter so that local service or
application can still function normally. Forward only locally
generated packets or loopback IP addresses. NOTE that source and
destination IP address are always the same.
2. Check if the " SET Filter Packets With IP Header Options " is
enabled and if so, drop all packets contain "options" in IP
header by returning a discard to TCPIP.
3. Check for fragmentation attacks where the fragmentation fields
are enabled (fragmentation offset not equal to zero, or the more
fragments flag set in the IP header) and TCPs SYN/FIN/RST are
also enabled. If this is the case, return a discard to TCPIP.
4. Check for illegal source IP addresses and return discard if
found. Examples include 255.255.255.255, xxx.255.255.255,
xxx.xxx.255.255, xxx.xxx.xxx.255, xxx.xxx.xxx.0, multicast. NOTE
that it's ok to drop destination IP address of 0.0.0.0 but do
not drop source of 0.0.0.0 (DHCP client). Some implementations of
TCP/IP are vulnerable to packets that are crafted in a
particular way (a SYN packet in which the source address and
port are the same as the destination i.e. the LAND attack). In
order to defend against LAND attack, we must drop all SYN
packets in which both the source IP and port are the same as the
destination i.e. spoofed. UDP can also be used to similar attack
TCPIP stacks. NOTE that Novell's TCPIP stack does not suffer
from this land attack.
5. Check if the "SET Filter Subnet Broadcast Packets" parameter
is enabled and if so, drop all IP forwarding broadcast address
with the xxx.xxx.xxx.255 or xxx.xxx.xxx.0.
6. Check if anyone is trying to spoof our local source IP
address. This is done by first verifying if we're in forwarding
or Local delivery mode (not transmit) and secondly, if the
source IP address belongs to this router but the packet
originated from external source (spoof). If this is the case,
drop it.
7. Check if we're being 'smurf' attacked. The smurf attack relies
on the router serving a large multi-access broadcast network to
frame an IP broadcast address (such as 10.255.255.255) into a
layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF).
Generally, with IP providers and IP applications as we know them
today, this behavior should not be needed. It is recommended that
directed-broadcasts be turned off via TCPCON, to suppress the
effects of this attack. This is off by default.
8. Search the filter cache or filter database to see if the
packet we're processing has a specific rule that could be
applied to it. NOTE that at this stage, we have all the details
about the packet (ip addresses, interface information, protocol,
port numbers, etc) from TCPIP and we know the corresponding
information from the configured filters. The filters are processed
in the following order to check for hits:
a) Check the exception filter list to see whether a rule exists
that matches our IP packet. If the default action is to DENY
packets in the filter list, the exception list lists packets
that should be allowed. If we get a hit here, send an allow
message to TCPIP so that the stack continues processing the packet.
If the default action is to ALLOW packets in the filter list,
send a deny message to TCPIP so that it will drop the packet.
b) Assuming that the exception rule failed to provide a hit, the
filters are then processed in sequence for a hit. If no filters
match the packet being processed, we check for the default
ACTION specified.
c) If the default ACTION specified is to PERMIT packets not in
filter list, then an allow will be sent back to TCPIP to
continue processing the packet. If on the other hand the default
action is to DENY packets not in filter list, the deny message
will be sent back to TCPIP so that it drops the packet.
NOTE: If a match exists, and the default policy is to permit
packets in the filter list, we check to see if stateful
filtering is enabled.
* If it is, we create a reverse filter and return allow to TCPIP
* If it isn't return a discard message for TCPIP to drop the
packet
======================================== 4. Other IPFLT31
available SET Commands ========================================
The following SET commands may be used to change the behaviour of
the filters. It is NOT recommended that these commands be
changed from their default as they may have a negative impact on
performance and application functionality is used incorrectly.
1. SET Filter Subnet Broadcast Packets - When this command is set
to ON, the filter modules will defend private hosts against
destination IP broadcast address attack through discards.
(Settable only in AUTOEXEC.NCF) Default Setting: ON
2. Filter Local Loopback Packets - When this command is set to
ON, local loopback packet will be subjected to filtering. Set it
OFF to enhance server performance by bypassing filter
inspection. NOTE that some applications e.g. GroupWise, make use
of the loopback interface, in which case they will fail when set
to OFF. (Settable only in AUTOEXEC.NCF) Default Setting: ON
3. Shutdown Public Interface On Log Failure - When this command
is set to ON, IPFLT31 will deny IP traffic to/from public
interface when logging fails. Set it to OFF to ignore logging
failure and continue to permit predefined IP traffic to/from
public interface. (Settable only in AUTOEXEC.NCF) Default Setting:
ON
4. Filter Packets With IP Header Options - When this command is
set to ON, IPFLT will deny all IP packets with IP header option.
(Settable only in AUTOEXEC.NCF) Default Setting: ON
5. Filter Log Packets Without Matching Rule - When this command
is set to ON IPFLT will log all TCP/IP packets without matching
filter rules. (Settable only in AUTOEXEC.NCF) Default Setting:
OFF. |