Testing whether the "reverse route" setting on Hillstone firewall interfaces is related to uRPF
I have never really understood the "reverse route" setting on Hillstone firewall interfaces.
I asked several times, and the professional answers always said it is a "session persistence" feature and has nothing to do with uRPF.
I always had my doubts, so today I am testing it with a virtual machine.
The firewall image used is
SG6000-CloudEdge-5.5R4P21-VM01.qcow2
- All tests judge only how the forward-direction packet is handled.
If it is dropped, the firewall is not forwarding.
If a session is created, the firewall is forwarding.
Forwarding of the return traffic is not discussed.
Device topology
(192.168.200.2/24 Linux PC 192.168.1.254/24) - (192.168.1.1/24 Hillstone FW 192.168.2.1/24) - the VM NIC is up but not connected to any device.
Route configured on the Linux PC: 192.168.2.8 is reached via 192.168.1.1
#ip route show
192.168.2.0/24 via 192.168.1.1 dev tap1a
Test command run on the PC: send one TCP packet with dst IP 192.168.2.8, dport 23, src IP 192.168.200.2
#hping3 --scan 23 -S 192.168.2.8 -a 192.168.200.2
Firewall configuration.
interface ethernet0/0 local
zone "trust"
ip address 192.168.1.1 255.255.255.0
manage ssh
manage ping
manage snmp
manage https
exit
interface ethernet0/1
zone "trust"
ip address 192.168.2.1 255.255.255.0
manage ssh
manage ping
manage https
exit
rule id 1
action permit
src-zone "Any"
dst-zone "Any"
src-addr "Any"
dst-addr "Any"
service "Any"
name "any"
exit
C>* 192.168.1.0/24 is directly connected, ethernet0/0
H>* 192.168.1.1/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.2.0/24 is directly connected, ethernet0/1
H>* 192.168.2.1/32 [0/0/1] is local address, ethernet0/1
Test 1
Source and destination interfaces in the same zone (trust). Debug output with "reverse route" enabled on the interface.
Conclusion: the routing table has no route for the source IP and "reverse route" is enabled, so the packet is not forwarded.
SG-6000(config)# show logging debug
2020-11-03 09:21:50, DEBUG@FLOW: core 1 (sys up 0x2c5073 ms): rx_handle_prepare: 529d.0f82.509d->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 24162, ip size 40, prot: 6(TCP): 1805 -> 23
ad_vector_for_fast_flow: zonename trust, proto_flag[1] 0, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:1805, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 293, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:1805->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
Failed to get route to 192.168.200.2
The reverse route is invalid for force revs-route setting, drop the packet
Dropped: No reverse route, drop the packet
dp_sess_sm_transtion: Do session state machine transtion, id 293, state: 1, event: 4!
deny session:flow0 src 192.168.200.2 --> dst 192.168.2.8 Deny session installed successfully
--------VR:trust-vr end--------
-----------------------First path over (session not created)
Droppped: failed to create session, drop the packet (action=0)
====================
Test 2
Source and destination interfaces in the same zone (trust). Debug output with "reverse route" disabled on the interface.
Conclusion: with no route for the source IP and "reverse route" disabled, the firewall forwards the packet.
SG-6000(config)# show logging debug
2020-11-03 09:41:00, DEBUG@FLOW: core 1 (sys up 0x3dd9e2 ms): rx_handle_prepare: 529d.0f82.509d->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 20171, ip size 40, prot: 6(TCP): 1048 -> 23
ad_vector_for_fast_flow: zonename trust, proto_flag[1] 0, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:1048, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 290, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:1048->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
--------VR:trust-vr end--------
Start policy lookup.
Pak src zone trust, dst zone trust, prot 6, dst-port 23.
Policy 1 matches, =PERMIT=
crt_sess->flow0_io_cpuid 0
flow0 src 192.168.200.2 --> dst 192.168.2.8 with nexthop 192.168.2.8 ifindex 31
flow1 src 192.168.2.8 --> dst 192.168.200.2 nexthop not lookup or invalid
flow0’s next hop: 0.0.0.0 flow1’s next hop: 192.168.2.8
crt_sess->revs_rres.gw: 0.0.0.0, crt_sess->forw_rres.gw 192.168.2.8
Calculate flow1 hash, srcip: 192.168.2.8, dstip: 192.168.200.2, lports: 170418, prot: 6, token: 1
in flow_first profile_merge
------sess:290,app :5 init in first proc
Application 5 hasn’t been registered, don’t need do ALG
APP inited for application TELNET
crt_sess policy_flag is 0000, session flag1 is 100000
TELNET: create session: atomic bit 0
session: id 290, prot 6, flag0 0,flag1 100000, created 4053, life 1800
flow0(if id: 30 flow id: 580 flag: 40200810):192.168.200.2:1048
->192.168.2.8:23
flow1(if id: 31 flow id: 581 flag: 0): 192.168.2.8:23
->192.168.200.2:1048
dp_sess_sm_transtion: Do session state machine transtion, id 290, state: 1, event: 3!
The following session is installed
session: id 290, prot 6, flag0 0,flag1 100000, created 4053, life 1800
flow0(if id: 30 flow id: 580 flag: 40200810):192.168.200.2:1048
->192.168.2.8:23
flow1(if id: 31 flow id: 581 flag: 800): 192.168.2.8:23
->192.168.200.2:1048
Session installed successfully
S>* 0.0.0.0/0 [1/0/1] via 192.168.2.8, ethernet0/1
Test 3
Source and destination interfaces in the same zone (trust).
A default gateway is added on the firewall. This effectively gives the source IP a route, but one that does not match the direction the packet arrived from.
Reverse route enabled.
The debug output is omitted here; the relevant lines are:
Connection route.
Found the reverse route for force or prefer revs-route setting
Conclusion: as long as there is a route for the src IP, the packet is forwarded. Here that route comes from the default gateway setting.
Test 4
Source and destination interfaces in the same zone (trust).
No other changes.
The interface's reverse route setting is changed to Auto.
Conclusion: as long as there is a route for the src IP, the packet is forwarded. Here that route comes from the default gateway setting.
================
The following tests cover ingress and egress interfaces in different zones.
Test 5
Source and destination interfaces in different zones (untrust -> trust).
The default route covers the src IP.
Reverse route switch enabled.
The firewall does not forward the packet, and the output shows that a deny session was created as well. This looks a lot like strict uRPF again.
SG-6000DBG# show logging debug
2020-11-03 10:22:02, DEBUG@FLOW: core 1 (sys up 0x44297 ms): rx_handle_prepare: b2f8.02da.0ca4->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 5649, ip size 40, prot: 6(TCP): 2537 -> 23
ad_vector_for_fast_flow: zonename untrust, proto_flag[1] 7, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:2537, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 15, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:2537->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
Dropped: Address spoof detected!!
Dropped: No reverse route, drop the packet
dp_sess_sm_transtion: Do session state machine transtion, id 15, state: 1, event: 4!
deny session:flow0 src 192.168.200.2 --> dst 192.168.2.8 Deny session installed successfully
--------VR:trust-vr end--------
-----------------------First path over (session not created)
Droppped: failed to create session, drop the packet (action=0)
Test 6
Source and destination interfaces in different zones (untrust -> trust).
The default route covers the src IP.
Reverse route switch disabled.
The firewall forwarded the packet.
SG-6000DBG# show logging debug
2020-11-03 10:31:22, DEBUG@FLOW: core 1 (sys up 0xccc0b ms): rx_handle_prepare: b2f8.02da.0ca4->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 1591, ip size 40, prot: 6(TCP): 2301 -> 23
ad_vector_for_fast_flow: zonename untrust, proto_flag[1] 7, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:2301, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 8, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:2301->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
--------VR:trust-vr end--------
Start policy lookup.
Pak src zone untrust, dst zone trust, prot 6, dst-port 23.
Policy 1 matches, =PERMIT=
crt_sess->flow0_io_cpuid 0
flow0 src 192.168.200.2 --> dst 192.168.2.8 with nexthop 192.168.2.8 ifindex 31
flow1 src 192.168.2.8 --> dst 192.168.200.2 nexthop not lookup or invalid
flow0’s next hop: 0.0.0.0 flow1’s next hop: 192.168.2.8
crt_sess->revs_rres.gw: 0.0.0.0, crt_sess->forw_rres.gw 192.168.2.8
Calculate flow1 hash, srcip: 192.168.2.8, dstip: 192.168.200.2, lports: 1708fd, prot: 6, token: 1
in flow_first profile_merge
------sess:8,app :5 init in first proc
Application 5 hasn’t been registered, don’t need do ALG
APP inited for application TELNET
crt_sess policy_flag is 0000, session flag1 is 100000
TELNET: create session: atomic bit 0
session: id 8, prot 6, flag0 0,flag1 100000, created 838, life 1800
flow0(if id: 30 flow id: 16 flag: 200810):192.168.200.2:2301
->192.168.2.8:23
flow1(if id: 31 flow id: 17 flag: 40000000): 192.168.2.8:23
->192.168.200.2:2301
dp_sess_sm_transtion: Do session state machine transtion, id 8, state: 1, event: 3!
The following session is installed
session: id 8, prot 6, flag0 0,flag1 100000, created 838, life 1800
flow0(if id: 30 flow id: 16 flag: 200810):192.168.200.2:2301
->192.168.2.8:23
flow1(if id: 31 flow id: 17 flag: 40000800): 192.168.2.8:23
->192.168.200.2:2301
Session installed successfully
Test 7
Source and destination interfaces in different zones (untrust -> trust).
The default route covers the src IP.
Reverse route switch set to Auto.
The firewall does not forward. Same result as when the switch is enabled.
===============
The manual says the following.
Configuring the interface reverse route function
The reverse route function refers to the route used to forward reverse-direction data, where "reverse" is relative to the direction in which the flow was initiated. The reverse route function applies only to Layer 3 interfaces. In interface configuration mode, use the following command to configure the reverse route function:
reverse-route [ force | prefer ]
force – Force reverse route. If a reverse route can be found, it is used to forward the reverse-direction data; if no reverse route can be found, the packet is dropped. By default, Layer 3 interfaces use force reverse route.
prefer – Prefer reverse route. If a reverse route can be found, it is used to forward the reverse-direction data; if no reverse route can be found, the data returns along the original path (that is, it is sent out of the current interface).
In interface configuration mode, use the no reverse-route command to disable the use of reverse routes. When reverse routes are not used, all reverse-direction data returns along its original path and no reverse route check is performed.
Note: if the egress interface of the reverse route found is not in the same zone as the original ingress interface, the device still drops the packet.
===================
That is as far as the testing goes.
Conclusions:
As to whether the "reverse route" setting is related to uRPF: the answer is that it is.
Source and destination interfaces in the same zone (trust):
When the routing table does not include the src IP and the interface has "reverse route" enabled,
such packets are dropped outright.
When "reverse route" is disabled, or set to Auto, or the firewall's routing table includes the src IP, the firewall creates a session.
Source and destination interfaces in different zones (untrust -> trust), or in other words, when the zone the src IP arrives from does not match the zone the route points to:
(the case where there is no route for the src IP was not tested here)
With "reverse route" disabled, the packet is forwarded.
With "reverse route" set to On or Auto, the packet is not forwarded.
The session persistence part was not tested; honestly, I do not understand that part either.
uRPF should also have these modes: strict uRPF, loose uRPF, and uRPF that ignores the default route.
If the zones are the same, what Hillstone controls with the "reverse route" switch is perhaps "loose uRPF".
If the zones are different, "reverse route" controls two states: "strict uRPF" and off.
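To make the decision table above concrete, here is a small model of the first-packet reverse route check, written for this article as an added example. It is not Hillstone code: the rules are reconstructed from the debug output of the seven tests and from the manual excerpt, the route table and interface names mirror the lab above, and it assumes that the GUI's "Auto" corresponds to the manual's "prefer". The "prefer with no reverse route" branch follows the manual's wording only, since that case was not tested in the post.

```python
"""Model of the Hillstone reverse-route first-packet check as observed in this post.

Added example, not vendor code. Routes and interface names are taken from the
lab described above; the decision rules are reconstructed from the debug logs
and the manual excerpt. Assumption: GUI "Auto" == CLI "prefer".
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    out_if: str


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    reverse_route: str  # "force", "prefer" or "none" (= no reverse-route)


def lookup(routes: list[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the equivalent of the firewall's route lookup."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def first_packet_decision(routes: list[Route], ifaces: dict[str, Interface],
                          in_if: str, src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Return ("forward", reason) or ("drop", reason) for the first packet of a flow."""
    iif = ifaces[in_if]
    if lookup(routes, dst_ip) is None:
        return ("drop", "no route to destination")
    mode = iif.reverse_route
    if mode == "none":
        # Tests 2 and 6: no reverse route check at all; replies go back out the ingress interface.
        return ("forward", "reverse route not checked")
    rev = lookup(routes, src_ip)
    if rev is None:
        if mode == "force":
            # Test 1: "Failed to get route to <src>" -> "No reverse route, drop the packet"
            return ("drop", "No reverse route")
        # prefer + no route: manual says return via the original path (not exercised in the post)
        return ("forward", "no reverse route, reply via ingress interface (per manual, untested)")
    if ifaces[rev.out_if].zone != iif.zone:
        # Tests 5 and 7: a route exists but its egress zone differs -> "Address spoof detected"
        return ("drop", "Address spoof detected")
    # Tests 3 and 4: "Found the reverse route for force or prefer revs-route setting"
    return ("forward", "reverse route found via " + rev.out_if)


def lab_routes(default_gateway: bool) -> list[Route]:
    """Connected routes from the lab, plus the optional default route added in test 3."""
    routes = [Route(IPv4Net("192.168.1.0/24"), "ethernet0/0"),
              Route(IPv4Net("192.168.2.0/24"), "ethernet0/1")]
    if default_gateway:
        routes.append(Route(IPv4Net("0.0.0.0/0"), "ethernet0/1"))  # S>* 0.0.0.0/0 via 192.168.2.8
    return routes


def lab_ifaces(ingress_zone: str, mode: str) -> dict[str, Interface]:
    """ethernet0/0 is the ingress interface; its zone is what changes between test groups."""
    return {
        "ethernet0/0": Interface("ethernet0/0", ingress_zone, mode),
        "ethernet0/1": Interface("ethernet0/1", "trust", mode),
    }


def replay_tests() -> dict[int, str]:
    """Replay the seven tests from the post (constructed from its descriptions)."""
    cases = {  # test number: (ingress zone, reverse-route mode, default gateway present)
        1: ("trust", "force", False),
        2: ("trust", "none", False),
        3: ("trust", "force", True),
        4: ("trust", "prefer", True),
        5: ("untrust", "force", True),
        6: ("untrust", "none", True),
        7: ("untrust", "prefer", True),
    }
    results = {}
    for n, (zone, mode, dgw) in cases.items():
        action, _ = first_packet_decision(lab_routes(dgw), lab_ifaces(zone, mode),
                                          "ethernet0/0", "192.168.200.2", "192.168.2.8")
        results[n] = action
    return results


if __name__ == "__main__":
    for n, action in replay_tests().items():
        print(f"test {n}: {action}")
```

Reading the model as uRPF: with ingress and egress in the same zone, "force" drops only when no route for the source exists at all (a loose-uRPF style check), while with different zones the route's egress zone must also match the ingress zone, which is closer to a strict check keyed on zone rather than interface.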