測驗山石防火墻介面中逆向路由設定與urpf是否有關-有解無憂

測驗山石防火墻介面中逆向路由設定與urpf是否有關

對于山石防火墻介面上的 "逆向路由"設定一直不理解.
問了幾次,專業回復都說是這是"會話保持"功能. 與"urpf"功能無關.
個人總是感覺有些懷疑.今天我來用虛擬機測驗一下.

防火墻使用的是
SG6000-CloudEdge-5.5R4P21-VM01.qcow2

所有測驗只判斷去向資料包的處理結果.
如果被drop就說明不轉發.
如果建立了session就說它是轉發.
沒有討論反向回來資料的轉發情況.

設備連接結構
(192.168.200.2/24 linux pc 192.168.1.254/24) - (192.168.1.1/24 Hillstone FW 192.168.2.1/24)-虛擬機網卡up但沒連接任何設備.

linux pc 設定路由. 到192.168.2.8經過 192.168.1.1

#ip route show
192.168.2.0/24 via 192.168.1.1 dev tap1a

pc執行的測驗命令為. 發個tcp dstip 192.168.2.8 dport 23 srcip 192.168.200.2
#hping3 --scan 23 -S 192.168.2.8 -a 192.168.200.2

防火墻設定.
interface ethernet0/0 local
zone “trust”
ip address 192.168.1.1 255.255.255.0
manage ssh
manage ping
manage snmp
manage https
exit
interface ethernet0/1
zone “trust”
ip address 192.168.2.1 255.255.255.0
manage ssh
manage ping
manage https
exit

rule id 1
action permit
src-zone “Any”
dst-zone “Any”
src-addr “Any”
dst-addr “Any”
service “Any”
name “any”
exit

C>* 192.168.1.0/24 is directly connected, ethernet0/0
H>* 192.168.1.1/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.2.0/24 is directly connected, ethernet0/1
H>* 192.168.2.1/32 [0/0/1] is local address, ethernet0/1

測驗1
源目標介面在相同安全域下(trust). 介面開啟"逆向路由"設定時debug

結論: 路由表中無源ip的路由資訊. 開啟"逆向路由"設定. 不轉發.

SG-6000(config)# show logging debug
2020-11-03 09:21:50, DEBUG@FLOW: core 1 (sys up 0x2c5073 ms): rx_handle_prepare: 529d.0f82.509d->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 24162, ip size 40, prot: 6(TCP): 1805 -> 23
ad_vector_for_fast_flow: zonename trust, proto_flag[1] 0, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:1805, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 293, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:1805->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
Failed to get route to 192.168.200.2
The reverse route is invalid for force revs-route setting, drop the packet
Dropped: No reverse route, drop the packet
dp_sess_sm_transtion: Do session state machine transtion, id 293, state: 1, event: 4!
deny session:flow0 src 192.168.200.2 --> dst 192.168.2.8 Deny session installed successfully
--------VR:trust-vr end--------
-----------------------First path over (session not created)
Droppped: failed to create session, drop the packet (action=0)

====================
測驗2
源目標介面在相同安全域下(trust). 介面關閉"逆向路由"設定時的debug

結論: 無源ip路由資訊時. 關閉逆向路由. 防火墻對資料包進行轉發.

SG-6000(config)# show logging debug
2020-11-03 09:41:00, DEBUG@FLOW: core 1 (sys up 0x3dd9e2 ms): rx_handle_prepare: 529d.0f82.509d->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 20171, ip size 40, prot: 6(TCP): 1048 -> 23
ad_vector_for_fast_flow: zonename trust, proto_flag[1] 0, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:1048, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 290, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:1048->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
--------VR:trust-vr end--------
Start policy lookup.
Pak src zone trust, dst zone trust, prot 6, dst-port 23.
Policy 1 matches, =PERMIT=
crt_sess->flow0_io_cpuid 0
flow0 src 192.168.200.2 --> dst 192.168.2.8 with nexthop 192.168.2.8 ifindex 31
flow1 src 192.168.2.8 --> dst 192.168.200.2 nexthop not lookup or invalid
flow0’s next hop: 0.0.0.0 flow1’s next hop: 192.168.2.8
crt_sess->revs_rres.gw: 0.0.0.0, crt_sess->forw_rres.gw 192.168.2.8
Calculate flow1 hash, srcip: 192.168.2.8, dstip: 192.168.200.2, lports: 170418, prot: 6, token: 1
in flow_first profile_merge
------sess:290,app :5 init in first proc
Application 5 hasn’t been registered, don’t need do ALG
APP inited for application TELNET
crt_sess policy_flag is 0000, session flag1 is 100000
TELNET: create session: atomic bit 0
session: id 290, prot 6, flag0 0,flag1 100000, created 4053, life 1800
flow0(if id: 30 flow id: 580 flag: 40200810):192.168.200.2:1048
->192.168.2.8:23
flow1(if id: 31 flow id: 581 flag: 0): 192.168.2.8:23
->192.168.200.2:1048
dp_sess_sm_transtion: Do session state machine transtion, id 290, state: 1, event: 3!
The following session is installed
session: id 290, prot 6, flag0 0,flag1 100000, created 4053, life 1800
flow0(if id: 30 flow id: 580 flag: 40200810):192.168.200.2:1048
->192.168.2.8:23
flow1(if id: 31 flow id: 581 flag: 800): 192.168.2.8:23
->192.168.200.2:1048
Session installed successfully

S>* 0.0.0.0/0 [1/0/1] via 192.168.2.8, ethernet0/1

測驗3
源目標介面在相同安全域下(trust).
防火墻增加一條默認網關. 相當于把原ip設定了一條路由資訊. 但與來的方向不符.
開啟逆向路由
這里省略debug資訊輸出.
Connection route.
Found the reverse route for force or prefer revs-route setting

結論是有srcip的路由.就轉發. 這條路由是default gateway設定的.

測驗4
源目標介面在相同安全域下(trust).
沒有做其他更改.
將防火墻介面的逆向路由設定為自動

結論是有srcip的路由.就轉發. 這條路由是default gateway設定的.

================
以下測驗入,出介面不在相同安全域的情況.

測驗5
源目標介面在不同安全域下(untrust -> trust).
默認路由包含src-ip
開啟逆向路由開關

防火墻不轉發資料,看提示還建立了deny session. 看起來和緊的urpf又比較像了.

SG-6000DBG# show logging debug
2020-11-03 10:22:02, DEBUG@FLOW: core 1 (sys up 0x44297 ms): rx_handle_prepare: b2f8.02da.0ca4->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 5649, ip size 40, prot: 6(TCP): 2537 -> 23
ad_vector_for_fast_flow: zonename untrust, proto_flag[1] 7, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:2537, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 15, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:2537->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
Dropped: Address spoof detected!!
Dropped: No reverse route, drop the packet
dp_sess_sm_transtion: Do session state machine transtion, id 15, state: 1, event: 4!
deny session:flow0 src 192.168.200.2 --> dst 192.168.2.8 Deny session installed successfully
--------VR:trust-vr end--------
-----------------------First path over (session not created)
Droppped: failed to create session, drop the packet (action=0)

測驗6

源目標介面在不同安全域下(untrust -> trust).
默認路由包含src-ip
關閉逆向路由開關

防火墻進行轉發了.

SG-6000DBG# show logging debug
2020-11-03 10:31:22, DEBUG@FLOW: core 1 (sys up 0xccc0b ms): rx_handle_prepare: b2f8.02da.0ca4->5254.0001.0a01, size 54, type 0x800, vid 0, port ethernet0/0
dp_prepare_if_for_pak
Switchid is 30(interface ethernet0/0) port ethernet0/0 ,pak iif=ethernet0/0
Not from apm packet, return.
Not ha apm heart beat message.
rx_handle_prepare i_if is ethernet0/0
Start l3 forward
Packet: 192.168.200.2 -> 192.168.2.8, id: 1591, ip size 40, prot: 6(TCP): 2301 -> 23
ad_vector_for_fast_flow: zonename untrust, proto_flag[1] 7, proto 6
dp_prepare_pak_lookup srcip: 192.168.200.2, dstip: 192.168.2.8, src-port:2301, dst-port:23, prot 6
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 8, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:6 port:23
Identified as app TELNET (prot=6). timeout 1800.
--------VR:trust-vr start--------
192.168.200.2:2301->192.168.2.8:23
No BNAT configured for this VR
No DNAT and DNS-rewrite configured for this VR
Get nexthop if_id: 31, flags: 0, nexthop: 192.168.2.8
Connection route.
--------VR:trust-vr end--------
Start policy lookup.
Pak src zone untrust, dst zone trust, prot 6, dst-port 23.
Policy 1 matches, =PERMIT=
crt_sess->flow0_io_cpuid 0
flow0 src 192.168.200.2 --> dst 192.168.2.8 with nexthop 192.168.2.8 ifindex 31
flow1 src 192.168.2.8 --> dst 192.168.200.2 nexthop not lookup or invalid
flow0’s next hop: 0.0.0.0 flow1’s next hop: 192.168.2.8
crt_sess->revs_rres.gw: 0.0.0.0, crt_sess->forw_rres.gw 192.168.2.8
Calculate flow1 hash, srcip: 192.168.2.8, dstip: 192.168.200.2, lports: 1708fd, prot: 6, token: 1
in flow_first profile_merge
------sess:8,app :5 init in first proc
Application 5 hasn’t been registered, don’t need do ALG
APP inited for application TELNET
crt_sess policy_flag is 0000, session flag1 is 100000
TELNET: create session: atomic bit 0
session: id 8, prot 6, flag0 0,flag1 100000, created 838, life 1800
flow0(if id: 30 flow id: 16 flag: 200810):192.168.200.2:2301
->192.168.2.8:23
flow1(if id: 31 flow id: 17 flag: 40000000): 192.168.2.8:23
->192.168.200.2:2301
dp_sess_sm_transtion: Do session state machine transtion, id 8, state: 1, event: 3!
The following session is installed
session: id 8, prot 6, flag0 0,flag1 100000, created 838, life 1800
flow0(if id: 30 flow id: 16 flag: 200810):192.168.200.2:2301
->192.168.2.8:23
flow1(if id: 31 flow id: 17 flag: 40000800): 192.168.2.8:23
->192.168.200.2:2301
Session installed successfully

測驗7
源目標介面在不同安全域下(untrust -> trust).
默認路由包含src-ip
逆向路由開關設定為自動.

防火墻不轉發. 與開啟時相同.

===============
手冊中查到的資訊是這樣的.

配置介面逆向路由功能
逆向路由功能是指用于轉發反向資料的路由，反向是相對于初始化資料流方向，逆向路由功能僅適
用于三層介面，在介面配置模式下,使用以下命令完成逆向路由功能的配置:
reverse-route [ force | prefer ]

force – 強制逆向路由，如果能找到逆向路由則使用逆向路由轉發反向資料;如果找不到
逆向路由則丟棄資料包，默認情況下,三層介面強制逆向路由，

prefer – 優先逆向路由，如果能找到逆向路由則使用逆向路由轉發反向資料;如果找不
到逆向路由則按原路徑回傳(即從當前介面轉發出去)，
在介面配置模式下,使用 no reverse-route 命令取消逆向路由的使用，不使用逆向路由時,所
有反向資料原路回傳,不進行逆向路由檢查，
注意: 如果找到的逆向路由出介面和原入介面不在同一個安全域,設備仍會丟棄數
據包，

===================
測驗到這兒

結論:
如果討論"逆向路由"設定是否與urpf功能有關. 答案是有關系.

源目標介面在相同安全域下(trust).
當路由表中不包括srcip. and 介面開啟了"逆向路由"設定時.
這樣的資料包會被直接drop.
當關閉"逆向路由". or 選擇為自動. or 防火墻的路由資訊包括了srcip 時. 防火墻會建立session.

原目標介面不同相同安域下(untrust -> trust) 或者說src-ip來原與路由指向的安全域不符.時.
(這里沒有測驗不包含路由的情況)
關閉"逆向路由" 資料包會轉發.
將 “逆向路由” 設定為開或自動. 不轉發資料包.

會話保持部分沒有測驗. 其實這部分我也不清楚.

urpf 也應該包括這幾個模式. 嚴格urpf，松散urpf和忽略預設路由的urpf.
如果安全域相同. 山石在"逆向路由" 開關上控制的也許是 “松散urpf”
如果安全域不同. “逆向路由” 控制的是 “緊urpf” 和關閉兩種狀態.

轉載請註明出處，本文鏈接：https://www.uj5u.com/qita/202835.html

標籤：其他

上一篇：Mybatis 配置決議詳解及生存周期、作用域圖 D3

下一篇：中國移動創馬通信能力開放專題賽完美落幕，菊風VoLTE視頻客服專案榮獲二等獎

測驗山石防火墻 介面中 逆向路由 設定與urpf是否有關

測驗山石防火墻介面中逆向路由設定與urpf是否有關