IPFW additions incompatible with Firefox

GhostSBH

The new IPFW settings have many additions for keep-state... however, I found there's a conflict when setting up Firefox and adding extensions - the process fails and keeps restarting the openVPN process (soft reset).
Removing the extra IPFW defaults solves the issue and the Firefox extensions are found and can be installed.
Not being knowledgeable on IPFW processes can anyone determine what's causing the issue please.

The old defaults are lines:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65535 allow ip from any to any

The new default IPFW lines (were you to install from the latest ISO):
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny ip from any to any
65535 allow ip from any to any

vimanuelt

Yes, you are correct. The problem is caused by the new default rules that aggressively use keep-state. When Firefox installs extensions, it opens a large number of simultaneous connections, many of which use QUIC over UDP/443. These create a flood of dynamic states in IPFW. Once the state table fills up, older entries such as your OpenVPN session get evicted. With no matching state, VPN packets are blocked by the later deny rules, and OpenVPN does a soft reset.

The simplest way to fix this is to either increase the size of the dynamic state table, or to pin your VPN traffic with an explicit “allow” rule before the generic keep-state rules. Another option is to disable QUIC so Firefox doesn’t generate so many transient UDP states. Finally, cleaning up duplicate 65500 deny rules and making sure you end with a single, clear default-deny will make troubleshooting easier.

In short, Firefox’s QUIC traffic is exhausting IPFW’s dynamic state table under the new rules, and that’s what is disrupting your VPN. Enlarging the table or isolating VPN traffic with its own rules will stabilize the setup.

To get a permanent fix, submit a bug report: ghostbsd/issuesissues

GhostSBH

Thanks for the prompt response
Rather than increase sizes of variables of keep-states I chose to reduce the up-time of the states instead.
Internet speeds aren't dial-up anymore. The following new values work on my system:
net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=9
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_parent_max=4096
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_buckets=2048

I've raised this solution in a bug report.

vimanuelt

Reducing state lifetimes is a valid strategy to keep the IPFW table small, and shortening SYN, FIN, and RST timers is generally safe since those states are transient. However, setting dyn_udp_lifetime as low as three seconds can be risky because long-lived UDP flows like VPN, DNS, or VoIP may be dropped if idle for more than a few seconds. Similarly, lowering the ACK lifetime to 300 seconds may force idle TCP sessions, such as SSH, to reconnect sooner than expected. A more balanced approach is to keep the short handshakes (SYN/FIN/RST) very low, but give UDP at least 10–30 seconds and ACK lifetimes 10–15 minutes, which still limits table growth without disrupting stable connections. In short, your settings can work if all your traffic patterns tolerate them, but they are aggressive and could cause subtle breakages; slightly higher lifetimes for UDP and ACK states are a safer compromise.

GhostSBH

vimanuelt
Thanks for the update....
I'm testing the current settings and so far haven't had any VPN or other issues timing-out. Please feel free to modify the bug report in light of your experiences.

Note that that the multiple 65500's are actually default settings from the current ISO install - I didn't modify them - so it's how FreeBSD/GhostBSD IPFW is set up.