Date: Wed, 18 Dec 2002 12:35:47 -0500
From: "Robin P. Blanchard" <robin.blanchard@gactr.uga.edu>
To: "'Clifton Royston'" <cliftonr@lava.net>
Cc: <stable@freebsd.org>
Subject: RE: ipfilter / ipnat quandary
Message-ID: <EE3D3FBAFFCAED448C21C398FDAD91AC01077A@EBE1.gc.nat>
In-Reply-To: <20021217090259.C17469@lava.net>
Still trying to figure out what's happening with the ruleset, as I'm not
happy with the nmap'd results... Could someone perhaps shed some light on
what in my "optimised" ruleset is creating this divergence of nmap
results? I'd greatly appreciate it. Thanks very much in advance.
Using a minimal ruleset of:
block in on tx0 all
pass out on tx0 all
pass in on xl0 all
pass out on xl0 all
pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags
An external nmap yields:
...snip...
Interesting ports on host.name (a.b.c.d):
(The 1600 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
No OS matches for host (test conditions non-ideal).
But using my "optimised" ruleset of:
# tx0 == external
# xl0 == internal
# defaults
count in all
count out all
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block return-rst in log quick proto tcp all with short
block return-icmp(0) in log quick proto udp all with short
block return-icmp(0) in log quick proto icmp all with frags
block in on tx0 all
# overrides
pass in quick on tx0 proto udp from 66.188.79.136/32 port = 68 to 255.255.255.255 port = 67
block in quick on tx0 proto udp from 10.138.32.1/32 port = 67 to 255.255.255.255 port = 68
block in quick on tx0 from 192.168.100.1/32 to 224.0.0.1/32
# self-spoof, nonrouteables, multicast, net-zero, broadcast
block in log quick on tx0 from a.b.c.d/32 to any
block in log quick on tx0 from 0.0.0.0/32 to any
block in log quick on tx0 from 10.0.0.0/8 to any
block in log quick on tx0 from 127.0.0.0/8 to any
block in log quick on tx0 from 172.16.0.0/12 to any
block in log quick on tx0 from 192.0.2.0/24 to any
block in log quick on tx0 from 192.168.0.0/16 to any
block in log quick on tx0 from 204.152.64.0/23 to any
block in log quick on tx0 from 224.0.0.0/3 to any
block in log quick on tx0 from 255.255.255.255/32 to any
block in log quick on tx0 from any to 0.0.0.0/32
block in log quick on tx0 from any to 10.0.0.0/8
block in log quick on tx0 from any to 127.0.0.0/8
block in log quick on tx0 from any to 172.16.0.0/12
block in log quick on tx0 from any to 192.0.2.0/24
block in log quick on tx0 from any to 192.168.0.0/16
block in log quick on tx0 from any to 204.152.64.0/23
block in log quick on tx0 from any to 224.0.0.0/3
block in log quick on tx0 from any to 255.255.255.255/32
block out quick on tx0 from 0.0.0.0/32 to any
block out quick on tx0 from 10.0.0.0/8 to any
block out quick on tx0 from 127.0.0.0/8 to any
block out quick on tx0 from 172.16.0.0/12 to any
block out quick on tx0 from 192.0.2.0/24 to any
#block out log quick on tx0 from 192.168.0.0/16 to any
block out quick on tx0 from 204.152.64.0/23 to any
block out quick on tx0 from 224.0.0.0/3 to any
block out quick on tx0 from 255.255.255.255/32 to any
block out quick on tx0 from any to 0.0.0.0/32
block out quick on tx0 from any to 10.0.0.0/8
block out quick on tx0 from any to 127.0.0.0/8
block out quick on tx0 from any to 172.16.0.0/12
block out quick on tx0 from any to 192.0.2.0/24
block out quick on tx0 from any to 192.168.0.0/16
block out quick on tx0 from any to 204.152.64.0/23
block out quick on tx0 from any to 224.0.0.0/3
block out quick on tx0 from any to 255.255.255.255/32
# icmp incoming
pass in quick on tx0 proto icmp all icmp-type 0
#pass in quick on tx0 proto icmp all icmp-type 3
pass in quick on tx0 proto icmp all icmp-type 8
pass in quick on tx0 proto icmp all icmp-type 11
block return-icmp(0) in log quick on tx0 proto icmp all
# tcp / udp incoming: default deny unless matched below
pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags
#pass in quick on tx0 proto tcp from any to any port = 80 flags S keep state keep frags
#pass in quick on tx0 proto tcp from any to any port = 443 flags S keep state keep frags
#pass in quick on tx0 proto tcp from any to any port = 5001 flags S keep state keep frags
pass in quick on tx0 proto udp from 216.140.56.250 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.0.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.16.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.32.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.0.5 port = 53 to any keep state
pass in quick on tx0 proto udp from 66.188.79.136 port = 53 to any keep state
pass in quick on tx0 proto udp from 209.186.12.3 port = 53 to any keep state
pass in quick on tx0 proto udp from 209.186.12.30 port = 53 to any keep state
block return-rst in log quick on tx0 proto tcp from any to any flags FUP
block return-rst in log quick on tx0 proto tcp from any to any flags SF/SFRA
block return-rst in log quick on tx0 proto tcp from any to any flags /SFRA
block return-icmp(0) in log quick on tx0 proto udp all
block return-rst in log quick on tx0 proto tcp all
block in log quick on tx0 all
# outbound on tx0
block out quick on tx0 proto tcp/udp from any to any port = 135
block out quick on tx0 proto tcp/udp from any port = 135 to any
block out quick on tx0 proto tcp/udp from any to any port 136 >< 140
block out quick on tx0 proto tcp/udp from any port 136 >< 140 to any
block out quick on tx0 proto tcp/udp from any to any port = 445
block out quick on tx0 proto tcp/udp from any port = 445 to any
#block out quick on tx0 proto tcp/udp from any to any port = 5000
#block out quick on tx0 proto tcp/udp from any port = 5000 to any
# everything else pass
pass out quick on tx0 proto tcp all flags S keep state keep frags
pass out quick on tx0 proto udp all keep state keep frags
pass out quick on tx0 proto icmp all keep state keep frags
pass out quick on tx0 all
# intranet
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on xl0 all
pass out quick on xl0 all
The same external nmap yields:
Interesting ports on host.name (a.b.c.d):
(The 1584 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
161/tcp filtered snmp
162/tcp filtered snmptrap
199/tcp filtered smux
391/tcp filtered synotics-relay
705/tcp filtered unknown
1234/tcp filtered hotline
1433/tcp filtered ms-sql-s
1900/tcp filtered UPnP
1993/tcp filtered snmp-tcp-port
5050/tcp filtered mmcc
6346/tcp filtered gnutella
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
6699/tcp filtered napster
8888/tcp filtered sun-answerbook
No OS matches for host (If you know what OS is running on it....
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
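The divergence between the two scans comes down to how ipfilter picks a verdict for each probe and whether the winning block rule answers with a RST (which a scanner reports as closed) or drops silently (reported as filtered). The Python below is an added example, not code from the original post: it models that evaluation (last match wins, `quick` stops, `return-rst` versus silent drop) for just the syntax these two rulesets use, ignores addresses, state and fragments, and reports what a SYN to a given port on tx0 would look like to the scanner.

```python
# Added example, not from the original post: a miniature model of how ipfilter evaluates
# one inbound TCP segment, covering only the rule syntax the two rulesets above use.
# Addresses, state and fragments are ignored, so the post's address-specific rules are omitted.
import re

def word_after(rule, key):  # token following `key` ("on tx0" -> "tx0"), None if absent
    m = re.search(rf" {key} (\S+)", rule)
    return m.group(1) if m else None

def parse(rule):
    t = rule.split()
    ret = t[1] if t[1].startswith("return-") else None  # return-rst / return-icmp(0)
    port = re.search(r"to \S+ port = (\d+)", rule)
    return {"action": t[0], "ret": ret, "dir": t[2] if ret else t[1],
            "quick": "quick" in t, "with": "with" in t,  # "with ..." needs options/short/frags
            "iface": word_after(rule, "on"), "proto": word_after(rule, "proto"),
            "port": int(port.group(1)) if port else None, "flags": word_after(rule, "flags")}

def flags_match(spec, pkt_flags):  # ipf "flags X/Y": flags within mask Y must equal X; no mask = all six
    want, _, mask = (spec or "/").partition("/")
    return spec is None or all((f in pkt_flags) == (f in want) for f in (mask or "FSRPAU"))

def matches(r, pkt):  # pkt is a plain segment: no IP options, not short, not fragmented
    return (r["dir"] == pkt["dir"] and not r["with"]
            and r["iface"] in (None, pkt["iface"]) and r["proto"] in (None, pkt["proto"])
            and r["port"] in (None, pkt["dport"]) and flags_match(r["flags"], pkt["flags"]))

def verdict(rules, pkt):
    """ipf semantics: the LAST match wins unless a match says 'quick', which stops at once."""
    winner = None  # no match at all means ipf passes the packet
    for r in map(parse, rules):
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    if winner is None or winner["action"] == "pass":
        return "pass"
    return winner["ret"] or "drop"  # a plain block drops silently

def syn_scan_state(rules, dport, flags="S"):
    """Scanner's view: pass -> open (assumes a listener, as sshd on 22), drop -> filtered, RST -> closed."""
    pkt = {"dir": "in", "iface": "tx0", "proto": "tcp", "dport": dport, "flags": flags}
    return {"pass": "open", "drop": "filtered", "return-rst": "closed"}[verdict(rules, pkt)]

MINIMAL = ["block in on tx0 all", "pass out on tx0 all", "pass in on xl0 all", "pass out on xl0 all",
           "pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags"]
OPTIMISED = [  # the rules from the post that a segment from an arbitrary external address reaches
    "block in log quick all with opt lsrr", "block in on tx0 all",
    "pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags",
    "block return-rst in log quick on tx0 proto tcp from any to any flags /SFRA",
    "block return-rst in log quick on tx0 proto tcp all", "block in log quick on tx0 all"]
```

Running `syn_scan_state(MINIMAL, 80)` versus `syn_scan_state(OPTIMISED, 80)` reproduces the filtered-to-closed flip, and a null probe (`flags=""`) shows the `/SFRA` rule catching it before the port 22 pass rule is reached.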
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EE3D3FBAFFCAED448C21C398FDAD91AC01077A>
