Date:      Tue, 26 Jun 2001 14:17:21 -0400
From:      Steve Shorter <steve@nomad.lets.net>
To:        freebsd-security@freebsd.org
Subject:   IPFilter - this should work but doesnt?
Message-ID:  <20010626141721.B7785@nomad.lets.net>
In-Reply-To: <20010626205606.K20517@lucky.net>; from netch@lucky.net on Tue, Jun 26, 2001 at 08:56:06PM +0300
References:  <847.993575263@axl.seasidesoftware.co.za> <20010626205606.K20517@lucky.net>

Howdy!

	I have some diskless frontend servers behind a Cisco Firewall and
am using ipfilter on the servers to solve some local access/security issues.


	OS - FreeBSD 4.3
	IPFilter - 3.4.16, default pass all,

	Here are two ipf.rules segments from otherwise identical files. When
the first segment is included everything works well, while if the second
is substituted it hangs on loading (though sometimes it does work, but usually
not), probably because NFS is fubar'd.


# ipf -v -Fa -f /etc/ipf.rules 
remove flags IO (12)
removed 0 filter rules
[block in log level local0.warn quick all with ipopts]

[snip]

[block out log level local0.warn quick on fxp1 all head 112]
block out log level local0.warn quick on fxp1(!) from any to any head 112
[block in log level local0.warn quick on fxp2 all head 121]
block in log level local0.warn quick on fxp2(!) from any to any head 121
[block out log level local0.warn quick on fxp2 all]
block out log level local0.warn quick on fxp2(!) from any to any
[pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8 ]
pass in quick on lo0(!) from 127.0.0.0/8 to 127.0.0.0/8
[pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8]
pass out quick on lo0(!) from 127.0.0.0/8 to 127.0.0.0/8
[pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags group 101]

	hangs at this point ...


	Is the fxp1(!) and similar important? What does it mean?

	The second should work (I think) and I prefer it structurally.


	Ideas? thanx -steve


# This works well

block in all
block out all

block in log level local0.warn quick all with ipopts
block in log level local0.warn quick all with short

block in log level local0.warn quick proto icmp from any to any
block out log level local0.warn quick proto icmp from any to any

# If I put the next 2 lines in groups 101 and 102 it doesn't work
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags
pass out quick proto udp from 192.168.10.7/32 port < 1024 to 192.168.10.4/32 port = nfsd keep state keep frags

block in log level local0.warn quick on fxp0 all head 101
block out log level local0.warn quick on fxp0 all head 102
block in log level local0.warn quick on fxp1 all head 111
block out log level local0.warn quick on fxp1 all head 112
block in log level local0.warn quick on fxp2 all head 121
block out log level local0.warn quick on fxp2 all

pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8 
pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# group 101 - fxp0 - IN
#
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101

# group 102 - fxp0 - OUT
#
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = domain keep state group 102
pass out quick proto udp from 192.168.10.7/32 port = syslog to 192.168.10.1/32 port = syslog keep state group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = ntp keep state group 102
pass out quick proto tcp from 192.168.10.7/32 to 192.168.10.1/32 port = qmqp keep state group 102


# group 111 - fxp1
#
pass in quick proto udp from 192.168.30.4/32 port = nfsd to 192.168.30.7/32 port < 1024 keep state keep frags group 111

[ etc ... etc .. nothing interesting...    snip]






# This doesn't work
block in all
block out all

block in log level local0.warn quick all with ipopts
block in log level local0.warn quick all with short

block in log level local0.warn quick proto icmp from any to any
block out log level local0.warn quick proto icmp from any to any

block in log level local0.warn quick on fxp0 all head 101
block out log level local0.warn quick on fxp0 all head 102
block in log level local0.warn quick on fxp1 all head 111
block out log level local0.warn quick on fxp1 all head 112
block in log level local0.warn quick on fxp2 all head 121
block out log level local0.warn quick on fxp2 all

pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8 
pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# group 101 - fxp0 - IN
#
# having the next line in this ruleset seems structurally better and
# should work but doesn't; works well if inserted earlier
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags group 101
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101

# group 102 - fxp0 - OUT
#
# having the next line in this ruleset seems structurally better and
# should work but doesn't; works well if inserted earlier
pass out quick proto udp from 192.168.10.7/32 port < 1024 to 192.168.10.4/32 port = nfsd keep state keep frags group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = domain keep state group 102
pass out quick proto udp from 192.168.10.7/32 port = syslog to 192.168.10.1/32 port = syslog keep state group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = ntp keep state group 102
pass out quick proto tcp from 192.168.10.7/32 to 192.168.10.1/32 port = qmqp keep state group 102


# group 111 - fxp1
#
pass in quick proto udp from 192.168.30.4/32 port = nfsd to 192.168.30.7/32 port < 1024 keep state keep frags group 111

# group 112 - fxp1
#
pass out quick proto udp from 192.168.30.7/32 port < 1024 to 192.168.30.4/32 port = nfsd keep state keep frags group 112
pass out quick proto tcp from 192.168.60.7/32 port > 1023 to 192.168.60.0/24 port = http keep state group 112
pass out quick proto udp from 192.168.30.7/32 to 192.168.30.5/32 port = domain keep state group 121

# group 121 - fxp2
[ etc .. etc.. nothing interesting   snip]



	Thanks for insight  - steve
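An added example (mine, not part of Steve's message and not IPFilter code): a small Python replay of ipf's matching semantics as I understand them for 3.4 (the last matching rule wins unless it is `quick`; a matching `head N` rule hands the packet to group N and the head's own verdict applies only when nothing in the group matches), run over the inbound fxp0 rules of the two posted sets. It installs the rules one at a time, the way `ipf -Fa -f` does (flush first, then each line takes effect as it is read), and reports after which rule the NFS reply flow a diskless host depends on is admitted again. The services table, the sample packet and the trimming of the rulesets to their inbound fxp0 lines are my assumptions.

```python
"""Replay the two rulesets from the post under IPFilter's matching rules: the last
matching rule wins unless it is 'quick', and a matching 'head N' rule hands the
packet to group N, the head's own verdict applying only if nothing there matches."""
import ipaddress
import re

SERVICES = {"nfsd": 2049, "snmp": 161, "ssh": 22}   # constructed /etc/services subset
OPS = {"=": int.__eq__, "<": int.__lt__, ">": int.__gt__}


def parse_rule(line):
    """Parse the subset of ipf rule syntax used in the post into a dict."""
    toks = re.sub(r"\blog( level \S+)?", "", line).split()   # drop "log level fac.pri"
    r = dict(action=toks[0], dir=toks[1], quick=False, iface=None, proto=None,
             src="any", sport=None, dst="any", dport=None, head=None, group=None)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r["quick"] = True
        elif t in ("on", "proto", "head", "group", "with"):
            r[{"on": "iface", "with": "with_"}.get(t, t)] = toks[i + 1]
            i += 1
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            r[side] = toks[i + 1]
            i += 1
            if i + 1 < len(toks) and toks[i + 1] == "port":     # "port OP value"
                val = toks[i + 3]
                r[side[0] + "port"] = (toks[i + 2], SERVICES.get(val) or int(val))
                i += 3
        elif t in ("keep", "flags"):    # "keep state", "keep frags", "flags S/SA"
            i += 1
        i += 1                          # a bare "all" is the any-to-any default
    return r


def matches(r, p):
    """Does rule r select packet p (keys: dir, iface, proto, src, sport, dst, dport, with)?"""
    in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    port_ok = lambda spec, n: spec is None or (n is not None and OPS[spec[0]](n, spec[1]))
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and r.get("with_") in (None, *p.get("with", ()))
            and in_net(r["src"], p["src"]) and port_ok(r["sport"], p["sport"])
            and in_net(r["dst"], p["dst"]) and port_ok(r["dport"], p["dport"]))


def evaluate(rules, pkt, default="pass"):
    """Fate of pkt ('pass' or 'block'); the poster's kernel was built default-pass."""
    groups, top = {}, []
    for r in rules:
        (groups.setdefault(r["group"], []) if r["group"] else top).append(r)

    def scan(lst, result):              # -> (result, stopped_by_quick, any_rule_hit)
        hit = False
        for r in lst:
            if not matches(r, pkt):
                continue
            hit = True
            action, quick = r["action"], r["quick"]
            if r["head"] in groups:     # descend; the head's own verdict is the fallback
                g_action, g_quick, g_hit = scan(groups[r["head"]], action)
                if g_hit:
                    action, quick = g_action, g_quick
            result = action
            if quick:
                return result, True, True
        return result, False, hit

    return scan(top, default)[0]


def replay_load(text, pkt):
    """Install rules one at a time, as 'ipf -Fa -f file' does; return (number of the
    rule whose installation first lets pkt through, pkt's fate with all rules in)."""
    rules, first_pass = [], None
    for line in text.strip().splitlines():
        rules.append(parse_rule(line))
        if first_pass is None and evaluate(rules, pkt) == "pass":
            first_pass = len(rules)
    return first_pass, evaluate(rules, pkt)


# The inbound fxp0 rules of the two posted sets (icmp/short/lo0 lines omitted).
WORKING = """
block in all
block in log level local0.warn quick all with ipopts
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags
block in log level local0.warn quick on fxp0 all head 101
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101
"""
BROKEN = """
block in all
block in log level local0.warn quick all with ipopts
block in log level local0.warn quick on fxp0 all head 101
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags group 101
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101
"""
# Constructed packet: an NFS reply from the server the diskless host boots from.
NFS_REPLY = dict(dir="in", iface="fxp0", proto="udp", src="192.168.10.4",
                 sport=2049, dst="192.168.10.7", dport=1023)

if __name__ == "__main__":
    print({n: replay_load(t, NFS_REPLY) for n, t in [("works", WORKING), ("hangs", BROKEN)]})
```

Both layouts end up passing the NFS reply; what differs is which rule decides (the plain rule in the first, the group 101 rule reached through the quick `head 101` rule in the second) and how long the flow stays blocked while the file is being loaded. In the second layout the quick `head 101` rule is installed before any rule in group 101 exists, so every inbound packet on fxp0 is dropped until the group's first rule goes in; any NFS round trip ipf itself needs in that interval (paging in the binary, resolving `nfsd` through /etc/services) cannot complete. Whether that is the cause of the hang is not established by the post, but it is the first thing I would check, and what avoids the window regardless of rule order is to build the new set in the inactive list and swap it in atomically: `ipf -I -Fa -f /etc/ipf.rules && ipf -s`. As for the `(!)` after an interface name in the verbose output: ipf's rule printer appends it when the rule's interface pointer is unresolved, which is always the case for a rule echoed from userland before the kernel has seen it, so I read it as cosmetic (my recollection of ipf's printfr code, not something the post states).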
