Date: Mon, 2 May 2005 15:24:46 +0200
From: "Chris Knipe" <savage@savage.za.org>
To: <bob@a1poweruser.com>, <freebsd-questions@lists.freebsd.org>
Subject: Re: ipf out rule
Message-ID: <004701c54f1a$4f9de8e0$0a01a8c0@ops.cenergynetworks.com>
References: <MIEPLLIBMLEEABPDBIEGCEODHDAA.bob@a1poweruser.com>
> First of all what I see in your log is just normal hacker traffic
> probing for access to your box. Your firewall is doing its job
> denying this bogus traffic. I get over 1500 of these daily. I run
> the "abuse reporting system" to report this junk to the owners of
> the ip address range. You can download a copy of the "abuse reporting
> system" scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Hmm ok, thanks. I'll have a look at that. What I am picking up however,
is that they only come after I browsed to a site for example. It may
just be fragments or something. If it's not serious, it's not serious.
I don't see any "affect" as such from using the server, so it must not
be serious.

> now about your rule set.
>
> 1. the lo0 rules are just to allow your PC to talk to itself, so the
> 'keep state' option is wasted overhead. Remove "keep state" from
> those 2 rules.

Thanks.

> 2. this rule "block in log quick all with frag" is dropping all
> frags so the "keep frag" option on all the rules is useless so
> remove it from all rules.

Alrighty.

> 3. Your problem about ftp is not described in enough detail to
> debug. Not working how?
> Can you access public ftp sites from the firewall box and or from
> LAN pc's?
> Are you running an FTP server and remote users can not access your
> ftp server?
> If so is the FTP server on the firewall box or on a LAN pc?
> Add the log option to your ftp rules and read the log to view ftp packet
> traffic to debug
> Are you running NAT for LAN users, if so post NAT rules

There is no "internal" network, or LAN. This is a co-located server in a
data center (thus firewall and all services are on the same machine).

PASV FTP coming in to the server is not working. Logs:

May 2 15:20:45 pyro pure-ftpd[23394]: (?@x.x.x.x) [INFO] New connection from x.x.x.x
May 2 15:20:46 pyro pure-ftpd[23395]: (?@x.x.x.x) [INFO] cknipe is now logged in
May 2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May 2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May 2 15:21:53 pyro pure-ftpd[23395]: (cknipe@x.x.x.x) [INFO] Logout.

> 4. You are allowing out all services originating from behind your
> firewall. This is a very insecure practice. Your LAN PC's or the
> firewall box itself could have a Trojan or spyware and you will
> never know it. Change the rules to only allow out the services you
> expect to be using like shown in the official handbook firewall
> section.

See above :)

--
Chris.

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
> Sent: Monday, May 02, 2005 6:19 AM
> To: freebsd-questions@lists.freebsd.org
> Subject: Re: ipf out rule
>
>
> Ok, that is fair enough.
>
> I did manage to get it up and running without locking myself out though
> *yay*
>
> I am having 2 issues mainly.
>
> FTP doesn't work at all (PASV or not), and I am getting a lot of
> false drops on packets which *should* be allowed...
>
> Quick dump from the log file:
> May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May 2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May 2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
>
> /etc/ipf.rules:
> # lo0 - Loopback
> pass in quick on lo0 all keep state
> pass out quick on lo0 all keep state
>
> # Bad Packet Murder
> block in log quick all with ipopts
> block in log quick all with short
> block in log quick all with frag
> block return-rst in log quick proto tcp all flags FUP
> block return-rst in log quick proto tcp all flags FSRPAU
>
> #################################################################
> # Outside Interfaces
> #################################################################
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
> block out log quick on rl0 all
>
> #################################################################
> # Block and log all remaining traffic coming into the firewall
> # - Block TCP with a RST (to make it appear as if the service
> #   isn't listening)
> # - Block UDP with an ICMP Port Unreachable (to make it appear
> #   as if the service isn't listening)
> # - Block all remaining traffic the good 'ol fashioned way
> #################################################################
> # rl0 - Global Incoming
> block in quick on rl0 from 0.0.0.0/7 to any
> block in quick on rl0 from 2.0.0.0/8 to any
> block in quick on rl0 from 5.0.0.0/8 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 23.0.0.0/8 to any
> block in quick on rl0 from 27.0.0.0/8 to any
> block in quick on rl0 from 31.0.0.0/8 to any
> block in quick on rl0 from 69.0.0.0/8 to any
> block in quick on rl0 from 70.0.0.0/7 to any
> block in quick on rl0 from 72.0.0.0/5 to any
> block in quick on rl0 from 82.0.0.0/7 to any
> block in quick on rl0 from 84.0.0.0/6 to any
> block in quick on rl0 from 88.0.0.0/5 to any
> block in quick on rl0 from 96.0.0.0/3 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 128.0.0.0/16 to any
> block in quick on rl0 from 128.66.0.0/16 to any
> block in quick on rl0 from 169.254.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 191.255.0.0/16 to any
> block in quick on rl0 from 192.0.0.0/19 to any
> block in quick on rl0 from 192.0.48.0/20 to any
> block in quick on rl0 from 192.0.64.0/18 to any
> block in quick on rl0 from 192.0.128.0/17 to any
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 197.0.0.0/8 to any
> block in quick on rl0 from 201.0.0.0/8 to any
> block in quick on rl0 from 204.152.64.0/23 to any
> block in quick on rl0 from 219.0.0.0/8 to any
> block in quick on rl0 from 220.0.0.0/6 to any
> block in quick on rl0 from 224.0.0.0/3 to any
>
> # rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
> pass in quick on rl0 proto icmp all icmp-type 0
> pass in quick on rl0 proto icmp all icmp-type 3
> pass in quick on rl0 proto icmp all icmp-type 11
>
> # rl0 - x.x.x.122 FTP, FTP-DATA
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
> pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
> pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state
>
> # rl0 - x.x.x.122 SSH
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags
>
> # rl0 - x.x.x.122 SMTP
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags
>
> # rl0 - x.x.x.122 DNS
> pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags
>
> # rl0 - x.x.x.122 HTTP, HTTPS
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags
>
> # rl0 - x.x.x.122 POP3
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags
>
> # rl0 - x.x.x.122 NTP
> pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
> pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
> pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags
>
> # rl0 - x.x.x.122 MySQL
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags
>
> # rl0 - x.x.x.123 DNS
> pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags
>
> # rl0 - x.x.x.123 Squid
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags
>
> # rl0 - x.x.x.123 PMX
> pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags
>
> # Le Grande Finale
> block in log quick on rl0 all
>
> As always, looking forward to some help :)
>
> --
> Chris.
>
> "I love deadlines. I especially love the whooshing sound they make as
> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> ----- Original Message -----
> From: <bob@a1poweruser.com>
> To: "Chris Knipe" <savage@savage.za.org>; <freebsd-questions@lists.freebsd.org>
> Sent: Monday, May 02, 2005 1:56 AM
> Subject: RE: ipf out rule
>
>
>> When asking for help with firewall rules you have to post the complete
>> content of the firewall rule set file because some previous rule may be
>> dropping all packets. If this is your complete rule set then you are
>> missing the mandatory lo0 interface rule to pass quick all. rl0 must
>> be the NIC connected to the public internet. x.x.x.120/29 is the ip address
>> range of pc's on the private LAN behind the firewall. This is not much of a
>> firewall with everything being allowed out. You could replace all
>> of these meaningless statements with pass quick all from any to
>> any
>>
>> You really need to read the firewall section of the official handbook.
>> It has working examples of an ipf.rules rule set along with a detailed
>> explanation of how to build firewall rules.
>>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
>> Sent: Sunday, May 01, 2005 6:56 PM
>> To: freebsd-questions@lists.freebsd.org
>> Subject: ipf out rule
>>
>>
>> Hi,
>>
>> Can anyone take a minute to just explain to me why ipf is blocking
>> this...
>>
>> ipf.rules:
>> # rl0 - Outgoing
>> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
>> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
>> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
>> block out log quick on rl0 all
>>
>> ipftest:
>> opening rule file "ipf.new"
>> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
>> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
>> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
>> --------------
>> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
>> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
>> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>>
>> Thanks.
>>
>>
>> --
>> Chris.
>>
>> "I love deadlines. I especially love the whooshing sound they make as
>> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
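The two log excerpts in this thread show two different ways a packet can reach the closing "block in log quick on rl0 all" rule. The pure-ftpd session above is followed by SYNs to port 33273 on the server, while the only FTP-DATA pass rule in the posted set is "port > 49151", so the passive data port the server offered is simply not covered. The Squid drops, by contrast, are "-AF" segments (FIN/ACK): a rule written "flags S keep state" only ever matches the SYN, every later segment is carried by the state entry that SYN created, so a blocked FIN/ACK means the entry has gone, not that port 3128 lacks a rule. Counting the inbound rules in the posted set (ipfilter numbers inbound and outbound rules separately), rule 62 is that closing block rule. The script below is an added example written for this page, not code from the thread, from ipfilter or from pure-ftpd: it parses ipmon(8) lines in the format quoted above, tracks which client hosts hold an open pure-ftpd control session from the pure-ftpd syslog lines, and assigns each drop one of those explanations. The sample log is constructed after the thread's excerpts using its placeholder addresses (the w.w.w.w and q.q.q.q lines are invented to exercise the other branches), and EXPECTED is a hand-copied summary of the posted pass rules.

```python
# Added example: triage ipmon(8) block lines against the pass rules posted in
# the thread.  Not code from the thread, ipfilter or pure-ftpd; sample log and
# the EXPECTED table are constructed from the rule set and log excerpts above.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:20:00 pyro ipmon[8689]: 12:20:00.104411 rl0 @0:62 b w.w.w.w,51234 -> x.x.x.123,3128 PR tcp len 20 48 -S IN
May 2 12:30:00 pyro ipmon[8689]: 12:30:00.771902 rl0 @0:62 b q.q.q.q,3371 -> x.x.x.122,1433 PR tcp len 20 48 -S IN
May 2 15:20:45 pyro pure-ftpd[23394]: (?@x.x.x.x) [INFO] New connection from x.x.x.x
May 2 15:20:46 pyro pure-ftpd[23395]: (?@x.x.x.x) [INFO] cknipe is now logged in
May 2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> x.x.x.122,33273 PR tcp len 20 48 -S IN
May 2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> x.x.x.122,33273 PR tcp len 20 48 -S IN
May 2 15:21:53 pyro pure-ftpd[23395]: (cknipe@x.x.x.x) [INFO] Logout.
"""

# "<time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <len> [-<flags>] IN|OUT"
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<len>\d+)(?P<rest>.*?)\b(?P<dir>IN|OUT)\b"
)
FTPD_RE = re.compile(r"pure-ftpd\[\d+\]: \((?P<user>[^@]*)@(?P<host>[^)]+)\) \[INFO\] (?P<msg>.*)")

# Inbound listeners the posted rl0 pass rules cover (hand-copied from the rule set).
EXPECTED: Dict[Tuple[str, str], Set[int]] = {
    ("x.x.x.122", "tcp"): {21, 22, 25, 53, 80, 110, 443, 3306},
    ("x.x.x.122", "udp"): {53, 123},
    ("x.x.x.123", "tcp"): {3128, 3130, 10024, 18080, 28080},
    ("x.x.x.123", "udp"): {53},
}
PASV_HOST, PASV_MIN = "x.x.x.122", 49152   # posted FTP-DATA rule: 'port > 49151'
FINAL_BLOCK_RULE = 62                       # 'block in log quick on rl0 all' by inbound rule count


@dataclass
class IpmonEntry:
    time: str
    rule: int
    action: str      # 'b' block, 'p' pass
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flags as ipmon prints them ('S', 'AF'); '' when none
    direction: str   # 'IN' or 'OUT'


def parse_ipmon_line(line: str) -> Optional[IpmonEntry]:
    # None for anything that is not an ipmon packet line (e.g. the pure-ftpd lines)
    m = IPMON_RE.search(line)
    if not m:
        return None
    fl = re.search(r"-([A-Z]+)", m.group("rest"))
    return IpmonEntry(m.group("time"), int(m.group("rule")), m.group("action"),
                      m.group("src"), int(m.group("sport")), m.group("dst"),
                      int(m.group("dport")), m.group("proto"),
                      fl.group(1) if fl else "", m.group("dir"))


def classify(e: IpmonEntry, ftp_session_open: bool = False) -> str:
    """Explain why an inbound packet fell through to the closing block rule."""
    if e.action != "b" or e.direction != "IN":
        return "not-a-blocked-inbound-packet"
    if e.rule != FINAL_BLOCK_RULE:
        return "blocked-by-earlier-rule"          # e.g. the logged bad-packet rules
    if e.proto == "tcp" and "S" not in e.flags:
        # 'flags S keep state' matches only the SYN; later segments ride on the
        # state entry it created.  A blocked ACK/FIN means that entry is gone
        # (timed out or closed), not that the port lacks a pass rule.
        return "no-state-entry"
    has_pass_rule = e.dport in EXPECTED.get((e.dst, e.proto), set()) or (
        e.dst == PASV_HOST and e.proto == "tcp" and e.dport >= PASV_MIN)
    if has_pass_rule:
        return "blocked-despite-pass-rule"        # look at source restrictions / order
    if ftp_session_open and e.dst == PASV_HOST and e.proto == "tcp" and e.dport >= 1024:
        return "pasv-port-below-rule-range"       # server offered a port the rule misses
    return "unexpected-port"                      # ordinary background probing


def triage(log_text: str) -> List[Tuple[IpmonEntry, str]]:
    # Walk the log in order, remembering which clients hold an open control session.
    active_ftp: Set[str] = set()
    out: List[Tuple[IpmonEntry, str]] = []
    for line in log_text.splitlines():
        f = FTPD_RE.search(line)
        if f:
            if f.group("msg").startswith("New connection from"):
                active_ftp.add(f.group("host"))
            elif f.group("msg").startswith("Logout"):
                active_ftp.discard(f.group("host"))
            continue
        e = parse_ipmon_line(line)
        if e:
            out.append((e, classify(e, e.src in active_ftp)))
    return out


if __name__ == "__main__":
    for e, verdict in triage(SAMPLE_LOG):
        print(f"{e.time} {e.src},{e.sport} -> {e.dst},{e.dport} {e.proto} "
              f"[{e.flags or '-'}] @0:{e.rule}: {verdict}")
```

Feed it the merged syslog output (ipmon and pure-ftpd lines in time order) and the "pasv-port-below-rule-range" verdicts tell you which data ports the server is actually handing out; the fix is then to make the server's passive port range and the "port > 49151" rule agree, whichever side you choose to move. A SYN to 33273 without an open control session from the same client is indistinguishable from a probe, which is why the verdict depends on the pure-ftpd context and not on the port number alone.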