Date: Fri, 5 Nov 1999 09:43:10 +1100 From: "Wyatt, Anthony" <Anthony.Wyatt@its.csiro.au> To: "'freebsd-security@FreeBSD.ORG'" <freebsd-security@FreeBSD.ORG> Subject: ipfilter too secure... Message-ID: <F232EAD3304FD211BD3C00A0C99AFA9F02B0ECC6@hermes.la.csiro.au>
index | next in thread | raw e-mail
[-- Attachment #1 --]
Hi,
I don't know where to post this, so this is where it's going :-)
I think this is a bug (perhaps a user bug but a bug none the less).
I installed ipfilter on a Solaris box the day before yesterday and
got it up and running. I rebuilt my FreeBSD box yesterday (to 3.3-current
), but I can't get the stateful filtering to work properly. Of most
annoyance, is the timeout of my ssh sessions to the FreeBSD box, even though
I have made a full connection, 120 seconds is my limit. I did a ipfstat -s
and the ttl starts at about 120 and the state never changes from 0/4. I use
the exact same ruleset on the Solaris box and it does change the state from
0/4 to 4/4 and ttl to 5 days...
I'll attach my kernel config, the ipfilter I'm using and my dmesg
output at the bottom incase I've done something weird.
If this isn't the place for this can you point me in the right
direction.
Thanks,
Anthony
<<dmesg.txt>> <<ipf.config.txt>> <<kernel.txt>>
[-- Attachment #2 --]
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
FreeBSD 3.3-STABLE #6: Fri Nov 5 08:00:07 EST 1999
root@hades-mi.cbr.its.csiro.au:/usr/src/sys/compile/LAPTOP
Timecounter "i8254" frequency 1193182 Hz
CPU: Pentium II/Xeon/Celeron (267.27-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x650 Stepping = 0
Features=0x183f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
real memory = 134217728 (131072K bytes)
avail memory = 126406656 (123444K bytes)
Preloaded elf kernel "kernel" at 0xc03f7000.
Preloaded elf module "splash_bmp.ko" at 0xc03f709c.
Preloaded splash_image_data "/boot/splash.bmp" at 0xc03f7140.
Pentium Pro MTRR support enabled
splash_bmp: No appropriate video mode found
module_register_init: module_register(splash_bmp, c0332694, 0) error 19
Probing for devices on PCI bus 0:
chip0: <Intel 82443BX host to PCI bridge (AGP disabled)> rev 0x02 on pci0.0.0
vga0: <NeoMagic NM2160 laptop SVGA controller> rev 0x00 int a irq 11 on pci0.2.0
pcic0: <TI PCI-1131 PCI-CardBus Bridge> rev 0x01 int a irq 11 on pci0.3.0
pcic1: <TI PCI-1131 PCI-CardBus Bridge> rev 0x01 int b irq 11 on pci0.3.1
chip1: <Intel 82371AB PCI to ISA bridge> rev 0x01 on pci0.7.0
ide_pci0: <Intel PIIX4 Bus-master IDE controller> rev 0x01 on pci0.7.1
chip2: <Intel 82371AB Power management controller> rev 0x01 on pci0.7.3
Probing for PnP devices:
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0 irq 12 on isa
psm0: model Generic PS/2 mouse, device ID 0
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <IBM-DTCA-24090>
wd0: 3909MB (8007552 sectors), 7944 cyls, 16 heads, 63 S/T, 512 B/S
wdc1 not found at 0x170
wt0 not found at 0x300
mcd0 not found at 0x300
matcdc0 not found at 0x230
scd0 not found at 0x230
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
lpt0: <generic printer> on ppbus 0
lpt0: Interrupt-driven port
ppi0: <generic parallel i/o> on ppbus 0
plip0: <PLIP network interface> on ppbus 0
xe0: probe
xe0 not found
adv0 not found at 0x330
bt0 not found at 0x134
aha0 not found at 0x134
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
PC-Card VLSI 82C146 (5 mem & 2 I/O windows)
pcic: controller irq 5
Initializing PC-card drivers: sio xe
IP Filter: initialized. Default = pass all, Logging = enabled
changing root device to wd0s2a
Card inserted, slot 1
xe: Probing for unit 0
xe0: attach
xe0: Xircom CEM56, bonding version 0x55, 100Mbps capable, with modem
xe0: DingoID = 0x444b, RevisionID = 0, VendorID = 0
xe0: Ethernet address 00:10:a4:f1:b2:ea
xe0: hard_reset
xe0: setmedia
xe0: disable_intr
xe0: init
xe0: setmedia
xe0: disable_intr
xe0: soft_reset
xe0: silicon revision = 5
xe0: disable_intr
xe0: MII registers: 0:3400 1:7809 4:01e1 5:0000 6:0000
xe0: setmedia
xe0: disable_intr
xe0: init
xe0: enable_intr
xe0: init
xe0: enable_intr
xe0: init
xe0: enable_intr
xe0: media_status
xe0: media_status
[-- Attachment #3 --]
# MYIP is changed dynamically after I get my DHCP address
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#
# Head of trees
#
pass out on xe0 all head 150
pass in on xe0 all head 100
#
# Anti spoofing
#
block in log quick on xe0 from 192.168.0.0/16 to any group 100
block in log quick on xe0 from 172.16.0.0/12 to any group 100
block in log quick on xe0 from 10.0.0.0/8 to any group 100
block in log quick on xe0 from 127.0.0.0/8 to any group 100
block in log quick on xe0 from MYIP/32 to any group 100
#
# Allow only on the box to do anything
#
pass out quick on xe0 proto tcp/udp from MYIP/32 to any keep state group 150
pass out quick on xe0 proto icmp from MYIP/32 to any keep state group 150
#
# Allow anyone ssh, and icmp, and hades to udp to us
#
pass in quick on xe0 proto udp from ANOTHERHOST/32 to MYIP/32 group 100
pass in quick on xe0 proto tcp from any to MYIP/32 port = 22 flags S/SA keep frags group 100
pass in quick on xe0 proto icmp from any to MYIP/32 group 100
#
# Instead of dropping crap directed at us, pretend there is nothing there :-)
#
block return-rst in log quick on xe0 proto tcp from any to MYIP/32 group 100
block return-icmp(port-unr) in log quick on xe0 proto udp from any to MYIP/32 group 100
#
# Block all the rest
#
block in quick on xe0 all group 100
block out log quick on xe0 all group 150
[-- Attachment #4 --]
#
# LAPTOP -- Generic machine with WD/AHx/NCR/BTx family disks
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.freebsd.org/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.ORG/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/LAPTOP,v 1.143.2.19 1999/08/29 16:05:18 peter Exp $
machine "i386"
#cpu "I386_CPU"
#cpu "I486_CPU"
#cpu "I586_CPU"
cpu "I686_CPU"
ident LAPTOP
maxusers 32
#options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options MFS #Memory Filesystem
options MFS_ROOT #MFS usable as root device, "MFS" req'ed
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, "NFS" req'ed
options MSDOSFS #MSDOS Filesystem
options "CD9660" #ISO 9660 Filesystem
options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed
options PROCFS #Process filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
config kernel root on wd0
# To make an SMP kernel, the next two are needed
#options SMP # Symmetric MultiProcessor Kernel
#options APIC_IO # Symmetric (APIC) I/O
# Optionally these may need tweaked, (defaults shown):
#options NCPU=2 # number of CPUs
#options NBUS=4 # number of busses
#options NAPIC=1 # number of IO APICs
#options NINTR=24 # number of INTs
controller isa0
controller pnp0
controller eisa0
controller pci0
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0
disk fd1 at fdc0 drive 1
options "CMD640" # work around CMD640 chip deficiency
controller wdc0 at isa? port "IO_WD1" bio irq 14
disk wd0 at wdc0 drive 0
disk wd1 at wdc0 drive 1
controller wdc1 at isa? port "IO_WD2" bio irq 15
disk wd2 at wdc1 drive 0
disk wd3 at wdc1 drive 1
options ATAPI #Enable ATAPI support for IDE bus
options ATAPI_STATIC #Don't do it as an LKM
device acd0 #IDE CD-ROM
device wfd0 #IDE Floppy (e.g. LS-120)
# A single entry for any of these controllers (ncr, ahb, ahc) is
# sufficient for any number of installed devices.
controller ncr0
controller ahb0
controller ahc0
controller isp0
# This controller offers a number of configuration options, too many to
# document here - see the LINT file in this directory and look up the
# dpt0 entry there for much fuller documentation on this.
controller dpt0
controller adv0 at isa? port ? cam irq ?
controller adw0
controller bt0 at isa? port ? cam irq ?
controller aha0 at isa? port ? cam irq ?
controller scbus0
device da0
device sa0
device pass0
device cd0 #Only need one of these, the code dynamically grows
device wt0 at isa? port 0x300 bio irq 5 drq 1
device mcd0 at isa? port 0x300 bio irq 10
controller matcd0 at isa? port 0x230 bio
device scd0 at isa? port 0x230 bio
# atkbdc0 controlls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
device psm0 at isa? tty irq 12
device vga0 at isa? port ? conflicts
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa? tty
#options XSERVER # support for X server
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std
device npx0 at isa? port IO_NPX irq 13
#
# Laptop support (see LINT for more options)
#
device apm0 at isa? disable flags 0x31 # Advanced Power Management
# PCCARD (PCMCIA) support
controller card0
device pcic0 at card?
device pcic1 at card?
device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3
device sio2 at isa? disable port "IO_COM3" tty irq 5
device sio3 at isa? disable port "IO_COM4" tty irq 9
# Parallel port
device ppc0 at isa? port? flags 0x40 net irq 7
controller ppbus0
device lpt0 at ppbus?
device plip0 at ppbus?
device ppi0 at ppbus?
#controller vpo0 at ppbus?
#
# The following Ethernet NICs are all PCI devices.
#
#device al0 # ADMtek AL981 (``Comet'')
#device ax0 # ASIX AX88140A
#device de0 # DEC/Intel DC21x4x (``Tulip'')
#device fxp0 # Intel EtherExpress PRO/100B (82557, 82558)
#device mx0 # Macronix 98713/98715/98725 (``PMAC'')
#device pn0 # Lite-On 82c168/82c169 (``PNIC'')
#device rl0 # RealTek 8129/8139
#device sf0 # Adaptec AIC-6915 DuraLAN (``Starfire'')
#device tl0 # Texas Instruments ThunderLAN
#device tx0 # SMC 9432TX (83c170 ``EPIC'')
#device vr0 # VIA Rhine, Rhine II
#device vx0 # 3Com 3c590, 3c595 (``Vortex'')
#device wb0 # Winbond W89C840F
#device xl0 # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Order is important here due to intrusive probes, do *not* alphabetize
# this list of network interfaces until the probes have been fixed.
# Right now it appears that the ie0 must be probed before ep0. See
# revision 1.20 of this file.
#device ed0 at isa? port 0x280 net irq 10 iomem 0xd8000
#device ie0 at isa? port 0x300 net irq 10 iomem 0xd0000
#device ep0 at isa? port 0x300 net irq 10
#device ex0 at isa? port? net irq?
#device fe0 at isa? port 0x300 net irq ?
#device le0 at isa? port 0x300 net irq 5 iomem 0xd0000
#device lnc0 at isa? port 0x280 net irq 10 drq 0
device xe0 at isa? port? net irq ?
#device ze0 at isa? port 0x300 net irq 10 iomem 0xd8000
#device zp0 at isa? port 0x300 net irq 10 iomem 0xd8000
#device cs0 at isa? port 0x300 net irq ?
pseudo-device loop
pseudo-device ether
pseudo-device sl 1
pseudo-device ppp 1
pseudo-device tun 1
pseudo-device pty 16
pseudo-device gzip # Exec gzipped a.out's
# KTRACE enables the system-call tracing facility ktrace(2).
# This adds 4 KB bloat to your kernel, and slightly increases
# the costs of each syscall.
options KTRACE #kernel tracing
# This provides support for System V shared memory and message queues.
#
options SYSVSHM
options SYSVMSG
options SYSVSEM
# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
pseudo-device bpfilter 4 #Berkeley packet filter
#options IPFIREWALL #firewall
#options IPFIREWALL_VERBOSE #print information about
# dropped packets
#options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
options IPFILTER
options IPFILTER_LOG
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F232EAD3304FD211BD3C00A0C99AFA9F02B0ECC6>