From owner-freebsd-security Thu Nov 4 14:49:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from hermes.la.csiro.au (hermes.la.csiro.au [152.83.12.2]) by hub.freebsd.org (Postfix) with ESMTP id BD4E8156E2 for ; Thu, 4 Nov 1999 14:48:49 -0800 (PST) (envelope-from Anthony.Wyatt@its.csiro.au) Received: by hermes.la.csiro.au with Internet Mail Service (5.5.2448.0) id ; Fri, 5 Nov 1999 09:43:10 +1100 Message-ID: From: "Wyatt, Anthony" To: "'freebsd-security@FreeBSD.ORG'" Subject: ipfilter too secure... Date: Fri, 5 Nov 1999 09:43:10 +1100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BF2715.F8653BE6" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; charset="iso-8859-1" Hi, I don't know where to post this, so this is where it's going :-) I think this is a bug (perhaps a user bug but a bug none the less). I installed ipfilter on a Solaris box the day before yesterday and got it up and running. I rebuilt my FreeBSD box yesterday (to 3.3-current ), but I can't get the stateful filtering to work properly. Of most annoyance, is the timeout of my ssh sessions to the FreeBSD box, even though I have made a full connection, 120 seconds is my limit. I did a ipfstat -s and the ttl starts at about 120 and the state never changes from 0/4. I use the exact same ruleset on the Solaris box and it does change the state from 0/4 to 4/4 and ttl to 5 days... I'll attach my kernel config, the ipfilter I'm using and my dmesg output at the bottom incase I've done something weird. If this isn't the place for this can you point me in the right direction. Thanks, Anthony <> <> <> ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="dmesg.txt" Content-Disposition: attachment; filename="dmesg.txt" Copyright (c) 1992-1999 FreeBSD Inc. Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. FreeBSD 3.3-STABLE #6: Fri Nov 5 08:00:07 EST 1999 root@hades-mi.cbr.its.csiro.au:/usr/src/sys/compile/LAPTOP Timecounter "i8254" frequency 1193182 Hz CPU: Pentium II/Xeon/Celeron (267.27-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x650 Stepping = 0 Features=0x183f9ff real memory = 134217728 (131072K bytes) avail memory = 126406656 (123444K bytes) Preloaded elf kernel "kernel" at 0xc03f7000. Preloaded elf module "splash_bmp.ko" at 0xc03f709c. Preloaded splash_image_data "/boot/splash.bmp" at 0xc03f7140. Pentium Pro MTRR support enabled splash_bmp: No appropriate video mode found module_register_init: module_register(splash_bmp, c0332694, 0) error 19 Probing for devices on PCI bus 0: chip0: rev 0x02 on pci0.0.0 vga0: rev 0x00 int a irq 11 on pci0.2.0 pcic0: rev 0x01 int a irq 11 on pci0.3.0 pcic1: rev 0x01 int b irq 11 on pci0.3.1 chip1: rev 0x01 on pci0.7.0 ide_pci0: rev 0x01 on pci0.7.1 chip2: rev 0x01 on pci0.7.3 Probing for PnP devices: Probing for devices on the ISA bus: sc0 on isa sc0: VGA color <16 virtual consoles, flags=0x0> atkbdc0 at 0x60-0x6f on motherboard atkbd0 irq 1 on isa psm0 irq 12 on isa psm0: model Generic PS/2 mouse, device ID 0 sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa sio0: type 16550A sio1 at 0x2f8-0x2ff irq 3 on isa sio1: type 16550A fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa fdc0: FIFO enabled, 8 bytes threshold fd0: 1.44MB 3.5in wdc0 at 0x1f0-0x1f7 irq 14 on isa wdc0: unit 0 (wd0): wd0: 3909MB (8007552 sectors), 7944 cyls, 16 heads, 63 S/T, 512 B/S wdc1 not found at 0x170 wt0 not found at 0x300 mcd0 not found at 0x300 matcdc0 not found at 0x230 scd0 not found at 0x230 ppc0 at 0x378 irq 7 flags 0x40 on isa ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/8 bytes threshold lpt0: on ppbus 0 lpt0: Interrupt-driven port ppi0: on ppbus 0 plip0: on ppbus 0 xe0: probe xe0 not found adv0 not found at 0x330 bt0 not found at 0x134 aha0 not found at 0x134 vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa npx0 on motherboard npx0: INT 16 interface PC-Card VLSI 82C146 (5 mem & 2 I/O windows) pcic: controller irq 5 Initializing PC-card drivers: sio xe IP Filter: initialized. Default = pass all, Logging = enabled changing root device to wd0s2a Card inserted, slot 1 xe: Probing for unit 0 xe0: attach xe0: Xircom CEM56, bonding version 0x55, 100Mbps capable, with modem xe0: DingoID = 0x444b, RevisionID = 0, VendorID = 0 xe0: Ethernet address 00:10:a4:f1:b2:ea xe0: hard_reset xe0: setmedia xe0: disable_intr xe0: init xe0: setmedia xe0: disable_intr xe0: soft_reset xe0: silicon revision = 5 xe0: disable_intr xe0: MII registers: 0:3400 1:7809 4:01e1 5:0000 6:0000 xe0: setmedia xe0: disable_intr xe0: init xe0: enable_intr xe0: init xe0: enable_intr xe0: init xe0: enable_intr xe0: media_status xe0: media_status ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="ipf.config.txt" Content-Disposition: attachment; filename="ipf.config.txt" # MYIP is changed dynamically after I get my DHCP address # block in log quick from any to any with ipopts block in log quick proto tcp from any to any with short # # Head of trees # pass out on xe0 all head 150 pass in on xe0 all head 100 # # Anti spoofing # block in log quick on xe0 from 192.168.0.0/16 to any group 100 block in log quick on xe0 from 172.16.0.0/12 to any group 100 block in log quick on xe0 from 10.0.0.0/8 to any group 100 block in log quick on xe0 from 127.0.0.0/8 to any group 100 block in log quick on xe0 from MYIP/32 to any group 100 # # Allow only on the box to do anything # pass out quick on xe0 proto tcp/udp from MYIP/32 to any keep state group 150 pass out quick on xe0 proto icmp from MYIP/32 to any keep state group 150 # # Allow anyone ssh, and icmp, and hades to udp to us # pass in quick on xe0 proto udp from ANOTHERHOST/32 to MYIP/32 group 100 pass in quick on xe0 proto tcp from any to MYIP/32 port = 22 flags S/SA keep frags group 100 pass in quick on xe0 proto icmp from any to MYIP/32 group 100 # # Instead of dropping crap directed at us, pretend there is nothing there :-) # block return-rst in log quick on xe0 proto tcp from any to MYIP/32 group 100 block return-icmp(port-unr) in log quick on xe0 proto udp from any to MYIP/32 group 100 # # Block all the rest # block in quick on xe0 all group 100 block out log quick on xe0 all group 150 ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="kernel.txt" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="kernel.txt" # # LAPTOP -- Generic machine with WD/AHx/NCR/BTx family disks # # For more information on this file, please read the handbook section = on # Kernel Configuration Files: # # http://www.freebsd.org/handbook/kernelconfig-config.html # # The handbook is also available locally in /usr/share/doc/handbook # if you've installed the doc distribution, otherwise always see the # FreeBSD World Wide Web server (http://www.FreeBSD.ORG/) for the # latest information. # # An exhaustive list of options and more detailed explanations of the # device lines is also present in the ./LINT configuration file. If you = are # in doubt as to the purpose or necessity of a line, check first in = LINT. # # $FreeBSD: src/sys/i386/conf/LAPTOP,v 1.143.2.19 1999/08/29 16:05:18 = peter Exp $ machine "i386" #cpu "I386_CPU" #cpu "I486_CPU" #cpu "I586_CPU" cpu "I686_CPU" ident LAPTOP maxusers 32 #options MATH_EMULATE #Support for x87 emulation options INET #InterNETworking options FFS #Berkeley Fast Filesystem options FFS_ROOT #FFS usable as root device [keep this!] options MFS #Memory Filesystem options MFS_ROOT #MFS usable as root device, "MFS" req'ed options NFS #Network Filesystem options NFS_ROOT #NFS usable as root device, "NFS" req'ed options MSDOSFS #MSDOS Filesystem options "CD9660" #ISO 9660 Filesystem options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed options PROCFS #Process filesystem options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!] options SCSI_DELAY=3D15000 #Be pessimistic about Joe SCSI device options UCONSOLE #Allow users to grab the console options FAILSAFE #Be conservative options USERCONFIG #boot -c editor options VISUAL_USERCONFIG #visual boot -c editor config kernel root on wd0 # To make an SMP kernel, the next two are needed #options SMP # Symmetric MultiProcessor Kernel #options APIC_IO # Symmetric (APIC) I/O # Optionally these may need tweaked, (defaults shown): #options NCPU=3D2 # number of CPUs #options NBUS=3D4 # number of busses #options NAPIC=3D1 # number of IO APICs #options NINTR=3D24 # number of INTs controller isa0 controller pnp0 controller eisa0 controller pci0 controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 disk fd0 at fdc0 drive 0 disk fd1 at fdc0 drive 1 options "CMD640" # work around CMD640 chip deficiency controller wdc0 at isa? port "IO_WD1" bio irq 14 disk wd0 at wdc0 drive 0 disk wd1 at wdc0 drive 1 controller wdc1 at isa? port "IO_WD2" bio irq 15 disk wd2 at wdc1 drive 0 disk wd3 at wdc1 drive 1 options ATAPI #Enable ATAPI support for IDE bus options ATAPI_STATIC #Don't do it as an LKM device acd0 #IDE CD-ROM device wfd0 #IDE Floppy (e.g. LS-120) # A single entry for any of these controllers (ncr, ahb, ahc) is # sufficient for any number of installed devices. controller ncr0 controller ahb0 controller ahc0 controller isp0 # This controller offers a number of configuration options, too many to # document here - see the LINT file in this directory and look up the # dpt0 entry there for much fuller documentation on this. controller dpt0 controller adv0 at isa? port ? cam irq ? controller adw0 controller bt0 at isa? port ? cam irq ? controller aha0 at isa? port ? cam irq ? controller scbus0 device da0 device sa0 device pass0 device cd0 #Only need one of these, the code dynamically grows device wt0 at isa? port 0x300 bio irq 5 drq 1 device mcd0 at isa? port 0x300 bio irq 10 controller matcd0 at isa? port 0x230 bio device scd0 at isa? port 0x230 bio # atkbdc0 controlls both the keyboard and the PS/2 mouse controller atkbdc0 at isa? port IO_KBD tty device atkbd0 at isa? tty irq 1 device psm0 at isa? tty irq 12 device vga0 at isa? port ? conflicts # splash screen/screen saver pseudo-device splash # syscons is the default console driver, resembling an SCO console device sc0 at isa? tty # Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver #device vt0 at isa? tty #options XSERVER # support for X server #options FAT_CURSOR # start with block cursor # If you have a ThinkPAD, uncomment this along with the rest of the = PCVT lines #options PCVT_SCANSET=3D2 # IBM keyboards are non-std device npx0 at isa? port IO_NPX irq 13 # # Laptop support (see LINT for more options) # device apm0 at isa? disable flags 0x31 # Advanced Power Management # PCCARD (PCMCIA) support controller card0 device pcic0 at card? device pcic1 at card? device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4 device sio1 at isa? port "IO_COM2" tty irq 3 device sio2 at isa? disable port "IO_COM3" tty irq 5 device sio3 at isa? disable port "IO_COM4" tty irq 9 # Parallel port device ppc0 at isa? port? flags 0x40 net irq 7 controller ppbus0 device lpt0 at ppbus? device plip0 at ppbus? device ppi0 at ppbus? #controller vpo0 at ppbus? # # The following Ethernet NICs are all PCI devices. # #device al0 # ADMtek AL981 (``Comet'') #device ax0 # ASIX AX88140A #device de0 # DEC/Intel DC21x4x (``Tulip'') #device fxp0 # Intel EtherExpress PRO/100B (82557, 82558) #device mx0 # Macronix 98713/98715/98725 (``PMAC'') #device pn0 # Lite-On 82c168/82c169 (``PNIC'') #device rl0 # RealTek 8129/8139 #device sf0 # Adaptec AIC-6915 DuraLAN (``Starfire'') #device tl0 # Texas Instruments ThunderLAN #device tx0 # SMC 9432TX (83c170 ``EPIC'') #device vr0 # VIA Rhine, Rhine II #device vx0 # 3Com 3c590, 3c595 (``Vortex'') #device wb0 # Winbond W89C840F #device xl0 # 3Com 3c90x (``Boomerang'', ``Cyclone'') # Order is important here due to intrusive probes, do *not* alphabetize # this list of network interfaces until the probes have been fixed. # Right now it appears that the ie0 must be probed before ep0. See # revision 1.20 of this file. #device ed0 at isa? port 0x280 net irq 10 iomem 0xd8000 #device ie0 at isa? port 0x300 net irq 10 iomem 0xd0000 #device ep0 at isa? port 0x300 net irq 10 #device ex0 at isa? port? net irq? #device fe0 at isa? port 0x300 net irq ? #device le0 at isa? port 0x300 net irq 5 iomem 0xd0000 #device lnc0 at isa? port 0x280 net irq 10 drq 0 device xe0 at isa? port? net irq ? #device ze0 at isa? port 0x300 net irq 10 iomem 0xd8000 #device zp0 at isa? port 0x300 net irq 10 iomem 0xd8000 #device cs0 at isa? port 0x300 net irq ? pseudo-device loop pseudo-device ether pseudo-device sl 1 pseudo-device ppp 1 pseudo-device tun 1 pseudo-device pty 16 pseudo-device gzip # Exec gzipped a.out's # KTRACE enables the system-call tracing facility ktrace(2). # This adds 4 KB bloat to your kernel, and slightly increases # the costs of each syscall. options KTRACE #kernel tracing # This provides support for System V shared memory and message queues. # options SYSVSHM options SYSVMSG options SYSVSEM # The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be # aware of the legal and administrative consequences of enabling this # option. The number of devices determines the maximum number of # simultaneous BPF clients programs runnable. pseudo-device bpfilter 4 #Berkeley packet filter #options IPFIREWALL #firewall #options IPFIREWALL_VERBOSE #print information about # dropped packets #options "IPFIREWALL_VERBOSE_LIMIT=3D100" #limit verbosity options IPFILTER options IPFILTER_LOG ------_=_NextPart_000_01BF2715.F8653BE6-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message