Date: Fri, 17 May 2002 10:51:31 +0300 From: "Ivailo Tanusheff" <I.Tanusheff@procreditbank.com> To: "FreeBSD Security" <freebsd-security@FreeBSD.ORG> Subject: IPF Log Problem Message-ID: <00a301c1fd77$a886b2e0$cbf810ac@sof.procreditbank.bg> In-Reply-To: <3CE49903.349E247A@dolaninformation.com>
Hi,
I've set up a configuration as follows:
----<Internet>-----<NAT-ing modem>------<Firewall FreeBSD Box>------<Private network>
                   192.168.0.1          xl0 = 192.168.0.2
                                        xl1 = 172.16.0.133
My ipf log confuses me by indicating that some packets are blocked, but it
seems to me that they must be part of established connections whose keep
state entries have timed out. But I'm not sure. Where can I read more
information about the logged TCP flags, and can you help me fix my
configuration?
On the FreeBSD box I'm running IPF, IPNat, Squid.
My configuration is:
Ipf.rules:
# Default to block
#block in all
#Accounting rules
count in on xl0 from any to any
count out on xl0 from 172.16.248.132 to any
count out on xl0 from any to any
#Allow lo
pass in quick on lo0 all
pass out quick on lo0 all
#Block spoofed
#block in log quick on xl0 head 10
block in log quick on xl0 from 172.16.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any
pass in quick on xl0 from any to 192.168.0.255
#Blocked ident
block return-rst in quick on xl0 proto tcp from any to any port = 113
#Allow icmp data
pass in quick on xl0 proto icmp from any to any icmp-type 0
pass in quick on xl0 proto icmp from any to any icmp-type 11
block in log quick on xl0 proto icmp from any to any
pass out quick on xl0 proto icmp from any to any keep state
#Allow xl0 traffic
pass in quick on xl0 proto tcp from any to 192.168.0.2/32 port = 22 flags S keep state keep frags
block in log quick on xl0 all
pass out quick on xl0 proto tcp from any to any keep state keep frags
pass out quick on xl0 proto udp from any to any keep state
block out log quick on xl0 all
Ipnat.rules:
rdr xl1 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128 tcp/udp
map xl0 172.16.0.0/16 -> 192.168.0.2/32 proxy port ftp ftp/tcp
map xl0 192.168.0.2/32 -> 192.168.0.2/32 proxy port ftp ftp/tcp
map xl0 172.16.0.0/16 -> 192.168.0.2/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 0/32
Part of my log:
16/05/2002 18:03:51.444189 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2468 PR tcp len 20 60 -AS IN
16/05/2002 18:03:56.566281 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 44 -AS IN
16/05/2002 18:04:14.414834 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2483 PR tcp len 20 60 -AS IN
16/05/2002 18:04:36.201219 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:36.790868 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.043020 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.428832 3x xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:39.388519 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:41.322101 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:50.282449 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:57.175856 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:05:03.340217 xl0 @0:10 b 208.215.236.71,80 -> 192.168.0.2,2547 PR tcp len 20 40 -A IN
16/05/2002 18:06:42.233714 xl0 @0:10 b 205.188.248.89,80 -> 192.168.0.2,2631 PR tcp len 20 52 -A IN
16/05/2002 18:12:52.891653 xl0 @0:10 b 216.136.226.107,80 -> 192.168.0.2,2914 PR tcp len 20 40 -A IN
su-2.05a# uname -a
FreeBSD gate 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #1: Fri May 10 13:46:09 EEST 2002 root@gate:/usr/obj/usr/src/sys/MYKERNEL i386
Thanks in advance,
Ivailo Tanusheff
System Administrator and Security Advisor
ProCredit Bank
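Added example, not part of the original message or of IPFilter itself: a small Python parser for the ipmon(8) line format quoted above, with a classifier that sorts blocked TCP packets by their logged flags. The line layout (date, time, optional "Nx" repeat prefix, interface, @group:rule, action, src,sport -> dst,dport, PR proto, len hlen tlen, optional -FLAGS, IN/OUT) is taken from the lines in the message; the flag letters S/A/F/R/P/U and the action codes are assumed to follow ipmon's conventions. The sample log is constructed in that format, modelled on the posted lines.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ipmon lines quoted in the message
# (the "3x" prefix is ipmon's "this line repeated N times" marker).
SAMPLE_LOG = """\
16/05/2002 18:03:51.444189 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2468 PR tcp len 20 60 -AS IN
16/05/2002 18:04:36.201219 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.428832 3x xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:05:03.340217 xl0 @0:10 b 208.215.236.71,80 -> 192.168.0.2,2547 PR tcp len 20 40 -A IN
"""

# One ipmon line; the flag set is an assumption based on ipmon's usual letters.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<repeat>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: -(?P<flags>[SAFRPUCE]+))? (?P<dir>IN|OUT)$"
)


def parse_line(line):
    """Parse one ipmon line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["repeat"] = int(rec["repeat"] or 1)
    for key in ("sport", "dport", "hlen", "tlen", "group", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""
    return rec


def classify(rec):
    """Sort a TCP record by what its flags say about the connection's stage."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = set(rec["flags"])
    if flags == {"S"}:
        # Bare SYN: an unsolicited connection attempt, a genuine block.
        return "new-connection"
    if {"S", "A"} <= flags:
        # SYN-ACK: the peer's reply to an outbound SYN, but no state entry matched it.
        return "reply-without-state"
    if "A" in flags:
        # ACK / FIN-ACK / RST-ACK mid-conversation with no matching state:
        # the pattern an expired (or never created) state entry produces.
        return "midstream-no-state"
    return "other"


def _blocked_records(text):
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["action"] == "b":
            yield rec


def summarize(text):
    """Count blocked packets per category, honouring the 'Nx' repeat prefix."""
    counts = Counter()
    for rec in _blocked_records(text):
        counts[classify(rec)] += rec["repeat"]
    return counts


def blocked_conversations(text):
    """Group blocked packets by 4-tuple so retransmissions of one connection stand out."""
    conv = Counter()
    for rec in _blocked_records(text):
        conv[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += rec["repeat"]
    return conv


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{category:24s} {n}")
    for (src, sport, dst, dport), n in blocked_conversations(SAMPLE_LOG).most_common():
        print(f"{src}:{sport} -> {dst}:{dport}  {n} blocked packets")
```

Reading the categories against the posted rules: every blocked line hits @0:10, the "block in log quick on xl0 all" catch-all, and every one is a reply from port 80 to 192.168.0.2, i.e. to the box's own outbound connections that "pass out ... keep state" should have covered. A "-A" or "-AF" block is a segment of a conversation the state table no longer holds; a "-AS" block means the state entry was already missing when the very first reply came back, which a timeout cannot explain, so those two groups are worth tracking separately when tuning the rules.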
