From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 17:01:21 2005
Message-ID: <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com>
Date: Wed, 26 Oct 2005 13:01:20 -0400
From: John Fitzgerald
To: "ray@redshift.com"
Cc: freebsd-security@freebsd.org
In-Reply-To: <3.0.1.32.20051026094825.00d41100@pop.redshift.com>
References: <3.0.1.32.20051026094825.00d41100@pop.redshift.com>
Subject: Re: ipf stopped working on 5.3

Hi Ray,
Here's a cleaned-up version of ipf.rules:

#--------------------------------------------------------------------------
# block nasty packets
#--------------------------------------------------------------------------
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr

#--------------------------------------------------------------------------
# loopback packets left alone
#--------------------------------------------------------------------------
pass in log quick on lo0 all
pass out log quick on lo0 all

#--------------------------------------------------------------------------
# 100 incoming bge0
# 150 outgoing bge0
#--------------------------------------------------------------------------
block in log on bge0 all head 10
block in log on bge0 all head 100
block out log on bge0 all head 150

#--------------------------------------------------------------------------
# allow all traffic to 80 and 443
#--------------------------------------------------------------------------
pass in log quick proto tcp from any to any port = 80 flags S/SA keep state
pass in log quick proto tcp from any to any port = 443 flags S/SA keep state

#--------------------------------------------------------------------------
# allow only traffic from known hosts to localhost:ssh
#--------------------------------------------------------------------------
pass in log quick proto tcp from MY_FIRST_HOST to any port = 22 flags S/SA keep state
pass in log quick proto tcp from MY_SECOND_HOST to any port = 22 flags S/SA keep state

#--------------------------------------------------------------------------
# allow outgoing keystrokes and syslog to logger
#--------------------------------------------------------------------------
pass out log quick proto udp from any to MY_LOGGER port = 514 group 150

#--------------------------------------------------------------------------
# block all other outgoing traffic
#--------------------------------------------------------------------------
block out log quick from any to any group 100

#--------------------------------------------------------------------------
# block all
#--------------------------------------------------------------------------
block in log quick on bge0 all

The group 10 is for my script to block IPs on the fly. I think someone from
the FreeBSD Diary wrote a script that I use when attacks come in. I suppose I
could use 100 for that, but I just used 10 to separate and I think that's
what the example used. Probably not the best ipf.rules but it (seemed) to work.

JJ

On 10/26/05, ray@redshift.com wrote:
>
> At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
> | I've had ipf working on a few 5.3 servers for quite a while. Not too long ago
> | some developers had to do some coding work and were coming from dynamic
> | IPs. I (reluctantly) opened up SSH to the world. Immediately I started
> | seeing the attacks where bots of some sort would try to break in with a
> | variety of different users.
> |
> | So, I (thought) I closed it up again and told the developers to use a
> | dedicated proxy. They did, but I realized that I hadn't actually closed
> | things off. I was still getting attacked. I had tried, but ipf suddenly
> | wasn't working. Whenever I would change the firewall rules and ipf -D and
> | then ipf -E -f /etc/my.rules it would simply return:
> |
> | 1:ioctl(add/insert rule): No such process
> |
> | I didn't have the time to look into it at the time, but am now trying to
> | figure it out. Ipf is obviously not working and I don't know why. I have
> | tried recompiling the kernel a myriad of different ways. With/without ipfw,
> | with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
> |
> | I have googled this quite a bit and the only thing that I found was possibly
> | a buildworld scenario where something got updated and it doesn't work now. I
> | didn't install src so I'm a bit out of luck on that one.
> |
> | FreeBSD 5.3-RELEASE
> | OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
> |
>
> usually that means you are trying to run it without being root, or you have a
> rule that doesn't belong to a group/head.
>
> I ran into something else once that caused that, but now I can't remember it.
> Feel free to send your ipf.rules if it's not too sensitive.
>
> Ray
>
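As an added example (not code from the thread or from ipf itself), here is a small pre-flight checker for the group/head problem Ray points to: it walks an ipf rule file in load order, reports any `group N` reference that has no earlier `head N`, and, as a heuristic of my own, warns when a rule's in/out direction differs from the head that opened its group. The ruleset it runs over is a constructed copy of JJ's rules above, with his MY_* placeholders kept as-is.

```python
import re

# Constructed sample: the rule set from the thread, quoted-printable
# damage undone, a few redundant lines dropped, placeholder hosts kept.
SAMPLE_RULES = """\
pass in log quick on lo0 all
pass out log quick on lo0 all
block in log on bge0 all head 10
block in log on bge0 all head 100
block out log on bge0 all head 150
pass in log quick proto tcp from any to any port = 80 flags S/SA keep state
pass in log quick proto tcp from MY_FIRST_HOST to any port = 22 flags S/SA keep state
pass out log quick proto udp from any to MY_LOGGER port = 514 group 150
block out log quick from any to any group 100
block in log quick on bge0 all
"""

DIR_RE = re.compile(r'^(?:pass|block|log|count|skip)\b(?:\s+\S+)*?\s+(in|out)\b')
GROUP_RE = re.compile(r'\bgroup\s+(\d+)\b')
HEAD_RE = re.compile(r'\bhead\s+(\d+)\b')


def check_groups(text):
    """Return [(line_no, message), ...] for every suspicious rule.

    ipf adds rules in file order, so 'group N' needs a 'head N' earlier in
    the file; a missing head is the "No such process" (ESRCH) case Ray
    describes.  A direction mismatch is reported only as something to
    review, not as something ipf necessarily rejects (heuristic).
    """
    heads = {}                       # group number -> head's direction
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # strip comments
        if not line:
            continue
        m = DIR_RE.match(line)
        direction = m.group(1) if m else None
        g = GROUP_RE.search(line)
        if g:                        # check membership before recording a
            num = g.group(1)         # head: one rule may do both
            if num not in heads:
                problems.append((no, f"group {num} has no preceding head {num}"))
            elif heads[num] != direction:
                problems.append((no, f"'{direction}' rule in group {num} "
                                     f"whose head is '{heads[num]}'"))
        h = HEAD_RE.search(line)
        if h:
            heads[h.group(1)] = direction
    return problems
```

Run it as `python3 checker.py` after adding a loop that prints `check_groups(open("/etc/ipf.rules").read())`, and review every reported line before the next `ipf -Fa -f`.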