Date: Mon, 16 Dec 2002 13:55:48 -0500
From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
To: stable@freebsd.org
Subject: ipfilter / ipnat quandary
Message-ID: <1040064948.3dfe21b49d39a@www.gactr.uga.edu>
-STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002) gateway/firewall running:

# ipf -V
ipf: IP Filter: v3.4.29 (336)
Kernel: IP Filter: v3.4.29
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

The only external port I've allowed in is SSH, yet nmapping the box yields a slew of purportedly other open ports. Have I broken my ruleset somewhere? Please advise.

# nmap -v -sS -O a.b.c.d

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host name.of.host (a.b.c.d) appears to be up ... good.
Initiating SYN Stealth Scan against name.of.host (a.b.c.d)
Adding open port 22/tcp
The SYN Stealth Scan took 34 seconds to scan 1601 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on name.of.host (a.b.c.d):
(The 1581 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
161/tcp    filtered    snmp
162/tcp    filtered    snmptrap
199/tcp    filtered    smux
391/tcp    filtered    synotics-relay
705/tcp    filtered    unknown
1234/tcp   filtered    hotline
1433/tcp   filtered    ms-sql-s
1900/tcp   filtered    UPnP
1993/tcp   filtered    snmp-tcp-port
5050/tcp   filtered    mmcc
6346/tcp   filtered    gnutella
6666/tcp   filtered    irc-serv
6667/tcp   filtered    irc
6668/tcp   filtered    irc
6699/tcp   filtered    napster
8888/tcp   filtered    sun-answerbook
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=12/16%Time=3DFE1F4A%O=22%C=1)
T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T1(Resp=Y%DF=Y%W=FFFF%ACK=O%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T3(Resp=N)
T4(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=4801%RID=E%RIPCK=F%UCK=E%ULEN=134%DAT=E)

Uptime 2.074 days (since Sat Dec 14 11:59:26 2002)
IPID Sequence Generation: Randomized

Nmap run completed -- 1 IP address (1 host up) scanned in 60 seconds

/etc/ipf.rules:

# tx0 == external
# xl0 == internal

# defaults
count in all
count out all
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frags
block in on tx0 all

# overrides
pass in quick on tx0 proto udp from 172.26.100.6/32 port = 68 to 255.255.255.255 port = 67
pass in quick on tx0 proto udp from 66.188.79.136/32 port = 68 to 255.255.255.255 port = 67
pass out quick on tx0 proto udp from any port = 68 to 172.26.100.6/32 port = 67
pass out quick on tx0 proto udp from any port = 68 to 66.188.79.136/32 port = 67
block in quick on tx0 proto udp from 10.138.32.1/32 port = 67 to 255.255.255.255 port = 68
block in quick on tx0 from 192.168.100.1/32 to 224.0.0.1/32

# self-spoof, nonrouteables, multicast, net-zero, broadcast
block in log quick on tx0 from a.b.c.d/32 to any
block in log quick on tx0 from 0.0.0.0/32 to any
block in log quick on tx0 from 10.0.0.0/8 to any
block in log quick on tx0 from 127.0.0.0/8 to any
block in log quick on tx0 from 172.16.0.0/12 to any
block in log quick on tx0 from 192.0.2.0/24 to any
block in log quick on tx0 from 192.168.0.0/16 to any
block in log quick on tx0 from 204.152.64.0/23 to any
block in log quick on tx0 from 224.0.0.0/3 to any
block in log quick on tx0 from 255.255.255.255/32 to any
block in log quick on tx0 from any to 0.0.0.0/32
block in log quick on tx0 from any to 10.0.0.0/8
block in log quick on tx0 from any to 127.0.0.0/8
block in log quick on tx0 from any to 172.16.0.0/12
block in log quick on tx0 from any to 192.0.2.0/24
block in log quick on tx0 from any to 192.168.0.0/16
block in log quick on tx0 from any to 204.152.64.0/23
block in log quick on tx0 from any to 224.0.0.0/3
block in log quick on tx0 from any to 255.255.255.255/32
block out quick on tx0 from 0.0.0.0/32 to any
block out quick on tx0 from 10.0.0.0/8 to any
block out quick on tx0 from 127.0.0.0/8 to any
block out quick on tx0 from 172.16.0.0/12 to any
block out quick on tx0 from 192.0.2.0/24 to any
# shouldn't int. traffic be NATd by the time it gets to tx0
# testing seems to say no...
#block out log quick on tx0 from 192.168.0.0/16 to any
block out quick on tx0 from 204.152.64.0/23 to any
block out quick on tx0 from 224.0.0.0/3 to any
block out quick on tx0 from 255.255.255.255/32 to any
block out quick on tx0 from any to 0.0.0.0/32
block out quick on tx0 from any to 10.0.0.0/8
block out quick on tx0 from any to 127.0.0.0/8
block out quick on tx0 from any to 172.16.0.0/12
block out quick on tx0 from any to 192.0.2.0/24
block out quick on tx0 from any to 192.168.0.0/16
block out quick on tx0 from any to 204.152.64.0/23
block out quick on tx0 from any to 224.0.0.0/3
block out quick on tx0 from any to 255.255.255.255/32

# icmp incoming
pass in quick on tx0 proto icmp all icmp-type 0
#pass in quick on tx0 proto icmp all icmp-type 3
pass in quick on tx0 proto icmp all icmp-type 8
pass in quick on tx0 proto icmp all icmp-type 11
block return-icmp(3) in log quick on tx0 proto icmp all

# tcp / udp incoming: default deny unless matched below
pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on tx0 proto udp from 205.152.0.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.16.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.32.20 port = 53 to any keep state
pass in quick on tx0 proto udp from 205.152.0.5 port = 53 to any keep state
pass in quick on tx0 proto udp from 66.188.79.136 port = 53 to any keep state
pass in quick on tx0 proto udp from 209.186.12.3 port = 53 to any keep state
pass in quick on tx0 proto udp from 209.186.12.30 port = 53 to any keep state
block in quick on tx0 proto tcp/udp from any to any port = 137
block in quick on tx0 proto tcp/udp from any to any port = 138
block in quick on tx0 proto tcp/udp from any to any port = 139
block in log quick on tx0 proto tcp from any to any flags FUP
block in log quick on tx0 proto tcp from any to any flags SF/SFRA
block in log quick on tx0 proto tcp from any to any flags /SFRA
block return-icmp(3) in log quick on tx0 proto udp all
block return-rst in log quick on tx0 proto tcp all flags S
block in log quick on tx0 all

# outbound on tx0
# block outgoing netbios
block out quick on tx0 proto tcp/udp from any to any port = 137
block out quick on tx0 proto tcp/udp from any to any port = 138
block out quick on tx0 proto tcp/udp from any to any port = 139
block out quick on tx0 proto tcp/udp from any port = 137 to any
block out quick on tx0 proto tcp/udp from any port = 138 to any
block out quick on tx0 proto tcp/udp from any port = 139 to any
# everything else pass
pass out quick on tx0 proto tcp all flags S keep state keep frags
pass out quick on tx0 proto udp all keep state keep frags
pass out quick on tx0 proto icmp all keep state keep frags
pass out quick on tx0 all

# intranet
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on xl0 all
pass out quick on xl0 all

/etc/ipnat.rules:

map tx0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tx0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tx0 192.168.1.0/24 -> 0/32 proxy port 500 ipsec/udp
map tx0 192.168.1.0/24 -> 0/32 proxy port 554 raudio/tcp
map tx0 192.168.1.0/24 -> 0/32 proxy port 1720 h323/tcp
map tx0 192.168.1.0/24 -> 0/32 proxy port 7070 raudio/tcp
map tx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:65000
map tx0 192.168.1.0/24 -> 0/32
rdr xl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
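The port states nmap reports in the message follow from how ipf walks the list, and a small model makes that visible. The script below is an added example written for this archive page; it is not code from the poster or from IP Filter. It encodes the inbound tx0 rules from the posted /etc/ipf.rules that a TCP or UDP probe from a routable source address can match, assumes ipf's documented evaluation order (the last matching rule wins unless a matching rule says quick, which stops the walk), assumes a listener is bound on 22 as sshd is, and leaves out state, fragments, logging and the source-address rules. A "filtered" port in nmap's vocabulary is one that answered nothing at all; "closed" is one that sent back an RST (or, for UDP, an ICMP unreachable). In the posted order, the plain "block in quick ... port = 137/138/139" rules sit before the "block return-rst" rule, so those three are dropped silently, while every other port not on 22 reaches the return-rst rule and answers with an RST.

```python
"""Model of how ipf walks the inbound tx0 rules from the post for a single
TCP or UDP probe.  Constructed for illustration: it is not IP Filter, and it
omits state, fragments, logging and the address-based spoofing rules (which a
probe from a routable source address never matches)."""

from dataclasses import dataclass
from typing import Optional

FLAG_CHARS = "FSRPAU"  # ipf's TCP flag letters: FIN SYN RST PSH ACK URG


@dataclass(frozen=True)
class Rule:
    text: str                     # the rule as written in /etc/ipf.rules
    action: str                   # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None   # "tcp", "udp", "tcp/udp" or None for any
    dport: Optional[int] = None   # "port = N" on the destination, None for any
    flags: Optional[str] = None   # "S", "FUP", "SF/SFRA", "/SFRA" or None
    reply: Optional[str] = None   # None (silent drop), "rst" or "icmp-unreach"


# Inbound rules on tx0 in the order they appear in the posted file, reduced to
# those a probe can match.  The per-source DNS pass rules are left out.
RULES = [
    Rule("block in on tx0 all", "block"),
    Rule("pass in quick on tx0 proto tcp from any to any port = 22 flags S keep state keep frags",
         "pass", quick=True, proto="tcp", dport=22, flags="S"),
    Rule("block in quick on tx0 proto tcp/udp from any to any port = 137",
         "block", quick=True, proto="tcp/udp", dport=137),
    Rule("block in quick on tx0 proto tcp/udp from any to any port = 138",
         "block", quick=True, proto="tcp/udp", dport=138),
    Rule("block in quick on tx0 proto tcp/udp from any to any port = 139",
         "block", quick=True, proto="tcp/udp", dport=139),
    Rule("block in log quick on tx0 proto tcp from any to any flags FUP",
         "block", quick=True, proto="tcp", flags="FUP"),
    Rule("block in log quick on tx0 proto tcp from any to any flags SF/SFRA",
         "block", quick=True, proto="tcp", flags="SF/SFRA"),
    Rule("block in log quick on tx0 proto tcp from any to any flags /SFRA",
         "block", quick=True, proto="tcp", flags="/SFRA"),
    Rule("block return-icmp(3) in log quick on tx0 proto udp all",
         "block", quick=True, proto="udp", reply="icmp-unreach"),
    Rule("block return-rst in log quick on tx0 proto tcp all flags S",
         "block", quick=True, proto="tcp", flags="S", reply="rst"),
    Rule("block in log quick on tx0 all", "block", quick=True),
]


def flags_match(rule_flags: Optional[str], pkt_flags: str) -> bool:
    """ipf 'flags X' or 'flags X/M': every bit in X set, every other bit of
    the mask M clear.  The mask defaults to all six flags."""
    if rule_flags is None:
        return True
    want, _, mask = rule_flags.partition("/")
    mask = mask or FLAG_CHARS
    return all((c in pkt_flags) == (c in want) for c in mask)


def matches(rule: Rule, proto: str, dport: int, pkt_flags: str) -> bool:
    if rule.proto is not None and proto not in rule.proto.split("/"):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if proto == "tcp" and not flags_match(rule.flags, pkt_flags):
        return False
    return True


def evaluate(proto: str, dport: int, pkt_flags: str = "S") -> Rule:
    """Walk the list as ipf does: the last matching rule wins, unless a
    matching rule carries 'quick', which ends the walk on the spot."""
    winner = RULES[0]
    for rule in RULES:
        if matches(rule, proto, dport, pkt_flags):
            winner = rule
            if rule.quick:
                break
    return winner


def scanner_view(proto: str, dport: int) -> str:
    """What a SYN (or empty UDP) probe sees, in nmap's port-state vocabulary."""
    rule = evaluate(proto, dport)
    if rule.action == "pass":
        return "open"       # assumes a listener is bound, as sshd is on 22
    if rule.reply in ("rst", "icmp-unreach"):
        return "closed"     # an explicit refusal came back
    return "filtered"       # silently dropped: the scanner hears nothing


if __name__ == "__main__":
    for port in (22, 139, 161, 1433):
        rule = evaluate("tcp", port)
        print(f"{port}/tcp -> {scanner_view('tcp', port):8} via: {rule.text}")
```

Running it gives 22/tcp open, 139/tcp filtered and 161/tcp and 1433/tcp closed, each with the rule that decided it. The first three agree with the scan in the message; the "filtered" state nmap reported for 161, 1433 and the other non-NetBIOS ports cannot be reproduced from the rules as posted, which answer those ports with an RST. That is the check worth making before editing the ruleset: a silently dropped probe that no rule in the file drops is being dropped somewhere the file does not describe.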