Date: Mon, 2 May 2005 09:13:22 -0400
From: <bob@a1poweruser.com>
To: "Chris Knipe" <savage@savage.za.org>, <freebsd-questions@lists.freebsd.org>
Subject: RE: ipf out rule
Message-ID: <MIEPLLIBMLEEABPDBIEGCEODHDAA.bob@a1poweruser.com>
In-Reply-To: <000701c54f00$6a9c9c50$0a01a8c0@ops.cenergynetworks.com>
First of all, what I see in your log is just normal hacker traffic probing for access to your box. Your firewall is doing its job denying this bogus traffic. I get over 1500 of these daily. I run the "abuse reporting system" to report this junk to the owners of the IP address range. You can download a copy of the "abuse reporting system" scripts from http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Now about your rule set.

1. The lo0 rules are just to allow your PC to talk to itself, so the 'keep state' option is wasted overhead. Remove "keep state" from those 2 rules.

2. This rule "block in log quick all with frag" is dropping all frags, so the "keep frags" option on all the rules is useless; remove it from all rules.

3. Your problem about FTP is not described in enough detail to debug. Not working how? Can you access public FTP sites from the firewall box and/or from LAN PCs? Are you running an FTP server and remote users cannot access your FTP server? If so, is the FTP server on the firewall box or on a LAN PC? Add the log option to your FTP rules and read the log to view FTP packet traffic to debug. Are you running NAT for LAN users? If so, post the NAT rules.

4. You are allowing out all services originating from behind your firewall. This is a very insecure practice. Your LAN PCs or the firewall box itself could have a Trojan or spyware and you will never know it. Change the rules to only allow out the services you expect to be using, like shown in the official handbook firewall section.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
Sent: Monday, May 02, 2005 6:19 AM
To: freebsd-questions@lists.freebsd.org
Subject: Re: ipf out rule

Ok, that is fair enough. I did manage to get it up and running without locking myself out though *yay*

I am having 2 issues mainly. FTP doesn't work at all (PASV or not), and I am getting a lot of false drops on packets which *should* be allowed...

Quick dump from the log file:

May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN

/etc/ipf.rules:

# lo0 - Loopback
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#################################################################
# Outside Interfaces
#################################################################

# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

#################################################################
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#################################################################

# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 219.0.0.0/8 to any
block in quick on rl0 from 220.0.0.0/6 to any
block in quick on rl0 from 224.0.0.0/3 to any

# rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
pass in quick on rl0 proto icmp all icmp-type 0
pass in quick on rl0 proto icmp all icmp-type 3
pass in quick on rl0 proto icmp all icmp-type 11

# rl0 - x.x.x.122 FTP, FTP-DATA
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state

# rl0 - x.x.x.122 SSH
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags

# rl0 - x.x.x.122 SMTP
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags

# rl0 - x.x.x.122 DNS
pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags

# rl0 - x.x.x.122 HTTP, HTTPS
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags

# rl0 - x.x.x.122 POP3
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags

# rl0 - x.x.x.122 NTP
pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags

# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags

# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags

# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags

# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags

# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)

--
Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

----- Original Message -----
From: <bob@a1poweruser.com>
To: "Chris Knipe" <savage@savage.za.org>; <freebsd-questions@lists.freebsd.org>
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule

> When asking for help with firewall rules you have to post the complete
> content of the firewall rule set file, because some previous rule may be
> dropping all packets. If this is your complete rule set then you are
> missing the mandatory lo0 interface rule to pass quick all. rl0 must
> be the NIC connected to the public internet. x.x.x.120/29 is the IP
> address range of PCs on the private LAN behind the firewall. This is not
> much of a firewall with everything being allowed out. You could replace
> all of these meaningless statements with pass quick all from any to any
>
> You really need to read the firewall section of the official handbook.
> It has working examples of an ipf.rules rule set along with a detailed
> explanation of how to build firewall rules.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
> Sent: Sunday, May 01, 2005 6:56 PM
> To: freebsd-questions@lists.freebsd.org
> Subject: ipf out rule
>
>
> Hi,
>
> Can anyone take a minute to just explain to me why ipf is blocking
> this...
>
> ipf.rules:
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
> block out log quick on rl0 all
>
> ipftest:
> opening rule file "ipf.new"
> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
> --------------
> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>
> Thanks.
>
>
> --
> Chris.
>
> "I love deadlines. I especially love the whooshing sound they make as
> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
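An added example, not code from the thread or from FreeBSD: a Python parser for the ipmon(8) lines Chris pasted. It splits blocked packets into new connection attempts (a bare SYN) and the tails of connections the state table no longer holds (ACK/FIN with no SYN, which a 'flags S keep state' pass rule cannot match and the final block rule therefore logs; the -AF entries above are of that kind), and tallies blocked SYNs per source so a repeat scanner stands out. The sample log, its RFC 5737 addresses and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the ipmon(8) format quoted in the thread; RFC 5737
# documentation addresses stand in for the anonymised x.x.x.* / y.y.* ones.
SAMPLE_LOG = """\
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b 198.51.100.133,1201 -> 192.0.2.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b 198.51.100.133,1201 -> 192.0.2.123,3128 PR tcp len 20 40 -AF IN
May  2 12:12:10 pyro ipmon[8689]: 12:12:09.100000 rl0 @0:62 b 203.0.113.7,40123 -> 192.0.2.122,135 PR tcp len 20 48 -S IN
May  2 12:12:11 pyro ipmon[8689]: 12:12:10.200000 rl0 @0:62 b 203.0.113.7,40124 -> 192.0.2.122,445 PR tcp len 20 48 -S IN
May  2 12:12:12 pyro ipmon[8689]: 12:12:11.300000 rl0 @0:62 b 203.0.113.7,40125 -> 192.0.2.122,53 PR udp len 20 60 IN
May  2 12:12:13 pyro ipmon[8689]: 12:12:12.400000 rl0 @0:40 p 203.0.113.9,51000 -> 192.0.2.122,22 PR tcp len 20 60 -S IN
"""

# <if> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <len> [-<flags>] <IN|OUT>
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)")

def parse_line(line):
    """Fields of one ipmon record as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """A blocked bare SYN is a new connection attempt (a probe when nothing listens).
    A blocked packet without SYN (ACK/FIN/RST) belongs to a connection the state
    table no longer holds, so a 'flags S keep state' rule cannot match it."""
    if rec["action"] == "p":
        return "passed"
    if rec["proto"] != "tcp":
        return "blocked-non-tcp"
    flags = rec["flags"] or ""          # UDP/ICMP records carry no flags field
    if flags == "S":
        return "new-connection-attempt"
    return "stale-connection-tail" if "S" not in flags else "blocked-other"

def summarize(log_text):
    """Counts per category, plus blocked SYNs per source (the abuse-report tally)."""
    kinds, probes_by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        kinds[kind] += 1
        if kind == "new-connection-attempt":
            probes_by_src[rec["src"]] += 1
    return kinds, probes_by_src
```

Feeding it the real /var/log/ipfilter lines separates the connection-teardown noise from the probes that are worth reporting.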