Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 2 May 2005 09:13:22 -0400
From:      <bob@a1poweruser.com>
To:        "Chris Knipe" <savage@savage.za.org>, <freebsd-questions@lists.freebsd.org>
Subject:   RE: ipf out rule
Message-ID:  <MIEPLLIBMLEEABPDBIEGCEODHDAA.bob@a1poweruser.com>
In-Reply-To: <000701c54f00$6a9c9c50$0a01a8c0@ops.cenergynetworks.com>

next in thread | previous in thread | raw e-mail | index | archive | help
First of all what I see in your log is just normal hacker traffic
probing for access to your box. Your firewall is doing it's job
denying this bogus traffic. I get over 1500 of these daily. I run
the "abuse reporting system"  to report this junk to the owners of
the ip address range. You can download copy of the "abuse reporting
system" scripts from
http://www.unixguide.net/freebsd/fbsd_installguide/index.php


now about your rule set.

1. the Lo0 rules is just to allow your PC to talk to itself, so
'keep state' option is wasted over head.  Remove "keep state" from
those 2 rules.

2. this rule "block in log quick all with frag" is dropping all
frags so the "keep frag" option on all the rules is useless so
remove it from all rules.

3. Your problem about ftp is not described enough in detail to
debug. Not working how?
Can you access public ftp sites from the firewall box and or from
LAN pc's?
Are you running a FTP server and remote users can not access your
ftp server?
If so is FTP server on firewall box or on LAN pc?
Add log option to your ftp rules and read log to view ftp packet
traffic to debug
Are you running NAT for LAN users, if so post NAT rules

4. You are allowing out all services originating from behind your
firewall. This is a very unsecure practice. Your LAN PC's or the
firewall box it self could have a Trojan or spyware and you will
never know it. Change the rules to only allow out the services you
expect to be using like shown in the official handbook firewall
section.








-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
Sent: Monday, May 02, 2005 6:19 AM
To: freebsd-questions@lists.freebsd.org
Subject: Re: ipf out rule


Ok, that is fair enough.

I did manage to get it up and running without locking myself out
though
*yay*

I am having 2 issues mainly.

FTP doesn't work at all (PASV or not), and I am getting allot of
false drops
on packets which *should* be allowed...

Quick dump from the log file:
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b
y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b
y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b
y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b
y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b
y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN

/etc/ipf.rules:
# lo0 - Loopback
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#################################################################
# Outside Interfaces
#################################################################
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S
keep state
keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state
keep
frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state
keep
frags
block out log quick on rl0 all

#################################################################
# Block and log all remaining traffic coming into the firewall
# - Block  TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining  traffic the good 'ol fashioned way
#################################################################
# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 219.0.0.0/8 to any
block in quick on rl0 from 220.0.0.0/6 to any
block in quick on rl0 from 224.0.0.0/3 to any

# rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
pass in quick on rl0 proto icmp all icmp-type 0
pass in quick on rl0 proto icmp all icmp-type 3
pass in quick on rl0 proto icmp all icmp-type 11

# rl0 - x.x.x.122 FTP, FTP-DATA
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags
S keep
state
pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151
flags S
keep state
pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any
flags S keep
state

# rl0 - x.x.x.122 SSH
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags
S keep
state keep frags

# rl0 - x.x.x.122 SMTP
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags
S keep
state keep frags

# rl0 - x.x.x.122 DNS
pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep
state
keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags
S keep
state keep frags

# rl0 - x.x.x.122 HTTP, HTTPS
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags
S keep
state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443
flags S keep
state keep frags

# rl0 - x.x.x.122 POP3
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110
flags S keep
state keep frags

# rl0 - x.x.x.122 NTP
pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123
keep
state keep frags
pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123
keep
state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123
keep
state keep frags

# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port =
3306
flags S keep state keep frags

# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port =
53 keep
state keep frags

# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port =
3128
flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port =
3128
flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port =
3128
flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port =
3130
flags S keep state keep frags

# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port =
10024
flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080
flags S
keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080
flags S
keep state keep frags

# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)

--
Chris.

I love deadlines. I especially love the whooshing sound they make as
they
fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

----- Original Message -----
From: <bob@a1poweruser.com>
To: "Chris Knipe" <savage@savage.za.org>;
<freebsd-questions@lists.freebsd.org>
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule


> When asking for help with firewall rules you have to post complete
> content of firewall rule set file because some previous rule may
be
> dropping all packets. If this is your complete rule set them you
are
> missing the mandatory L0 interface rule to pass quick all.  rl0
must
> be Nic connected to public internet. x.x.x.120/29 is ip address
> range of pc's on private LAN behind firewall. This is not much of
> firewall with everything being allowed out.  You could replace all
> of these meaning less statements with   pass quick all from any to
> any
>
> You really need to read firewall section of the official handbook.
> It has working examples of ipf.rules rule set along with detailed
> explanation of how to build firewall rules.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris
Knipe
> Sent: Sunday, May 01, 2005 6:56 PM
> To: freebsd-questions@lists.freebsd.org
> Subject: ipf out rule
>
>
> Hi,
>
> Can anyone take a minute to just explain to me why ipf is blocking
> this...
>
> ipf.rules:
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S
> keep state
> keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep
state
> keep
> frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep
state
> keep
> frags
> block out log quick on rl0 all
>
> ipftest:
> opening rule file "ipf.new"
> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
> --------------
> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>
> Thanks.
>
>
> --
> Chris.
>
> I love deadlines. I especially love the whooshing sound they make
as
> they
> fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGCEODHDAA.bob>