From owner-freebsd-questions@FreeBSD.ORG Wed Apr 26 07:58:39 2006
Date: Wed, 26 Apr 2006 09:58:35 +0200
From: Erik Norgaard
To: Bradford Fisher
Cc: freebsd-questions@freebsd.org
Subject: Re: IP Filter

Bradford Fisher wrote:
> Currently, I have FreeBSD 6.0 p7 running with the GENERIC kernel. In
> rc.conf, I have set the options: ipfilter_enable="YES",
> ipfilter_rules="/etc/ipf.rules", ipmon_enable="YES", ipmon_flags="-Ds" .

Looks ok, but you should be able to check that the rules are actually
loaded.
> I then proceeded to configure /etc/ipf.rules as follows:
>
> # IP Filter Rules File
> # Block Garbage
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
>
> # System Loopback Interface
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # Outbound Traffic
> pass out on vr0 all head 100
> block out from 127.0.0.0/8 to any group 100
> block out from any to 127.0.0.0/8 group 100
> block out from any to my.ip.address/32 group 100
>
> # Inbound Traffic
> block in on vr0 from any to any head 200
> block in from 127.0.0.0/8 to any group 200
> block in from 192.168.254.50/32 to any group 200
> pass in quick proto tcp from any to any port = www keep state group 200
> pass in quick proto tcp from any to any port = pop3 keep state group 200
> pass in quick proto tcp from any to any port = smtp keep state group 200
> pass in quick proto tcp from any to any port = 22 keep state group 200
> (have also added flags S/SA with no luck)
> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200

Is this the _whole_ ruleset?

1st, when debugging: add 'log' to all rules, in particular block rules.

2nd, your rule for ssh should be:

  pass in quick proto tcp from any to any port = ssh flags S/SA \
       keep state group 200

3rd, the rules

  block in from 127.0.0.0/8 to any group 200
  block in from 192.168.254.50/32 to any group 200

have no effect because there is no quick keyword: packets will be
blocked either by the head rule, or the last two in that group, or
passed by one of the pass rules.

4th, if you insert 'quick' in the head rules, packets will be checked
against the rules in that group and any subgroups. Otherwise the packet
may go up the tree and be blocked by other rules.
> As I do not have a webserver installed and configured at the time nor a
> mailer daemon configured, I have not tested the www, pop3, or smtp rules
> yet, but I do use SSH frequently and have found that with the above
> ruleset enabled, I cannot get connected. The weird part is that when I
> open the SSH client, I get a prompt for my username, but after sending
> the username, my connection times out before receiving the second prompt
> for my password (this does not happen when I have IP Filter disabled).
>
> I believe that the line "block in on vr0 from any to any head 200" is
> the culprit responsible for my troubles, but can't figure out why it
> would be a problem since I have specifically stated a pass statement for
> the SSH.

You can also use snort to sniff on the interface while logging in, so
you can see which packets are sent/received.

> I also realize that IP Filter is probably becoming a deprecated
> technology as new solutions are coming into play (I'm mainly using IP
> Filter as a means to get my feet wet as I follow along with Lucas).
> However, if anyone has any suggestions as to what packet filtering
> technology to deploy and configure, I'm more than willing to take a
> look!

Take a look at packet filter, for simple rule sets it is easy to
migrate, you just can't use groups but have to order your rules
carefully, and be sure to specify interface in all rules.

Cheers, Erik

-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92
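The following is an added example, not code from the thread and not IP Filter's own source. It is a small Python model of how ipf walks a ruleset as I read ipf(5): rules are checked in order, the last matching rule wins, `quick` stops evaluation, and a matching `head N` rule sends the packet through group N before evaluation resumes. It implements only the syntax subset the posted inbound rules use, ignores `keep state` and the `return-*` options, and uses a trimmed copy of the posted rules with constructed TEST-NET addresses. Running the ruleset against a SYN from 192.168.254.50 shows Erik's third point: the non-`quick` block rule in group 200 matches but is then overridden by the `pass in quick ... port = 22` rule, and only adding `quick` makes it bite.

```python
"""Toy model of IP Filter (ipf) rule evaluation (added example, not ipf source).
Models: rules checked in order, last match wins, 'quick' stops evaluation, a
matching 'head N' rule enters group N.  Covers only the syntax subset used in
the inbound part of the posted ruleset."""
import ipaddress

SERVICES = {"www": 80, "pop3": 110, "smtp": 25, "ssh": 22}

def parse_rule(line):
    """Parse one ipf rule line into a dict of match criteria and flags."""
    t = line.split()
    r = {"text": line.strip(), "action": t[0], "dir": None, "quick": False,
         "iface": None, "proto": None, "src": None, "dst": None,
         "dport": None, "syn_only": False, "head": None, "group": None}
    i = 1
    while i < len(t):
        w = t[i]
        if w in ("in", "out"):
            r["dir"] = w
        elif w == "quick":
            r["quick"] = True
        elif w in ("on", "proto"):
            i += 1
            r["iface" if w == "on" else "proto"] = t[i]
        elif w in ("from", "to"):
            i += 1
            r["src" if w == "from" else "dst"] = None if t[i] == "any" else t[i]
        elif w == "port":                  # "port = <service|number>"
            i += 2
            r["dport"] = SERVICES.get(t[i]) or int(t[i])
        elif w == "flags":                 # S/SA: SYN set and ACK clear
            i += 1
            r["syn_only"] = t[i] == "S/SA"
        elif w in ("head", "group"):
            i += 1
            r[w] = int(t[i])
        # 'all', 'log', 'keep state' and return-* options add no criteria here
        i += 1
    return r

def _in_net(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def matches(r, p):
    """True when packet dict p satisfies every criterion of rule r."""
    return ((r["dir"] is None or r["dir"] == p["dir"])
            and (r["iface"] is None or r["iface"] == p["iface"])
            and (r["proto"] is None or r["proto"] == p["proto"])
            and _in_net(p["src"], r["src"]) and _in_net(p["dst"], r["dst"])
            and (r["dport"] is None or r["dport"] == p.get("dport"))
            and (not r["syn_only"] or p.get("syn", False)))

def evaluate(rules, pkt):
    """Return (action, trace): the winning action and the rules that matched."""
    main = [r for r in rules if r["group"] is None]
    groups = {}
    for r in rules:
        if r["group"] is not None:
            groups.setdefault(r["group"], []).append(r)
    trace = []

    def scan(rule_list, last):
        for r in rule_list:
            if not matches(r, pkt):
                continue
            last = r                       # last match wins unless 'quick'
            trace.append(r["text"])
            if r["quick"]:
                return last, True
            if r["head"] is not None:      # descend into the group, then resume
                last, stop = scan(groups.get(r["head"], []), last)
                if stop:
                    return last, True
        return last, False

    last, _ = scan(main, None)
    return (last["action"] if last else "pass"), trace   # ipf default is pass

def decide(rules_text, pkt):
    rules = [parse_rule(l) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return evaluate(rules, pkt)[0]

# Constructed: the inbound part of the posted ruleset, trimmed to what matters.
POSTED = """
pass in quick on lo0 all
block in on vr0 from any to any head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.254.50/32 to any group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""
# Erik's third point applied: the per-host block rule only bites once 'quick'.
FIXED = POSTED.replace("block in from 192.168.254.50/32",
                       "block in quick from 192.168.254.50/32")

# Constructed packets; TEST-NET addresses stand in for real hosts.
SSH_SYN = {"dir": "in", "iface": "vr0", "proto": "tcp", "src": "198.51.100.7",
           "dst": "192.0.2.10", "dport": 22, "syn": True}
SSH_SYN_FROM_BLOCKED = dict(SSH_SYN, src="192.168.254.50")
UDP_IN = dict(SSH_SYN, proto="udp", dport=53, syn=False)
```

`decide(POSTED, SSH_SYN_FROM_BLOCKED)` returns "pass" while `decide(FIXED, SSH_SYN_FROM_BLOCKED)` returns "block"; `evaluate(...)[1]` lists the rules that matched along the way, which is the same information the `log` keyword from the first point would give you in ipmon output. A UDP packet that nothing in the group passes falls back to the head rule's `block`, which is why the head rule acts as the group's default.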