Date: Wed, 27 Oct 2004 22:20:24 GMT
From: David Haworth <dave@fyonn.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Message-ID: <200410272220.i9RMKOIL024953@freefall.freebsd.org>
The following reply was made to PR kern/73202; it has been noted by GNATS.

From: David Haworth <dave@fyonn.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Date: Wed, 27 Oct 2004 23:18:14 +0100

> First guess would be that your ipf ruleset was wrong. Can you please
> include it for verification?

You're quite right, I should have pointed out that the firewall ruleset was completely unchanged from the 5.1 config. I don't really want to post my firewall config to a public forum, so I'll enclose a suitably edited version. This config worked fine with 5.1 and caused no problems.

dave

# deny by default
block in log on vr0
pass in quick on lo0
pass out quick on lo0

# get rid of unwanted and unexpected networks
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any

# Rule to block nmap fingerprinting attempts
block in quick on vr0 proto tcp all flags FUP

# block all packets with ip options.
block in log quick all with ipopts

# block all fragmented and short packets
block in quick all with frag
block in quick all with short

# block silently netbios/msds/mssql traffic from the local lan
block in quick on vr0 proto tcp from any to any port = 135
<more like this>

# allow mail/web traffic
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick on vr0 proto tcp from any to $local_ip2 port = http
<more like this>

# allow pings and traceroutes
pass in quick proto icmp from any to $local_ip1 icmp-type 8 # echo request
pass in quick proto udp from any to $local_ip1 port 33434 >< 33690 keep state

# allow anyone to ssh in
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

# stateful allowing of internal traffic and replies
pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
pass out quick on vr0 proto icmp from any to any keep state
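The ruleset above depends on how ipf walks its rules: every rule is checked in order, the last matching rule decides, and a matching rule marked quick stops the walk at once. ipf's implicit verdict when nothing matches is pass, which is why the set opens with a non-quick "block in log on vr0" to supply the default deny. The following Python model of that evaluation is an added example written for this page; it is not code from the PR, from David Haworth, or from IPFilter. It parses a constructed subset of the posted rules (with $local_ip1 standing in as the TEST-NET-2 address 198.51.100.10, an assumption made here), treats an unmasked "flags" list as compared against all six flags (ipf's default mask), treats "port A >< B" as an exclusive range, and ignores state tracking, ICMP types and fragment handling.

```python
"""Model of ipf rule evaluation: rules in order, last match wins unless a
matching rule is 'quick', implicit default is pass. Constructed example."""
import ipaddress

SERVICES = {"smtp": 25, "http": 80, "ssh": 22}      # local table, no /etc/services
MACROS = {"$local_ip1": "198.51.100.10"}            # assumed stand-in for the macro
ALL_FLAGS = set("FSRPAU")                           # ipf default mask when none given


def parse_rule(line):
    """Parse the ipf rule subset used above into a dict (unsupported words skipped)."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "port": None,
            "flags": None, "with": None, "text": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True; i += 1
        elif t in ("log", "all"):
            i += 1
        elif t == "on":
            rule["iface"] = toks[i + 1]; i += 2
        elif t == "proto":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "with":
            rule["with"] = toks[i + 1]; i += 2
        elif t == "from":                               # from SRC to DST
            rule["src"], rule["dst"] = toks[i + 1], toks[i + 3]; i += 4
        elif t == "port":
            if toks[i + 1] == "=":
                p = toks[i + 2]
                rule["port"] = ("eq", SERVICES.get(p) or int(p)); i += 3
            else:                                       # port A >< B, exclusive
                rule["port"] = ("between", int(toks[i + 1]), int(toks[i + 3])); i += 4
        elif t == "flags":                              # flags SET[/MASK]
            spec = toks[i + 1].split("/")
            mask = set(spec[1]) if len(spec) == 2 else ALL_FLAGS
            rule["flags"] = (set(spec[0]), mask); i += 2
        elif t in ("icmp-type", "keep"):
            i += 2                                      # not modelled
        else:
            i += 1
    return rule


def addr_match(spec, addr):
    if spec == "any":
        return True
    net = ipaddress.ip_network(MACROS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"].split("/"):
        return False
    if rule["with"] and rule["with"] not in pkt["with"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["port"]:
        if pkt["proto"] not in ("tcp", "udp"):
            return False
        kind, *bounds = rule["port"]
        if kind == "eq" and pkt["dport"] != bounds[0]:
            return False
        if kind == "between" and not (bounds[0] < pkt["dport"] < bounds[1]):
            return False
    if rule["flags"]:
        want, mask = rule["flags"]
        if pkt["proto"] != "tcp" or (set(pkt["flags"]) & mask) != want:
            return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, text of deciding rule). Last match wins unless quick."""
    verdict, matched = "pass", None                    # ipf's implicit default
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict, matched = rule["action"], rule["text"]
            if rule["quick"]:
                break
    return verdict, matched


# Constructed subset of the posted ruleset, in the original order.
RULESET = [parse_rule(l) for l in """\
block in log on vr0
pass in quick on lo0
pass out quick on lo0
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 proto tcp all flags FUP
block in quick all with short
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick proto udp from any to $local_ip1 port 33434 >< 33690 keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass out quick on vr0 proto tcp/udp from any to any keep state keep frags""".splitlines()]


def pkt(src, dst, proto="tcp", dport=None, flags="S", iface="vr0", direction="in", with_=()):
    """Constructed inbound packet on vr0 by default; 'with_' lists ipf attributes."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "flags": flags,
            "iface": iface, "dir": direction, "with": set(with_)}


if __name__ == "__main__":
    samples = [("ssh SYN from the Internet", pkt("203.0.113.7", "198.51.100.10", dport=22)),
               ("http SYN from an RFC1918 source", pkt("10.1.2.3", "198.51.100.10", dport=80)),
               ("https SYN, no pass rule", pkt("203.0.113.7", "198.51.100.10", dport=443)),
               ("udp inside the >< range", pkt("203.0.113.7", "198.51.100.10", "udp", 33500)),
               ("udp at the range endpoint", pkt("203.0.113.7", "198.51.100.10", "udp", 33434)),
               ("FIN/URG/PSH probe to http", pkt("203.0.113.7", "198.51.100.10", dport=80, flags="FUP"))]
    for label, p in samples:
        print(f"{label:34s} -> {evaluate(RULESET, p)}")
```

Run it with no arguments to see which rule decides each constructed packet. Two results are worth noting against the posted set: a packet to a port no pass rule covers is blocked by the opening non-quick rule, not by ipf itself, and the UDP probe to exactly port 33434 is blocked because ">< " excludes both endpoints, so a traceroute that starts at 33434 loses its first hop.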
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410272220.i9RMKOIL024953>