Thanks Peter.
I've gone ahead and modified
pass in quick on hme0 proto udp from any to a.b.c.d/32 port 33433><33690 keep state
to
pass in quick on hme0 proto udp from any to a.b.c.d/32 port 33433<>33690 keep state
Well, it did something... now I get the same output as if it didn't exist:
traceroute to a.b.c.d (a.b.c.d), 30 hopes max, 40 byte packets
1 * hostname (a.b.c.d) 0.539 ms 0.240 ms
Aug 23 10:40:26 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:26.199628 hme0 @0:10 b a.b.c.e,34422 -> a.b.c.d,33434 PR udp len 20 40 IN
Aug 23 10:40:26 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:26.200420 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 56 icmp unreach/port for a.b.c.e,34422 - a.b.c.d,33434 PR udp len 20 40 OUT
Aug 23 10:40:31 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:31.207952 hme0 @0:10 b a.b.c.e,34422 -> a.b.c.d,33435 PR udp len 20 40 IN
Aug 23 10:40:31 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:31.211676 hme0 @0:10 b a.b.c.e,34422 -> a.b.c.d,33436 PR udp len 20 40 IN
which is what I would get before when I had the IN rule disabled.
Justin
From: Peter Bickel <[EMAIL PROTECTED]>
To: Justin Ewing <[EMAIL PROTECTED]>
CC: [email protected]
Subject: Re: traceroute: Solaris 10/IPF
Date: Tue, 23 Aug 2005 16:57:52 +0200
Justin Ewing wrote:
This is Solaris 10 with the IPFilter that comes with it.
I'm trying to figure out why I can't traceroute to my system. I can ping
out and traceroute out, other systems can ping this system but when they
attempt to traceroute to it, the following is produced:
Aug 23 08:39:36 hostname ipmon[217]: [ID 702911 local0.warning] 08:39:36.655913 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 68 icmp unreach/port for a.b.c.e,34415 - a.b.c.d,33434 PR udp len 20 40 OUT
Aug 23 08:39:41 hostname ipmon[217]: [ID 702911 local0.warning] 08:39:41.659090 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 68 icmp unreach/port for a.b.c.e,34415 - a.b.c.d,33435 PR udp len 20 40 OUT
Aug 23 08:39:46 hostname ipmon[217]: [ID 702911 local0.warning] 08:39:46.668976 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 68 icmp unreach/port for a.b.c.e,34415 - a.b.c.d,33436 PR udp len 20 40 OUT
Aug 23 08:39:52 hostname ipmon[217]: [ID 702911 local0.warning] 08:39:51.679110 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 68 icmp unreach/port for a.b.c.e,34415 - a.b.c.d,33437 PR udp len 20 40 OUT
and the system doing the traceroute produces the output
traceroute to a.b.c.d (a.b.c.d), 30 hopes max, 40 byte packets
* * *
* * *
.... keeps doing the same thing
Here's the ipf.conf file I'm currently using:
# cat ipf.conf
# INBOUND RULES
block in quick on hme0 from 0.0.0.0/8 to any
block in quick on hme0 from 127.0.0.0/8 to any
block in quick on hme0 from 169.254.0.0/16 to any
block in quick on hme0 from 172.16.0.0/12 to any
block in quick on hme0 from 192.0.2.0/24 to any
block in quick on hme0 from 192.168.0.0/16 to any
block in quick on hme0 from 204.152.64.0/23 to any
block in quick on hme0 from 224.0.0.0/3 to any
block in log proto icmp all
block return-icmp-as-dest(port-unr) in log proto udp all
block return-rst in log proto tcp all
# ICMP
pass in quick on hme0 proto icmp from any to a.b.c.d/32 icmp-type 8 keep state
pass in quick on hme0 proto udp from any to a.b.c.d/32 port 33433><33690 keep state
# SSH
pass in quick on hme0 proto tcp from any to a.b.c.d/32 port = 22 flags S keep state keep frags
# SMTP
pass in quick on hme0 proto tcp from any to a.b.c.d/32 port = 25 flags S keep state keep frags
# Kerberos
pass in quick on hme0 proto udp from any to a.b.c.d/32 port = 88 keep state
pass in quick on hme0 proto tcp from any to a.b.c.d/32 port = 88 flags S keep state keep frags
# LDAP
pass in quick on hme0 proto tcp from any to a.b.c.d/32 port = 389 flags S keep state keep frags
# OUTBOUND RULES
block out log all
# ICMP
pass out quick on hme0 proto icmp from a.b.c.d/32 to any icmp-type 8 keep state
pass out quick on hme0 proto udp from a.b.c.d/32 to any port 33433><33690 keep state
# DNS
pass out quick on hme0 proto udp from a.b.c.d/32 to d.n.s.1/32 port = 53 keep state
pass out quick on hme0 proto udp from a.b.c.d/32 to d.n.s.2/32 port = 53 keep state
If I comment out the line:
pass in quick on hme0 proto udp from any to a.b.c.d/32 port 33433><33690 keep state
change the rule to this
pass in quick on hme0 proto udp from any to a.b.c.d/32 port 33433<>33690 keep state
and it should work.
and then have someone attempt to traceroute to this server I get the
following logged:
Aug 23 08:49:36 hostname ipmon[217]: [ID 702911 local0.warning] 08:49:36.683973 hme0 @0:10 b a.b.c.e,34418 -> a.b.c.d,33434 PR udp len 20 40 IN
Aug 23 08:49:36 hostname ipmon[217]: [ID 702911 local0.warning] 08:49:36.684737 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 56 icmp unreach/port for a.b.c.e,34418 - a.b.c.d,33434 PR udp len 20 40 OUT
Aug 23 08:49:42 hostname ipmon[217]: [ID 702911 local0.warning] 08:49:41.689385 hme0 @0:10 b a.b.c.e,34418 -> a.b.c.d,33435 PR udp len 20 40 IN
Aug 23 08:49:42 hostname ipmon[217]: [ID 702911 local0.warning] 08:49:41.700250 hme0 @0:10 b a.b.c.e,34418 -> a.b.c.d,33436 PR udp len 20 40 IN
BUT the traceroute actually kind of works:
traceroute to a.b.c.d (a.b.c.d), 30 hopes max, 40 byte packets
1 * hostname (a.b.c.d) 0.507 ms 0.248 ms
HELP!!!
Thank you in advance!
~Justin
--
Gruss
Pitsch
Ergon Informatik AG, Kleinstrasse 15, CH-8008 Zuerich, Switzerland
[EMAIL PROTECTED], Phone +41 44 268 89 89, Fax +41 44 261 27 50
http://www.ergon.ch Mobile +41 79 666 15 50
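As an added example (not code from the thread or from IPFilter), a small Python parser for the ipmon records above: it pairs each inbound UDP traceroute probe with the outbound ICMP port-unreachable the host tries to send back for it, so you can read off which @group:rule blocked which half of the exchange. The sample lines are constructed from the thread's own log format with its a.b.c.d placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, built from the ipmon record format shown in the thread with
# the same a.b.c.d placeholders; each record is rejoined onto a single line.
SAMPLE_LOG = """\
Aug 23 10:40:26 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:26.199628 hme0 @0:10 b a.b.c.e,34422 -> a.b.c.d,33434 PR udp len 20 40 IN
Aug 23 10:40:26 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:26.200420 hme0 @0:1 b a.b.c.d -> a.b.c.e PR icmp len 20 56 icmp unreach/port for a.b.c.e,34422 - a.b.c.d,33434 PR udp len 20 40 OUT
Aug 23 10:40:31 hostname ipmon[217]: [ID 702911 local0.warning] 10:40:31.207952 hme0 @0:10 b a.b.c.e,34422 -> a.b.c.d,33435 PR udp len 20 40 IN
"""

# An ipmon record: timestamp, interface, @group:rule that matched, action
# (b = blocked, p = passed), src[,port] -> dst[,port], protocol, direction.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) .*?(?P<dir>IN|OUT)$"
)
# The quoted original datagram carried inside an ICMP port-unreachable record.
UNREACH_RE = re.compile(
    r"icmp unreach/port for (?P<osrc>[^,\s]+),(?P<osport>\d+) - "
    r"(?P<odst>[^,\s]+),(?P<odport>\d+)"
)

def parse_ipmon(text):
    """Return one dict per ipmon record; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        inner = UNREACH_RE.search(line)
        if inner:
            rec.update(inner.groupdict())
        records.append(rec)
    return records

def traceroute_probe_report(records, lo=33434, hi=33689):
    """For each UDP probe port inside the rule's 33433..33690 range, record what
    ipf did with the inbound probe and with the outbound ICMP port-unreachable
    the host tried to send back for it, as (action, '@group:rule') tuples."""
    report = defaultdict(dict)
    for r in records:
        if r["proto"] == "udp" and r["dir"] == "IN" and r["dport"] and lo <= int(r["dport"]) <= hi:
            report[int(r["dport"])]["probe"] = (r["action"], f"@{r['group']}:{r['rule']}")
        elif r["proto"] == "icmp" and r.get("odport") and lo <= int(r["odport"]) <= hi:
            report[int(r["odport"])]["unreach"] = (r["action"], f"@{r['group']}:{r['rule']}")
    return dict(report)
```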