Hello, I stumbled upon two strange problems with IPFilter 4.1.9 on Solaris 10 (any platform).
It is a self-built ipfilter compiled with gcc, substituting for Sun's original version.

1. When I do "svcadm disable ipfilter", the filter is not actually disabled. NATs still run, blocked ports are still blocked. Changing the rule file and doing "svcadm disable ipfilter -> svcadm enable ipfilter" reloads the changes.

2. I have a configuration file that opens just a few ports on the public machine (itself). Port 80 is one of them.
All seems to run fine. Then I found 2 customers that cannot reach ONLY PORT 80 on any of these public machines running this build of ipfilter. These 2 customers use the same Internet connection method: a PCMCIA UMTS connect card.
I tried to move Apache to port 82 and open up port 82 on ipfilter (the same way it was open on port 80): it magically works fine.
I moved Apache back to port 80 again and asked the UMTS/connect-card user to do a "telnet www.mymachine.com 80" and try a "GET / HTTP/1.0". Once the user types the "G" the connection is broken.
This does not happen on any other port, and this does not happen at all on any other user connection through other methods (it works fine on UMTS through a Nokia phone used as a USB modem).
And this did not happen with Sun's version.

Here is my ipf.conf (the same one as was in use with Sun's ipfilter version):

pass out quick on lo0 all
#Everything is safe on loopback and local network
pass in quick on lo0 all

pass out quick on bge0 all
pass in quick on bge0 all

#No private or strange packets from the inside to the outside
block out quick on bge1 from any to 192.168.0.0/16
block out quick on bge1 from any to 172.16.0.0/12
block out quick on bge1 from any to 127.0.0.0/8
block out quick on bge1 from any to 10.0.0.0/8
block out quick on bge1 from any to 0.0.0.0/8
block out quick on bge1 from any to 169.254.0.0/16
block out quick on bge1 from any to 192.0.2.0/24
block out quick on bge1 from any to 204.152.64.0/23
block out quick on bge1 from any to 224.0.0.0/3

#Pass anything from the public network to the Internet
#and keep state for reply packets to be accepted
pass out quick on bge1 from <public-ip>/32 to any keep state

#Block anything else going out
block out log quick on bge1 from any to any

#Block any spoofing or strange packet coming from the Internet
block in quick on bge1 from 192.168.0.0/16 to any
block in quick on bge1 from 172.16.0.0/12 to any
block in quick on bge1 from 10.0.0.0/8 to any
block in quick on bge1 from 127.0.0.0/8 to any
block in quick on bge1 from 0.0.0.0/8 to any
block in quick on bge1 from 169.254.0.0/16 to any
block in quick on bge1 from 192.0.2.0/24 to any
block in quick on bge1 from 204.152.64.0/23 to any
block in quick on bge1 from 224.0.0.0/3 to any
block in log quick on bge1 from <private-net>.0/24 to any
block in log quick on bge1 from any to <private-net>.0/32
block in log quick on bge1 from any to <private-net>.255/32

#Permit normal ICMP (ping, traceroute) but not spoofed ICMP
pass in quick on bge1 proto icmp from any to <public-ip>/32 icmp-type 0
pass in quick on bge1 proto icmp from any to <public-ip>/32 icmp-type 11
block in log quick on bge1 proto icmp from any to any

#Permit specific services from the outside to public machines (ssh,smtp,http,https,imaps)
pass in quick on bge1 proto tcp from any to <public-ip>/32 port = 22
pass in quick on bge1 proto tcp from any to <public-ip>/32 port = 25
pass in quick on bge1 proto tcp from any to <public-ip>/32 port = 80
pass in quick on bge1 proto tcp from any to <public-ip>/32 port = 443
pass in quick on bge1 proto tcp from any to <public-ip>/32 port = 993

#Permit outgoing ftp
pass in quick proto tcp from any to <public-ip>/32 port = ftp keep state
pass in quick proto tcp from any to <public-ip>/32 port = ftp-data keep state
pass in quick proto tcp from any port = ftp-data to <public-ip>/32 port > 1023 keep state

#Block anything else from the outside
block in log quick on bge1 from any to any

pass in all

Thanx for any help.
Gabriele

Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
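As an added example (not part of the post above and not IPFilter's own tooling), here is a small Python linter for the rule forms used in the ipf.conf quoted in the post. It parses the rules, then flags rules with no "on <iface>" (such as the ftp rules, which therefore apply to bge0 and lo0 too), inbound TCP passes without "keep state", and rules that a preceding "quick" catch-all shadows (the trailing "pass in all"). The excerpt is constructed from the post's config with the documentation address 198.51.100.10 standing in for <public-ip>.

```python
import re

# Constructed excerpt of the ipf.conf quoted in the post; <public-ip> is replaced
# with the documentation address 198.51.100.10 so that every line parses.
SAMPLE_RULES = """\
pass out quick on bge1 from 198.51.100.10/32 to any keep state
block out log quick on bge1 from any to any
pass in quick on bge1 proto tcp from any to 198.51.100.10/32 port = 80
pass in quick proto tcp from any to 198.51.100.10/32 port = ftp keep state
block in log quick on bge1 from any to any
pass in all
"""

# Minimal grammar covering the rule forms in the post (not the full ipf.conf syntax).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)(?:\s+port\s+\S+\s+\S+)?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<op>\S+)\s+(?P<port>\S+))?)(?:\s+icmp-type\s+\S+)?"
    r"(?P<state>\s+keep\s+state)?\s*$"
)


def parse_rules(text):
    """Return one dict per non-comment line; lines that do not parse carry an 'error' key."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            rules.append({"line": n, "error": line})
            continue
        d = {k: (v.strip() if v else None) for k, v in m.groupdict().items()}
        d["line"] = n
        # A quick rule with no proto that matches "all" or "from any to any" ends evaluation
        # for every later rule on the same interface and direction.
        d["catch_all"] = d["quick"] is not None and d["proto"] is None and (
            d["src"] is None or (d["src"] == "any" and d["dst"] == "any"))
        rules.append(d)
    return rules


def audit(rules):
    """Flag interface-less rules, stateless inbound TCP passes, and shadowed rules."""
    findings, catch_alls = [], {"in": [], "out": []}
    for r in rules:
        if "error" in r:
            findings.append(f"line {r['line']}: could not parse: {r['error']}")
            continue
        n = r["line"]
        for c in catch_alls[r["dir"]]:
            if c["iface"] is None or c["iface"] == r["iface"]:
                findings.append(f"line {n}: unreachable, quick catch-all at line {c['line']} matches first")
            elif r["iface"] is None:
                findings.append(f"line {n}: shadowed on {c['iface']} by line {c['line']}, only matches other interfaces")
        if r["iface"] is None:
            findings.append(f"line {n}: no 'on <iface>', rule applies to every interface")
        if r["action"] == "pass" and r["dir"] == "in" and r["proto"] == "tcp" and r["state"] is None:
            findings.append(f"line {n}: inbound tcp pass without 'keep state', replies depend on the 'pass out' rules")
        if r["catch_all"]:
            catch_alls[r["dir"]].append(r)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding)
```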
