Hi,
I've been using ipfilter for some time now and it has been working for
me quite nicely.
That said, I currently have a problem with ipfilter that I don't know how
to solve (and yes, I checked the FAQ, the manual pages, googled, a.s.o.):
I need to *reject* (not drop) outgoing TCP connections on a Solaris 8 box
and I seem to be unable to figure out how to do this up to the point where I
doubt that it is possible at all.
To reject incoming telnet connections I use a rule like this:
block return-rst in log quick proto tcp from any to any port = 23
pass out quick proto tcp from any port = 23 to any flags R/RSFUP
and it works nicely. To reject outgoing connections I tried:
block return-rst out log quick proto tcp from any to any port = 23
# The use of "return-rst" on "out" rules was a syntax error in
# previous versions of ipf. The current version accepts this without
# complaining.
# The next should not be necessary anyway as the packet never leaves
# the interface. Having or not having this rule does not change the
# behaviour.
#pass in quick proto tcp from any port = 23 to any flags R/RSFUP
This does block outgoing traffic and does log the outgoing SYN packet
but it does not result in a RST packet being returned. Instead the
behaviour seems to indicate that the SYN packet is dropped, resulting
in the usual long TCP connection timeout instead of an immediate
"connection refused".
Is there any way at all to achieve my goal? Where am I going wrong?
Thanks for a reply & regards,
Wolf
--
Machine information follows:
# uname -a
SunOS wsr2d2 5.8 Generic_108528-22 sun4u sparc SUNW,Ultra-5_10
# isainfo -vk
64-bit sparcv9 kernel modules
# ifconfig -a
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 1
inet 160.59.184.154 netmask ffffff00 broadcast 160.59.184.255
ether 8:0:20:f8:ec:43
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 2
inet 127.0.0.1 netmask ff000000
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
160.59.184.0 160.59.184.154 U 1 170 hme0
224.0.0.0 160.59.184.154 U 1 0 hme0
default 160.59.184.1 UG 1 1167
127.0.0.1 127.0.0.1 UH 27 53637 lo0
# netstat -s -P ip
IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives = 26461 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers = 82492 ipOutRequests = 21544
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 20 ipFragFails = 0
ipFragCreates = 60 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 1076
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 104
# ipf -V
ipf: IP Filter: v4.1.13 (592)
Kernel: IP Filter: v4.1.13
Running: yes
Log Flags: 0x40000000 = nomatch
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x187
# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 25 passed 17949 nomatch 28 counted 0 short 0
output packets: blocked 65 passed 14691 nomatch 38 counted 0 short 0
input packets logged: blocked 5 passed 0
output packets logged: blocked 50 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 5
Invalid source(in): 0
Result cache hits(in): 10315 (out): 7835
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 5 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 35641
Packet log flags set: (0x40000000)
packets not matched by filter
# ipfstat -io
pass out quick on lo0 all
pass out quick on hme0 all head 150
block out log quick from 127.0.0.0/8 to any group 150
block out log quick from any to 127.0.0.0/8 group 150
block out log quick from any to 160.59.207.27/32 group 150
pass out quick proto icmp from any to any head 160 group 150
pass out quick proto udp from any to any head 170 group 150
pass out quick proto tcp from any to any head 180 group 150
block return-rst out log quick proto tcp from any to any port = telnet group 180
pass in quick on lo0 all
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
block in log quick proto udp from any to any with short
pass in quick on hme0 all head 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 160.59.207.27/32 to any group 100
pass in quick proto icmp from any to any head 110 group 100
pass in quick proto udp from any to any head 120 group 100
pass in quick proto tcp from any to any head 130 group 100
block return-rst in log quick proto tcp from any to any port = telnet group 130
# ipnat -slv
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 0
wilds 0
table ffffffff7ffff0b8 list 0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
#
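A check that makes the "reject vs. drop" question measurable, added here as an example and not part of Wolf's post or of IP Filter itself. The `ipfstat` counters quoted above already hint at the answer: "TCP RSTs sent: 5" sits next to "input packets logged: blocked 5", while the 50 logged blocked output packets added nothing to the RST counter. The script below turns that reading into a repeatable test: take an `ipfstat` snapshot, make one test connection through the rule, take a second snapshot, and compare the per-direction blocked counter with "TCP RSTs sent". The function names (`ipf_counter`, `rst_check`) are this example's own, and the three snapshot files are constructed offline from the counter lines in the post (the "after" values are invented), so it runs without an ipfilter kernel.

```shell
#!/bin/sh
# Added example (not from the post or from IP Filter): decide from two
# "ipfstat" snapshots whether packets blocked by a "block return-rst" rule
# were answered with a TCP RST (rejected) or simply discarded (dropped).
#
# On a real box the procedure is:
#   ipfstat > /tmp/before; telnet somehost 23; ipfstat > /tmp/after
#   rst_check out /tmp/before /tmp/after
# Run only one test connection between the snapshots so the deltas can
# be attributed to it.

# ipf_counter LABEL FILE: print the integer that follows LABEL in an
# ipfstat snapshot, or 0 if the label does not occur.
ipf_counter() {
    awk -v label="$1" '
        index($0, label) {
            rest = substr($0, index($0, label) + length(label))
            split(rest, f, " ")
            print f[1]
            found = 1
            exit
        }
        END { if (!found) print 0 }' "$2"
}

# rst_check in|out BEFORE AFTER: compare the blocked-packet counter for the
# given direction with "TCP RSTs sent" across the two snapshots.
# Prints "none" if nothing was blocked in between, "rst" if every newly
# blocked packet produced a RST, and "drop" otherwise.
rst_check() {
    case "$1" in
        in)  label="input packets: blocked" ;;
        out) label="output packets: blocked" ;;
        *)   echo "usage: rst_check in|out BEFORE AFTER" >&2; return 2 ;;
    esac
    b0=$(ipf_counter "$label" "$2"); b1=$(ipf_counter "$label" "$3")
    r0=$(ipf_counter "TCP RSTs sent:" "$2"); r1=$(ipf_counter "TCP RSTs sent:" "$3")
    blocked=$((b1 - b0))
    rsts=$((r1 - r0))
    if [ "$blocked" -le 0 ]; then
        echo none
    elif [ "$rsts" -ge "$blocked" ]; then
        echo rst
    else
        echo drop
    fi
}

# Constructed snapshots so the script can run offline.
IPF_BEFORE=${TMPDIR:-/tmp}/ipfstat.before.$$
IPF_AFTER_OUT=${TMPDIR:-/tmp}/ipfstat.after_out.$$
IPF_AFTER_IN=${TMPDIR:-/tmp}/ipfstat.after_in.$$
trap 'rm -f "$IPF_BEFORE" "$IPF_AFTER_OUT" "$IPF_AFTER_IN"' EXIT

# Baseline: the relevant counter lines exactly as quoted in the post.
cat > "$IPF_BEFORE" <<'EOF'
input packets: blocked 25 passed 17949 nomatch 28 counted 0 short 0
output packets: blocked 65 passed 14691 nomatch 38 counted 0 short 0
input packets logged: blocked 5 passed 0
output packets logged: blocked 50 passed 0
ICMP replies: 0 TCP RSTs sent: 5
EOF

# Invented "after" for one outgoing telnet attempt hitting the "out" rule:
# the SYN and its retransmissions were blocked, the RST counter did not move.
cat > "$IPF_AFTER_OUT" <<'EOF'
input packets: blocked 25 passed 17960 nomatch 28 counted 0 short 0
output packets: blocked 70 passed 14700 nomatch 38 counted 0 short 0
input packets logged: blocked 5 passed 0
output packets logged: blocked 55 passed 0
ICMP replies: 0 TCP RSTs sent: 5
EOF

# Invented "after" for one incoming telnet attempt hitting the "in" rule:
# the blocked SYN was answered with a RST, so both counters moved together.
cat > "$IPF_AFTER_IN" <<'EOF'
input packets: blocked 26 passed 17960 nomatch 28 counted 0 short 0
output packets: blocked 65 passed 14700 nomatch 38 counted 0 short 0
input packets logged: blocked 6 passed 0
output packets logged: blocked 50 passed 0
ICMP replies: 0 TCP RSTs sent: 6
EOF

echo "out rule: $(rst_check out "$IPF_BEFORE" "$IPF_AFTER_OUT")"   # drop
echo "in rule:  $(rst_check in  "$IPF_BEFORE" "$IPF_AFTER_IN")"    # rst
```

The verdict is deliberately coarse: it only compares counter deltas, so any unrelated blocked traffic during the test window will skew it, which is why a single connection attempt on an otherwise quiet box is the right input. A "drop" for the outbound rule, with the SYN logged as blocked, is exactly the symptom described in the post.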