Per Phil Dibowitz's suggestion:
Attached is an altered version of my ipf.conf file. It is only altered
to change the real IPs to bogus IPs for protection / paranoia.
Realizing the confusion introduced by bogus IPs, our subnet is 70
(xxx.xxx.70.xx). So, in my previous Email, substitute all references to
subnet 78 with subnet 70 (ipmonlog, etc.)
Phil is right. As shown in the attached file, blocks are done by Rule 18: block in log all
Thanks, in advance, for any help that you may offer.
Charles
-----Original Message-----
From: Phil Dibowitz <[EMAIL PROTECTED]>
To: IP Filter <[email protected]>
Sent: Sun, 17 Jun 2007 6:57 pm
Subject: Re: IPFilter 4.1.13 on Solaris 8 ... What am I missing?
[EMAIL PROTECTED] wrote:
As described below, I am still unable to deploy IPFilter because it
blocks communication among trusted hosts within my domain. Since the
Email below, I've explicitly coded "pass in quick ..." statements for
each IP address in my subnet, yet blocks still occur.
What am I missing?
According to these lines:
Computer 123.456.78.11:
29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:36.713333 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
It's blocked by rule 18, and NOT by OOW. Since you haven't included 18
rules, I suspect you're not giving us your whole ruleset. Without your
whole ruleset, people are unlikely to look into this very far.
--
Phil Dibowitz [EMAIL PROTECTED]
Open Source software and tech docs: http://www.phildev.net/
Insanity Palace of Metallica: http://www.ipom.com/
"Never write it in C if you can do it in 'awk';
Never do it in 'awk' if 'sed' can handle it;
Never use 'sed' when 'tr' can do the job;
Never invoke 'tr' when 'cat' is sufficient;
Avoid using 'cat' whenever possible" -- Taylor's Laws of Programming
________________________________________________________________________
Check Out the new free AIM(R) Mail -- 2 GB of storage and
industry-leading spam and email virus protection.
# Block selected broadcasts w/o logging:
block in quick proto udp from any to 123.456.71.255 port = 631 # Printer broadcast
block in quick proto udp from any to 123.456.71.255 port = 137 # Netbios
block in quick proto udp from any to 123.456.71.255 port = 138 # Netbios
block in quick proto udp from any to 123.456.71.255 port = 139 # Netbios
block in quick proto udp from any to 255.255.255.255 #
block in quick proto tcp from any to any port = 135 # Netbios
block in quick proto udp from any to any port = 137 # Netbios
block in quick proto udp from any to any port = 138 # Netbios
block in quick proto tcp from any to any port = 139 # Netbios
block in quick proto udp from any to any port = 1026 # CAP: Calendar Access Protocol
block in quick proto udp from any to any port = 1027 # CAP: Calendar Access Protocol
block in quick proto 2 from any to 224.0.0.1 # Broadcast from 123.456.68.1
block in quick proto tcp/udp from any to any port = 445 # Microsoft-DS
block in quick proto tcp/udp from any to any port = 1433 # MS-SQL-Server
block in quick proto tcp/udp from any to any port = 1434 # MS-SQL-Monitor
block in quick proto tcp/udp from any to any port = 4899 # RAdmin
block in quick proto tcp/udp from any to any port = 3306 # MySQL
# Outbound packets:
# pass out log all # Debug
pass out all #
pass out proto icmp from any to any keep state
# Corrects traceroute failure and intermittent OOW packets from being blocked (Hmmm ... maybe?):
pass out proto tcp/udp from any to any keep state keep frags
# Inbound packets:
# pass in log all # Debug
# If you're not on the list, you're not getting in ...
block in log all
# Trusted needed hosts:
# Subnet gateway -
pass in quick proto tcp from 123.456.68.1 to any flags S keep state
pass in quick proto udp from 123.456.68.1 to any keep state
# NTP -
pass in quick proto tcp from 123.456.1.201 to any flags S keep state
pass in quick proto udp from 123.456.1.201 to any keep state
pass in quick proto tcp from 123.456.1.202 to any flags S keep state
pass in quick proto udp from 123.456.1.202 to any keep state
pass in quick proto tcp from 123.456.1.203 to any flags S keep state
pass in quick proto udp from 123.456.1.203 to any keep state
pass in quick proto tcp from 123.456.1.204 to any flags S keep state
pass in quick proto udp from 123.456.1.204 to any keep state
# NAS -
pass in quick proto tcp from 123.456.161.16 to any flags S keep state
pass in quick proto udp from 123.456.161.16 to any keep state
# DNS -
pass in quick proto tcp from 123.456.247.34 to any flags S keep state
pass in quick proto udp from 123.456.247.34 to any keep state
pass in quick proto tcp from 123.456.247.66 to any flags S keep state
pass in quick proto udp from 123.456.247.66 to any keep state
pass in quick proto tcp from 123.456.247.98 to any flags S keep state
pass in quick proto udp from 123.456.247.98 to any keep state
# WINS (for Samba) -
pass in quick proto tcp from 123.456.162.243 to any flags S keep state
pass in quick proto udp from 123.456.162.243 to any keep state
pass in quick proto tcp from 123.456.162.242 to any flags S keep state
pass in quick proto udp from 123.456.162.242 to any keep state
# Allow access to all services from our subnet:
pass in quick proto tcp from 123.456.70.0/26 to any flags S keep state # 70.0-70.63
pass in quick proto udp from 123.456.70.0/26 to any keep state # 70.0-70.63
pass in quick proto tcp from 123.456.70.64/27 to any flags S keep state # 70.64-70.95
pass in quick proto udp from 123.456.70.64/27 to any keep state # 70.64-70.95
pass in quick proto tcp from 123.456.70.96/28 to any flags S keep state # 70.96-70.99 (note: a /28 actually spans 70.96-70.111)
pass in quick proto udp from 123.456.70.96/28 to any keep state # 70.96-70.99 (note: a /28 actually spans 70.96-70.111)
# Allow SSH access from selected IPs:
pass in quick proto tcp from 123.456.0.0/16 to any port = 22 flags S keep state # incoming
# NB: the next rule admits any inbound SYN whose source port is 22, to any destination port;
# replies to outbound SSH sessions are already covered by the stateful "pass out" rule above
pass in quick proto tcp from any port = 22 to any flags S keep state # outgoing
# Allow ICMP (ping, traceroute, etc.)
pass in quick proto icmp all keep state
# Allow SMTP (mail) -
# pass in quick proto tcp from any to any port = 25 flags S keep state
# Debug: Allow traffic from any local host:
# pass in log quick from 123.456.0.0/16 to any keep state
##pass in quick from 123.456.0.0/16 to any keep state
# pass in log quick from 123.456.0.0/16 to any keep state
##pass in quick from 123.456.0.0/16 to any keep state
# Allow HTTP
# pass in quick proto tcp from any to any port = 80 flags S keep state
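As an added example (not part of this thread and not IPFilter's own tooling), the following Python reads ipmon lines like the two Phil quotes, numbers the rules of an ipf.conf per direction the way ipfstat -in lists them, and maps the @group:rule reference back to the rule text. The log lines and the ipf.conf excerpt are constructed from the thread; the excerpt is deliberately shorter than the attached file, so the real @0:18 lines resolve to nothing, which is exactly the "not the whole ruleset" situation Phil points at.

```python
import re
# Constructed sample input: the two ipmon lines quoted in the thread, rejoined onto
# one line each (the list archive wrapped them); bogus IPs as in the thread.
IPMON_LOG = """\
29/11/2006 12:16:35.785428 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
29/11/2006 12:16:36.713333 eri0 @0:18 b 123.456.78.59,52740 -> 123.456.78.11,32772 PR tcp len 20 40 -AF IN
"""
# Constructed, shortened ipf.conf in the style of the attached file (not the full file).
IPF_CONF = """\
# Block selected broadcasts w/o logging:
block in quick proto udp from any to 123.456.71.255 port = 631 # Printer broadcast
block in quick proto tcp from any to any port = 135 # Netbios
pass out proto tcp/udp from any to any keep state keep frags
block in log all
pass in quick proto tcp from 123.456.70.0/26 to any flags S keep state
"""
# ipmon packet line: date time iface @group:rule action src[,sport] -> dst[,dport] PR proto len hl pl [-flags] IN|OUT
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\w.:]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\w.:]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return the fields of one ipmon packet line, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["group"], d["rule"] = int(d["group"]), int(d["rule"])
    d["blocked"] = d["action"] == "b"         # 'b' = blocked, 'p' = passed
    d["tcp_flags"] = (d["flags"] or "-")[1:]  # '-AF' -> 'AF': ACK+FIN set, no SYN
    return d

def number_rules(conf):
    """Number the active rules per direction, 1-based, as ipfstat -in / -on lists them."""
    numbered = {"in": [], "out": []}
    for raw in conf.splitlines():
        text = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if text:
            numbered[text.split()[1]].append(text)  # second word is 'in' or 'out'
    return numbered

def resolve(line, conf):
    """Map an ipmon line to the rule text that handled the packet (group 0 only)."""
    pkt = parse_ipmon(line)
    rules = number_rules(conf)[pkt["dir"].lower()] if pkt else []
    if not pkt or pkt["rule"] > len(rules):
        return None  # the ruleset shown stops short of this number: not the whole ruleset
    return rules[pkt["rule"] - 1]
```

Running resolve() over a complete ipf.conf tells you which rule an ipmon "b" line really came from before anyone starts reasoning about OOW or state.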