Re: ipf out rule

2005-05-02 Thread Chris Knipe
to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags

# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags

# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags

# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags

# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags

# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)
--
Chris.
I love deadlines. I especially love the whooshing sound they make as they 
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

- Original Message - 
From: [EMAIL PROTECTED]
To: Chris Knipe [EMAIL PROTECTED]; 
[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule


When asking for help with firewall rules you have to post the complete
content of the firewall rule set file, because some previous rule may be
dropping all packets. If this is your complete rule set then you are
missing the mandatory lo0 interface rule to pass quick all. rl0 must
be the NIC connected to the public internet. x.x.x.120/29 is the IP address
range of PCs on the private LAN behind the firewall. This is not much of a
firewall with everything being allowed out. You could replace all
of these meaningless statements with "pass quick all from any to any".
You really need to read the firewall section of the official handbook.
It has working examples of an ipf.rules rule set along with a detailed
explanation of how to build firewall rules.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Knipe
Sent: Sunday, May 01, 2005 6:56 PM
To: [EMAIL PROTECTED]
Subject: ipf out rule
Hi,
Can anyone take a minute to just explain to me why ipf is blocking
this...
ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:
opening rule file ipf.new
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
Thanks.
--
Chris.
I love deadlines. I especially love the whooshing sound they make as
they
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]



ipf out rule

2005-05-02 Thread Chris Knipe
Hi,
Can anyone take a minute to just explain to me why ipf is blocking this...
ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:
opening rule file ipf.new
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
Thanks.
--
Chris.
I love deadlines. I especially love the whooshing sound they make as they 
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy' 

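
To see why the ipftest run above passes the inbound SYN to port 22 but blocks the server's reply, here is a small model of ipf rule evaluation (a matching `quick` rule ends the search, otherwise the last match wins; `pass ... keep state` records the session so later packets bypass the rules; a packet that matches no rule is passed). This is an added example written for this thread, not ipf's own code. It uses RFC 5737 test addresses in place of the anonymised ones (203.0.113.120/29 for x.x.x.120/29, 203.0.113.122 for the server, 198.51.100.1 for the remote host) and gives the reply SYN/ACK flags where the ipftest input typed none; either way the reply does not carry a bare SYN, so it never matches `flags S`, and with no inbound `keep state` rule to create a state entry it falls through to `block out log quick on rl0 all`. The second rule set adds an inbound keep-state rule for port 22 and the reply passes from the state table.

```python
"""Small model of IPFilter (ipf) rule evaluation. Added example, not ipf's code;
it knows only the keywords used in the thread's 'rl0 - Outgoing' rules."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# direction "in"/"out", proto "tcp"/"udp"/"icmp", flags = TCP flag letters ("S", "SA", "AF")
Packet = namedtuple("Packet", "direction iface proto src sport dst dport flags", defaults=[""])

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str
    text: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Tuple = (ANY, None)    # (network, port or None)
    dst: Tuple = (ANY, None)
    flags: Optional[str] = None
    keep_state: bool = False

def parse_rule(line: str) -> Rule:
    toks = line.split()
    r = Rule(action=toks[0], direction=toks[1], text=line)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log", "all"):            # 'all' = no address restriction
            r.quick = r.quick or t == "quick"
            i += 1
        elif t in ("on", "proto", "flags"):
            setattr(r, "iface" if t == "on" else t, toks[i + 1])
            i += 2
        elif t in ("from", "to"):
            net = ANY if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)
            port, i = None, i + 2
            if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
                port, i = int(toks[i + 2]), i + 3
            setattr(r, "src" if t == "from" else "dst", (net, port))
        elif t == "keep":                           # keep state / keep frags (frags ignored)
            r.keep_state = r.keep_state or toks[i + 1] == "state"
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule {line!r}")
    return r

def _addr_ok(spec: Tuple, addr: str, port: int) -> bool:
    net, want = spec
    return ipaddress.ip_address(addr) in net and (want is None or want == port)

def matches(r: Rule, p: Packet) -> bool:
    if r.direction != p.direction or (r.iface and r.iface != p.iface):
        return False
    if (r.proto and r.proto != p.proto) or not _addr_ok(r.src, p.src, p.sport):
        return False
    if not _addr_ok(r.dst, p.dst, p.dport):
        return False
    # 'flags S' means a bare SYN; modelled as an exact match on the flag set
    return r.flags is None or (p.proto == "tcp" and set(r.flags) == set(p.flags))

def check(rules, state: set, p: Packet) -> Tuple[str, str]:
    """Last match wins unless it says 'quick'; state-table hits bypass the rules;
    no match means pass. A pass+keep-state win records both directions."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    if key in state:
        return "pass", "state"
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "pass", "default (no rule matched)"
    if winner.action == "pass" and winner.keep_state:
        state.add(key)
        state.add((p.proto, p.dst, p.dport, p.src, p.sport))   # the reply direction
    return winner.action, winner.text

# Constructed stand-ins for the thread's rules: 203.0.113.120/29 plays x.x.x.120/29,
# 203.0.113.122 the server and 198.51.100.1 the remote client (RFC 5737 addresses).
OUTGOING_ONLY = [
    "pass out quick on rl0 proto tcp from 203.0.113.120/29 to any flags S keep state keep frags",
    "pass out quick on rl0 proto udp from 203.0.113.120/29 to any keep state keep frags",
    "pass out quick on rl0 proto icmp from 203.0.113.120/29 to any keep state keep frags",
    "block out log quick on rl0 all",
]
WITH_INBOUND_SSH = ["pass in quick on rl0 proto tcp from any to 203.0.113.122 port = 22 flags S keep state"] \
    + OUTGOING_ONLY + ["block in log quick on rl0 all"]

def replay_ssh_handshake(lines) -> Tuple[str, str]:
    """Replay the thread's ipftest case: a SYN to port 22 comes in on rl0, then
    the server's SYN/ACK goes out. Returns the verdict for each packet."""
    rules, state = [parse_rule(l) for l in lines], set()
    syn = Packet("in", "rl0", "tcp", "198.51.100.1", 2210, "203.0.113.122", 22, "S")
    reply = Packet("out", "rl0", "tcp", "203.0.113.122", 22, "198.51.100.1", 2210, "SA")
    return check(rules, state, syn)[0], check(rules, state, reply)[0]
```

`replay_ssh_handshake(OUTGOING_ONLY)` returns `("pass", "block")`: the SYN matches nothing and is passed by default, the reply is blocked by the catch-all. `replay_ssh_handshake(WITH_INBOUND_SSH)` returns `("pass", "pass")`, the reply now coming from the state table. The model deliberately treats `flags S` as an exact flag-set match and ignores `keep frags`, so it is only a teaching aid for the first-match and state behaviour, not a substitute for running ipftest against the real rule file.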


RE: ipf out rule

2005-05-02 Thread bob
First of all, what I see in your log is just normal hacker traffic
probing for access to your box. Your firewall is doing its job
denying this bogus traffic. I get over 1500 of these daily. I run
the abuse reporting system to report this junk to the owners of
the IP address range. You can download a copy of the abuse reporting
system scripts from
http://www.unixguide.net/freebsd/fbsd_installguide/index.php


Now about your rule set.

1. The lo0 rules are just to allow your PC to talk to itself, so
the 'keep state' option is wasted overhead. Remove keep state from
those 2 rules.

2. This rule, "block in log quick all with frag", is dropping all
frags, so the keep frags option on all the rules is useless; so
remove it from all rules.

3. Your problem with FTP is not described in enough detail to
debug. Not working how?
Can you access public FTP sites from the firewall box and/or from
LAN PCs?
Are you running an FTP server and remote users cannot access your
FTP server?
If so, is the FTP server on the firewall box or on a LAN PC?
Add the log option to your FTP rules and read the log to view FTP packet
traffic to debug.
Are you running NAT for LAN users? If so, post the NAT rules.

4. You are allowing out all services originating from behind your
firewall. This is a very insecure practice. Your LAN PCs or the
firewall box itself could have a Trojan or spyware and you will
never know it. Change the rules to only allow out the services you
expect to be using, as shown in the official handbook firewall
section.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Knipe
Sent: Monday, May 02, 2005 6:19 AM
To: [EMAIL PROTECTED]
Subject: Re: ipf out rule


Ok, that is fair enough.

I did manage to get it up and running without locking myself out though
*yay*

I am having 2 issues mainly.

FTP doesn't work at all (PASV or not), and I am getting a lot of
false drops on packets which *should* be allowed...

Quick dump from the log file:
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN

/etc/ipf.rules:
# lo0 - Loopback
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#
# Outside Interfaces
#
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

#
# Block and log all remaining traffic coming into the firewall
# - Block  TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining  traffic the good 'ol fashioned way
#
# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick

Re: ipf out rule

2005-05-02 Thread Chris Knipe
First of all, what I see in your log is just normal hacker traffic
probing for access to your box. Your firewall is doing its job
denying this bogus traffic. I get over 1500 of these daily. I run
the abuse reporting system to report this junk to the owners of
the IP address range. You can download a copy of the abuse reporting
system scripts from
http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Hmm ok, thanks. I'll have a look at that. What I am picking up however is
that they only come after I browsed to a site, for example. It may just be
fragments or something. If it's not serious, it's not serious. I don't see
any effect as such from using the server, so it must not be serious.


Now about your rule set.

1. The lo0 rules are just to allow your PC to talk to itself, so
the 'keep state' option is wasted overhead. Remove keep state from
those 2 rules.

Thanks.

2. This rule, "block in log quick all with frag", is dropping all
frags, so the keep frags option on all the rules is useless; so
remove it from all rules.

Alrighty.

3. Your problem with FTP is not described in enough detail to
debug. Not working how?
Can you access public FTP sites from the firewall box and/or from
LAN PCs?
Are you running an FTP server and remote users cannot access your
FTP server?
If so, is the FTP server on the firewall box or on a LAN PC?
Add the log option to your FTP rules and read the log to view FTP packet
traffic to debug.
Are you running NAT for LAN users? If so, post the NAT rules.

There is no internal network or LAN. This is a co-located server in a
data center (thus firewall and all services are on the same machine). PASV
FTP coming in to the server is not working.

logs:
May  2 15:20:45 pyro pure-ftpd[23394]: ([EMAIL PROTECTED]) [INFO] New connection from x.x.x.x
May  2 15:20:46 pyro pure-ftpd[23395]: ([EMAIL PROTECTED]) [INFO] cknipe is now logged in
May  2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 15:21:53 pyro pure-ftpd[23395]: ([EMAIL PROTECTED]) [INFO] Logout.


4. You are allowing out all services originating from behind your
firewall. This is a very insecure practice. Your LAN PCs or the
firewall box itself could have a Trojan or spyware and you will
never know it. Change the rules to only allow out the services you
expect to be using, as shown in the official handbook firewall
section.
See above :)
--
Chris.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Knipe
Sent: Monday, May 02, 2005 6:19 AM
To: [EMAIL PROTECTED]
Subject: Re: ipf out rule
Ok, that is fair enough.

I did manage to get it up and running without locking myself out though
*yay*

I am having 2 issues mainly.

FTP doesn't work at all (PASV or not), and I am getting a lot of
false drops on packets which *should* be allowed...

Quick dump from the log file:
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
/etc/ipf.rules:
# lo0 - Loopback
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state
# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU
#
# Outside Interfaces
#
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all
#
# Block and log all remaining traffic coming into the firewall
# - Block  TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining  traffic the good 'ol fashioned way
#
# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0
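
The two drop patterns in the message above (the repeating `-AF` segments from port 1201 to the Squid port 3128, and the `-S` packets to port 33273 that arrive seconds after the pure-ftpd login) can be told apart mechanically rather than by eye. This is an added example, not code from the thread: it parses ipmon block lines (ipmon writes the flow as `src,sport -> dst,dport`), classifies each blocked TCP packet by the flags it carried, and labels a bare SYN to a high port that arrives within a window after an FTP login as the client's passive-mode data connection, which is the connection a `pass in` rule for the server's passive port range would have to cover. The window length and the category names are this example's own choices; the sample log is the thread's lines re-joined onto single lines, addresses left as anonymised in the post.

```python
"""Triage of ipmon 'b' (blocked) entries of the kind posted in this thread.
Added example, not part of the original posts: it classifies each blocked TCP
packet by the flags ipmon logged and correlates bare SYNs to high ports with
recent pure-ftpd logins. ipmon writes the flow as 'src,sport -> dst,dport'."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

IPMON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ipmon\[\d+\]: \S+ (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<verdict>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)
FTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd\[\d+\]: \([^)]*\) \[INFO\] (?P<msg>.*)$"
)

def _when(ts: str) -> datetime:
    return datetime.strptime(ts, "%b %d %H:%M:%S")   # year-less; only used for deltas

def triage(lines: List[str], ftp_window_s: int = 120) -> List[Tuple[str, str, str, str]]:
    """One (timestamp, category, flow, rule) tuple per blocked packet, in log order."""
    logins, events = [], []
    for line in lines:
        m = FTPD_RE.match(line)
        if m:
            if "logged in" in m["msg"]:
                logins.append(_when(m["ts"]))
            continue
        m = IPMON_RE.match(line)
        if not m or m["verdict"] != "b":
            continue
        when, flags, dport = _when(m["ts"]), set(m["flags"] or ""), int(m["dport"])
        after_login = any(0 <= (when - t).total_seconds() <= ftp_window_s for t in logins)
        if m["proto"] != "tcp":
            category = "non-tcp"
        elif "S" not in flags:
            # ACK/FIN/RST without SYN: a segment of a session ipf holds no state
            # entry for, e.g. a FIN/ACK retransmitted after the entry was removed.
            category = "no-state-segment"
        elif flags == {"S"} and dport > 1023 and after_login:
            # A bare SYN to an ephemeral port right after an FTP login is what a
            # passive-mode data connection looks like from the server's side.
            category = "ftp-pasv-data"
        else:
            category = "new-connection"
        flow = f"{m['src']},{m['sport']} -> {m['dst']},{m['dport']}"
        events.append((m["ts"], category, flow, f"@{m['group']}:{m['rule']}"))
    return events

def summarize(lines: List[str]) -> Dict[str, int]:
    return dict(Counter(e[1] for e in triage(lines)))

# The thread's own log lines, re-joined onto single lines (addresses as anonymised
# in the post; '[EMAIL PROTECTED]' is the archive's redaction of user@host).
SAMPLE_LOG = [
    "May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 15:20:45 pyro pure-ftpd[23394]: ([EMAIL PROTECTED]) [INFO] New connection from x.x.x.x",
    "May  2 15:20:46 pyro pure-ftpd[23395]: ([EMAIL PROTECTED]) [INFO] cknipe is now logged in",
    "May  2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN",
    "May  2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN",
    "May  2 15:21:53 pyro pure-ftpd[23395]: ([EMAIL PROTECTED]) [INFO] Logout.",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(*event)
    print(summarize(SAMPLE_LOG))
```

On the sample, `summarize(SAMPLE_LOG)` gives five `no-state-segment` entries (the FIN/ACK from port 1201 retransmitted at growing intervals, every one hitting rule @0:62 because no state entry covers it any more) and two `ftp-pasv-data` entries (the client's SYNs to port 33273 within seconds of the login). Both categories are worth separating from genuine probes before reporting anything as abuse: the first is a side effect of how the session closed, the second is the passive data channel the rule set has no `pass in` rule for.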

ipf out rule

2005-05-01 Thread Chris Knipe
Hi,
Can anyone take a minute to just explain to me why ipf is blocking this...
ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:
opening rule file ipf.new
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
Thanks.
--
Chris.
I love deadlines. I especially love the whooshing sound they make as they
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy' 



RE: ipf out rule

2005-05-01 Thread bob
When asking for help with firewall rules you have to post the complete
content of the firewall rule set file, because some previous rule may be
dropping all packets. If this is your complete rule set then you are
missing the mandatory lo0 interface rule to pass quick all. rl0 must
be the NIC connected to the public internet. x.x.x.120/29 is the IP address
range of PCs on the private LAN behind the firewall. This is not much of a
firewall with everything being allowed out. You could replace all
of these meaningless statements with "pass quick all from any to any".

You really need to read the firewall section of the official handbook.
It has working examples of an ipf.rules rule set along with a detailed
explanation of how to build firewall rules.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Knipe
Sent: Sunday, May 01, 2005 6:56 PM
To: [EMAIL PROTECTED]
Subject: ipf out rule


Hi,

Can anyone take a minute to just explain to me why ipf is blocking
this...

ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:
opening rule file ipf.new
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210

Thanks.


--
Chris.

I love deadlines. I especially love the whooshing sound they make as
they
fly by... - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

