ipf out rule

Chris Knipe savage at savage.za.org
Mon May 2 06:24:45 PDT 2005


> First of all what I see in your log is just normal hacker traffic
> probing for access to your box. Your firewall is doing its job
> denying this bogus traffic. I get over 1500 of these daily. I run
> the "abuse reporting system"  to report this junk to the owners of
> the ip address range. You can download copy of the "abuse reporting
> system" scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php

Hmm ok, thanks.  I'll have a look at that.  What I am picking up, however, is
that they only come after I have browsed to a site, for example.  It may just be
fragments or something.  If it's not serious, it's not serious.  I don't see
any "effect" as such from using the server, so it must not be serious.


> now about your rule set.
>
> 1. the lo0 rules are just to allow your PC to talk to itself, so the
> 'keep state' option is wasted overhead.  Remove "keep state" from
> those 2 rules.

Thanks.

> 2. this rule "block in log quick all with frag" is dropping all
> frags so the "keep frag" option on all the rules is useless so
> remove it from all rules.

Allrighty.


> 3. Your problem about ftp is not described enough in detail to
> debug. Not working how?
> Can you access public ftp sites from the firewall box and or from
> LAN pc's?
> Are you running a FTP server and remote users can not access your
> ftp server?
> If so is FTP server on firewall box or on LAN pc?
> Add log option to your ftp rules and read log to view ftp packet
> traffic to debug
> Are you running NAT for LAN users, if so post NAT rules

There is no "Internal" network, or LAN.  This is a co-located server in a
data center (thus firewall and all services are on the same machine).  PASV
FTP coming in to the server is not working.

logs:
May  2 15:20:45 pyro pure-ftpd[23394]: (?@x.x.x.x) [INFO] New connection from x.x.x.x
May  2 15:20:46 pyro pure-ftpd[23395]: (?@x.x.x.x) [INFO] cknipe is now logged in
May  2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 15:21:53 pyro pure-ftpd[23395]: (cknipe at x.x.x.x) [INFO] Logout.


> 4. You are allowing out all services originating from behind your
> firewall. This is a very insecure practice. Your LAN PCs or the
> firewall box itself could have a Trojan or spyware and you will
> never know it. Change the rules to only allow out the services you
> expect to be using like shown in the official handbook firewall
> section.

See above :)

--
Chris.


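A worked triage of the ipmon lines quoted in this thread, added here as an example; it is not code from the thread or from IPFilter. It parses the ipmon log layout exactly as it appears above, then checks each blocked packet against the ports the posted rule set passes in on rl0. The OPEN_PORTS table is my reading of the posted "pass in" rules, keyed on the destination's last octet because the addresses are anonymised; source-address restrictions on the MySQL, NTP and Squid rules are ignored, and the 49152 threshold is the posted FTP-DATA rule's "port > 49151". On the posted lines it reports that the two SYNs to port 33273 fall below that threshold, and that the port 3128 packets carry A and F but no S, which no "flags S keep state" rule can match without an existing state entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ipmon lines quoted in this thread, addresses left
# anonymised exactly as the author posted them.
SAMPLE_LOG = """\
May  2 15:20:46 pyro ipmon[8689]: 15:20:46.628707 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 15:20:49 pyro ipmon[8689]: 15:20:49.556181 rl0 @0:62 b x.x.x.x,4049 -> a.a.a.122,33273 PR tcp len 20 48 -S IN
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
"""

# ipmon line layout as it appears in the thread (the flags field is absent for UDP):
#   ... ipmon[pid]: <time> <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport>
#       PR <proto> len <hdrlen> <len> -<flags> <IN|OUT>
LINE_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)"
)


@dataclass
class Entry:
    iface: str
    rule: int
    action: str       # 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str        # TCP flag letters, '' for UDP/ICMP
    direction: str    # 'IN' or 'OUT'


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ipmon line; return None for a line in any other format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Entry(m['iface'], int(m['rule']), m['action'], m['src'], int(m['sport']),
                 m['dst'], int(m['dport']), m['proto'], m['flags'] or '', m['dir'])


# Assumption: the ports the posted rule set passes in on rl0, keyed by the
# destination's last octet because the thread anonymises addresses.
# Source-address restrictions (MySQL, NTP, Squid) are deliberately ignored.
OPEN_PORTS = {
    '122': {'tcp': {21, 22, 25, 53, 80, 110, 443, 3306}, 'udp': {53, 123}},
    '123': {'tcp': {3128, 3130, 10024, 18080, 28080}, 'udp': {53}},
}
PASV_LOW = 49152   # the posted FTP-DATA rule passes "port > 49151"


def port_allowed(dst: str, proto: str, dport: int) -> bool:
    """True if some posted 'pass in' rule covers this destination port."""
    host = dst.rsplit('.', 1)[-1]
    if dport in OPEN_PORTS.get(host, {}).get(proto, set()):
        return True
    return host == '122' and proto == 'tcp' and dport >= PASV_LOW


def explain_block(e: Entry) -> str:
    """Say which posted rule a blocked packet fell short of."""
    if e.action != 'b':
        return 'passed'
    if e.proto == 'tcp' and 'S' not in e.flags:
        # Every posted 'pass in' TCP rule says 'flags S keep state': only a SYN
        # creates state, so a bare ACK/FIN needs a live state entry to pass.
        return 'no SYN: would need an existing state entry'
    if port_allowed(e.dst, e.proto, e.dport):
        return 'port is open: blocked by a source restriction or rule order'
    if e.dst.endswith('.122') and e.proto == 'tcp' and 1024 <= e.dport < PASV_LOW:
        return f'dst port {e.dport} is below the passive range (> 49151) in the FTP-DATA rule'
    return f'no pass rule for {e.proto}/{e.dport} on {e.dst}'


def triage(log: str) -> List[str]:
    """One explanation line per parseable ipmon entry."""
    out = []
    for line in log.splitlines():
        e = parse_line(line)
        if e is not None:
            out.append(f"{e.src}:{e.sport} -> {e.dst}:{e.dport} {e.proto} "
                       f"flags={e.flags or '-'} @{e.rule}: {explain_block(e)}")
    return out


if __name__ == '__main__':
    print('\n'.join(triage(SAMPLE_LOG)))
```

Run it as `python3 triage.py` and it prints one line per entry; to use it on a real ipmon log, feed the file contents to `triage()` and extend OPEN_PORTS with the ports your own rule set passes.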
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chris Knipe
> Sent: Monday, May 02, 2005 6:19 AM
> To: freebsd-questions at lists.freebsd.org
> Subject: Re: ipf out rule
>
>
> Ok, that is fair enough.
>
> I did manage to get it up and running without locking myself out
> though *yay*
>
> I am having 2 issues mainly.
>
> FTP doesn't work at all (PASV or not), and I am getting a lot of
> false drops on packets which *should* be allowed...
>
> Quick dump from the log file:
> May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b
> y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b
> y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b
> y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b
> y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
> May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b
> y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
>
> /etc/ipf.rules:
> # lo0 - Loopback
> pass in  quick on lo0 all keep state
> pass out quick on lo0 all keep state
>
> # Bad Packet Murder
> block in log quick all with ipopts
> block in log quick all with short
> block in log quick all with frag
> block return-rst in log quick proto tcp all flags FUP
> block return-rst in log quick proto tcp all flags FSRPAU
>
> #################################################################
> # Outside Interfaces
> #################################################################
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
> block out log quick on rl0 all
>
> #################################################################
> # Block and log all remaining traffic coming into the firewall
> # - Block  TCP with a RST (to make it appear as if the service
> # isn't listening)
> # - Block UDP with an ICMP Port Unreachable (to make it appear
> # as if the service isn't listening)
> # - Block all remaining  traffic the good 'ol fashioned way
> #################################################################
> # rl0 - Global Incoming
> block in quick on rl0 from 0.0.0.0/7 to any
> block in quick on rl0 from 2.0.0.0/8 to any
> block in quick on rl0 from 5.0.0.0/8 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 23.0.0.0/8 to any
> block in quick on rl0 from 27.0.0.0/8 to any
> block in quick on rl0 from 31.0.0.0/8 to any
> block in quick on rl0 from 69.0.0.0/8 to any
> block in quick on rl0 from 70.0.0.0/7 to any
> block in quick on rl0 from 72.0.0.0/5 to any
> block in quick on rl0 from 82.0.0.0/7 to any
> block in quick on rl0 from 84.0.0.0/6 to any
> block in quick on rl0 from 88.0.0.0/5 to any
> block in quick on rl0 from 96.0.0.0/3 to any
> block in quick on rl0 from 127.0.0.0/8 to any
> block in quick on rl0 from 128.0.0.0/16 to any
> block in quick on rl0 from 128.66.0.0/16 to any
> block in quick on rl0 from 169.254.0.0/16 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 191.255.0.0/16 to any
> block in quick on rl0 from 192.0.0.0/19 to any
> block in quick on rl0 from 192.0.48.0/20 to any
> block in quick on rl0 from 192.0.64.0/18 to any
> block in quick on rl0 from 192.0.128.0/17 to any
> block in quick on rl0 from 192.168.0.0/16 to any
> block in quick on rl0 from 197.0.0.0/8 to any
> block in quick on rl0 from 201.0.0.0/8 to any
> block in quick on rl0 from 204.152.64.0/23 to any
> block in quick on rl0 from 219.0.0.0/8 to any
> block in quick on rl0 from 220.0.0.0/6 to any
> block in quick on rl0 from 224.0.0.0/3 to any
>
> # rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
> pass in quick on rl0 proto icmp all icmp-type 0
> pass in quick on rl0 proto icmp all icmp-type 3
> pass in quick on rl0 proto icmp all icmp-type 11
>
> # rl0 - x.x.x.122 FTP, FTP-DATA
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
> pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
> pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state
>
> # rl0 - x.x.x.122 SSH
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags
>
> # rl0 - x.x.x.122 SMTP
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags
>
> # rl0 - x.x.x.122 DNS
> pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags
>
> # rl0 - x.x.x.122 HTTP, HTTPS
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags
>
> # rl0 - x.x.x.122 POP3
> pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags
>
> # rl0 - x.x.x.122 NTP
> pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
> pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
> pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags
>
> # rl0 - x.x.x.122 MySQL
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags
>
> # rl0 - x.x.x.123 DNS
> pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags
>
> # rl0 - x.x.x.123 Squid
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
> pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags
>
> # rl0 - x.x.x.123 PMX
> pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags
>
> # Le Grande Finale
> block in log quick on rl0 all
>
> As always, looking forward to some help :)
>
> --
> Chris.
>
> "I love deadlines. I especially love the whooshing sound they make as
> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> ----- Original Message -----
> From: <bob at a1poweruser.com>
> To: "Chris Knipe" <savage at savage.za.org>;
> <freebsd-questions at lists.freebsd.org>
> Sent: Monday, May 02, 2005 1:56 AM
> Subject: RE: ipf out rule
>
>
>> When asking for help with firewall rules you have to post complete
>> content of firewall rule set file because some previous rule may be
>> dropping all packets. If this is your complete rule set then you are
>> missing the mandatory lo0 interface rule to pass quick all.  rl0 must
>> be NIC connected to public internet. x.x.x.120/29 is ip address
>> range of PCs on private LAN behind firewall. This is not much of
>> firewall with everything being allowed out.  You could replace all
>> of these meaningless statements with   pass quick all from any to
>> any
>>
>> You really need to read firewall section of the official handbook.
>> It has working examples of ipf.rules rule set along with detailed
>> explanation of how to build firewall rules.
>>
>> -----Original Message-----
>> From: owner-freebsd-questions at freebsd.org
>> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chris Knipe
>> Sent: Sunday, May 01, 2005 6:56 PM
>> To: freebsd-questions at lists.freebsd.org
>> Subject: ipf out rule
>>
>>
>> Hi,
>>
>> Can anyone take a minute to just explain to me why ipf is blocking
>> this...
>>
>> ipf.rules:
>> # rl0 - Outgoing
>> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
>> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
>> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
>> block out log quick on rl0 all
>>
>> ipftest:
>> opening rule file "ipf.new"
>> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
>> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
>> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
>> --------------
>> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
>> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
>> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>>
>> Thanks.
>>
>>
>> --
>> Chris.
>>
>> "I love deadlines. I especially love the whooshing sound they make as
>> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"