kern/73202: IPF causing major tcp problems with 3rd party apps
(apache, exim etc)
David Haworth
dave at fyonn.net
Wed Oct 27 15:20:24 PDT 2004
The following reply was made to PR kern/73202; it has been noted by GNATS.
From: David Haworth <dave at fyonn.net>
To: Kris Kennaway <kris at obsecurity.org>
Cc: FreeBSD-gnats-submit at FreeBSD.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Date: Wed, 27 Oct 2004 23:18:14 +0100
> First guess would be that your ipf ruleset was wrong. Can you please
> include it for verification?
You're quite right, I should have pointed out that the firewall ruleset
was completely unchanged from the 5.1 config. I don't really want to
post my firewall config to a public forum so I'll enclose a suitably
edited version.
This config worked fine with 5.1 and caused no problems.
dave
# deny by default
block in log on vr0
pass in quick on lo0
pass out quick on lo0
# get rid of unwanted and unexpected networks
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
#Rule to block nmap fingerprinting attempts
block in quick on vr0 proto tcp all flags FUP
#block all packets with ip options.
block in log quick all with ipopts
#block all fragmented and short packets
block in quick all with frag
block in quick all with short
# block silently netbios/msds/mssql traffic from the local lan
block in quick on vr0 proto tcp from any to any port = 135
<more like this>
# allow mail/web traffic
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick on vr0 proto tcp from any to $local_ip2 port = http
<more like this>
# allow pings and traceroutes
pass in quick proto icmp from any to $local_ip1 icmp-type 8 # echo request
pass in quick proto udp from any to $local_ip1 port 33434 >< 33690 keep state
#allow anyone to ssh in
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
# stateful allowing of internal traffic and replies
pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
pass out quick on vr0 proto icmp from any to any keep state
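As an added review aid, not part of this PR or of the ipf project, the following Python checker parses ipf-style rules of the form used above and reports TCP pass rules that create no state, as well as inbound stateful TCP rules that are not restricted to SYN packets with "flags S" (the pattern the ssh rule above already uses). The embedded sample is a constructed subset of the posted ruleset, and the parser only handles the rule syntax that appears on this page.

```python
import re

# Constructed sample: a subset of the posted ruleset, variables left as-is.
SAMPLE_RULES = """\
# deny by default
block in log on vr0
block in quick on vr0 proto tcp all flags FUP
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
"""

# action, direction, optional log/quick, optional interface, optional proto
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<opts>(?:\s+(?:log|quick))*)"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?P<rest>.*)$"
)

def parse_rule(line):
    """Return a dict describing one ipf rule, or None for blanks and comments."""
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unrecognised rule: " + line)
    rest = m.group("rest")
    return {
        "line": line,
        "action": m.group("action"),
        "dir": m.group("dir"),
        "quick": "quick" in m.group("opts"),
        "proto": m.group("proto") or "any",
        "keep_state": "keep state" in rest,
        "syn_only": bool(re.search(r"\bflags\s+S\b", rest)),
    }

def audit_rules(text):
    """List (finding, rule) pairs for TCP pass rules worth a second look."""
    findings = []
    for raw in text.splitlines():
        r = parse_rule(raw)
        if r is None or r["action"] != "pass" or "tcp" not in r["proto"]:
            continue
        if not r["keep_state"]:
            findings.append(("no-keep-state", r["line"]))
        elif r["dir"] == "in" and not r["syn_only"]:
            findings.append(("state-without-flags-S", r["line"]))
    return findings
```

Running `audit_rules(SAMPLE_RULES)` flags the smtp and http rules as stateless; the ssh rule passes both checks.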