Re: Problem with IPFILTER

From: Erik Norgaard (none@norgaard--locolomo.org.lh.bsd-dk.dk)
Date: Tue 31 Aug 2004 - 13:50:23 CEST


Date: Tue, 31 Aug 2004 13:50:23 +0200
From: Erik Norgaard <none@norgaard--locolomo.org.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: Re: Problem with IPFILTER

Allan Wermuth wrote:
> # IPFILTER support
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK

It is normally not recommended to include the last line, especially while
you are fiddling with building a ruleset. Instead you can put the following
two at the top of your ruleset:

block in log all
block out log all

> # block garbage
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short

I would delete these rules to begin with.

> # outbound traffic
> pass out on fxp0 all head 100

You probably want "pass out quick", so you don't risk the packets being
filtered later.

> # inbound traffic
> block in on fxp0 all head 200

Again: "block in quick on fxp0"

> block in from 127.0.0.0/8 to any group 200
> block in from 130.225.156.24/32 to any group 200

In these two rules you surely also want "quick", otherwise you allow
connections from the IPs mentioned to port 22 below:

> pass in quick proto tcp from any to any port = 22 keep state group 200
> pass in quick proto udp from any to any port = 514 group 200

> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200

> After implementing the above, however, I could not reach the server,
> nor ping it. At the console I could see that there was no connection
> to the network.

You can't ping it because you have default_block and you don't allow
ICMP packets.

It would also be smart to put "log" in all rules that block. Then you can
see which rule is blocking what you think should get through. Check your
logs and see what is blocking.

> I have read the ruleset closely (an error could have crept in), but
> haven't really been able to find any error.....
>
> I hope that some merciful person with a bit of firewall experience can
> see where the error might be.

Give a bit more information: ifconfig, what you are trying to connect with
(ssh, I presume) etc... have you tried port-scanning your own machine?

Best regards, Erik

For inspiration, here is my ruleset; vr0 has IP 192.168.0.4:

# Default policy (these rules should never be matched!)
block out log all
block in log all

# Interface #1: vr0 192.168.0.4/24
block out log quick on vr0 all head 10
block in log quick on vr0 all head 11

# Main group: 10
# Anti-spoofing on destination:
block out quick from any to 0.0.0.0/8 group 10
block out quick from any to 10.0.0.0/8 group 10
block out quick from any to 14.0.0.0/8 group 10
block out quick from any to 127.0.0.0/8 group 10
block out quick from any to 169.254.0.0/16 group 10
block out quick from any to 172.16.0.0/12 group 10
block out quick from any to 192.0.2.0/24 group 10
block out quick from any to 198.18.0.0/15 group 10
block out quick from any to 224.0.0.0/4 group 10
block out quick from any to 240.0.0.0/4 group 10
# Anti-spoofing on source:
block out quick from !192.168.0.0/24 to any group 10

# Allow access to standard tcp services
pass out quick proto tcp from 192.168.0.0/16 to any port < 1024 \
       flags S keep state group 10
# cvsup
pass out quick proto tcp from 192.168.0.0/16 to any port = 5999 \
       flags S keep state group 10
# passive ftp client
pass out quick proto tcp from 192.168.0.0/16 to any port > 49151 \
       flags S keep state group 10
# Allow access to standard udp services
pass out quick proto udp from 192.168.0.0/16 to any port < 1024 \
       keep state group 10
# icmp: allow ping
pass out quick proto icmp from 192.168.0.0/16 to any icmp-type 8 \
       keep state group 10

# Main group 11
# Anti spoofing:
block in quick from 0.0.0.0/8 to any group 11
block in quick from 10.0.0.0/8 to any group 11
block in quick from 14.0.0.0/8 to any group 11
block in quick from 127.0.0.0/8 to any group 11
block in quick from 169.254.0.0/16 to any group 11
block in quick from 172.16.0.0/12 to any group 11
block in quick from 192.0.2.0/24 to any group 11
block in quick from 198.18.0.0/15 to any group 11
block in quick from 224.0.0.0/4 to any group 11
block in quick from 240.0.0.0/4 to any group 11
block in quick from any to !192.168.0.0/24 group 11

# Inbound access to provided services
pass in quick proto tcp from any to 192.168.0.0/24 port = 22 flags S \
      keep state group 11
pass in quick proto tcp from any to 192.168.0.0/24 port = 25 flags S \
      keep state group 11
pass in quick proto tcp from any to 192.168.0.0/24 port = 53 flags S \
      keep state group 11
pass in quick proto tcp from any to 192.168.0.0/24 port = 80 flags S \
      keep state group 11
pass in quick proto udp from any to 192.168.0.0/24 port = 53 \
      keep state group 11
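
The two points above about "quick" (the address blocks in group 200 being overridden by the later "pass ... port = 22") and about ICMP falling through to the head rule's block can be checked with a small model of IPFilter's matching order. This is an added example, not part of the original mail or of IPFilter itself; it models only the rule syntax used in the quoted excerpt, and the packet addresses it uses are constructed.

```python
"""Simplified IPFilter evaluation: the last matching rule wins unless it says 'quick',
and a matching 'head' rule sends the packet through its group first. Added example,
not from the mail; log, keep state, flags, 'on <if>' and 'with ...' are ignored."""
from ipaddress import ip_address, ip_network

def parse_rule(line):
    w = line.split()
    r = {"action": w[0], "dir": "in" if "in" in w else "out", "quick": "quick" in w,
         "proto": None, "from": "any", "to": "any", "port": None, "group": None, "head": None}
    for i, tok in enumerate(w):
        if tok in ("proto", "from", "to", "group", "head"):
            r[tok] = w[i + 1]
        elif tok == "port":                      # only the 'port = N' form is modelled
            r["port"] = int(w[i + 2])
    return r

def in_net(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and in_net(pkt["src"], r["from"]) and in_net(pkt["dst"], r["to"])
            and (r["port"] is None or r["port"] == pkt.get("dport")))

def evaluate(rules, pkt, group=None):
    """Return (action, stopped_by_quick); action is None when nothing matched."""
    result = None
    for r in rules:
        if r["group"] != group or not matches(r, pkt):
            continue
        result = r["action"]
        if r["head"]:                            # dive into the group this rule heads
            sub, quick = evaluate(rules, pkt, r["head"])
            result = sub or result
            if quick:
                return result, True
        if r["quick"]:
            return result, True
    return result, False

def decide(ruleset, pkt, default="block"):      # default as with IPFILTER_DEFAULT_BLOCK
    rules = [parse_rule(ln) for ln in ruleset.splitlines() if ln.strip() and not ln.startswith("#")]
    return evaluate(rules, pkt)[0] or default

# Constructed excerpt of the quoted inbound group, without and with 'quick' on the address blocks.
ORIGINAL = """block in on fxp0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 130.225.156.24/32 to any group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
pass in quick proto udp from any to any port = 514 group 200"""
WITH_QUICK = ORIGINAL.replace("block in from", "block in quick from")
SSH_FROM_LOOPBACK = {"dir": "in", "proto": "tcp", "src": "127.0.0.1", "dst": "192.168.0.4", "dport": 22}
```

decide(ORIGINAL, SSH_FROM_LOOPBACK) yields "pass" because the non-quick block is overridden by the later quick pass, while decide(WITH_QUICK, SSH_FROM_LOOPBACK) yields "block"; an inbound ICMP packet matches nothing in the group and falls back to the head rule's block.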

This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:42 CET