IPF/IPNat Problem(s)
Hello,

Following the posting that pings do not go out from internal
networks...I wondered if it ever worked on mine, and they don't...I have
now come to a standstill...I would appreciate any suggestions.

Machine : 2.8-current
Arch    : x86

Here are the problems/questions I have:

1) Outgoing pings show up in ipflog (attached) as passed, but the other
internal machines show request timeouts..I fail to see why this is
happening..sysctl variables are all set..

2) I also struggle with passive ftp...and I cannot get it to work properly.
(drove me mad at times)..so, could you guys comment on incoming passive
ftp (for the ftpd), and the outgoing passive ftp via clients for my
ipf.rules?

3) Correct me if I am wrong, in a ruleset like "pass in quick proto
tcp/udp from any to any port 6969 >< 7171 keep state keep frags group
100", does that include port 6969 as well? I.e. >= 6969 and <=
7171...what would be a good way to do it?

Attached find my ipf.rules, ipnat.rules, commands.sh (a shell script that
reloads the rules) and the ipflog that shows that pings actually go
through, but the other internal machines show request timeouts..

BTW, I personally believe that my ruleset is pretty secure, and blows
nmap away! :-) Any comments to the contrary are welcome.


-- 
Kevin Sindhu
Systems Engineer				E-Mail: kevin@tgivan.com
TGI Technologies Inc.				Tel: (604) 872-6676 Ext 321
107 E 3rd Ave,					Fax: (604) 872-6601
Vancouver,BC V5T 1C7
Canada.

command.sh

#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets, IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header,
#  and anything with IP options.
#
# BLOCK ALL EVIL PACKETS
block in log quick on tun0 proto icmp from any to any icmp-type redir
block in log quick on tun0 proto tcp/udp all with short
block in log quick on tun0 from any to any with ipopts
block in log quick on tun0 from any to any with opt lsrr
block in log quick on tun0 from any to any with opt ssrr


# Block nmap attempts
block in log quick on tun0 proto tcp from any to any flags FUP

# Leave loopback alone!
pass in quick on lo0 all
pass out quick on lo0 all

#*************************************************************
# Setup Groups
# 100 incoming tun0
# 150 outgoing tun0
# 200 incoming xl0
# 250 outgoing xl0
#*************************************************************
block in log on tun0 all head 100
block out log on tun0 all head 150
#*************************************************************
block in log on xl0 all head 200
block out log on xl0 all head 250
#*************************************************************

#*************************************************************
#	Incoming tun0 traffic - group 100
#*************************************************************
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.33.0/24 group 100
block in log quick from any to 127.0.0.1/8 group 100

#  Block any IP spoofing atempts.  (Packets "from" our network
#  shouldn't be coming in from outside).
# 2) deny EVIL packets from the internet

block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from any to 172.16.0.0/16 group 100
block in log quick from 192.168.0.0/24 to any group 100
block in log quick from any to 192.168.0.0/24 group 100
block in log quick from 0.0.0.0/32 to any group 100
block in log quick from 255.255.255.255/32 to any group 100
# Let see if we get scanned for 31337 and 12345

block in log quick on tun0 proto tcp/udp from any to any port = 31337
block in log quick on tun0 proto tcp/udp from any to any port = 12345

#*************************************************************
# Done Blocking, lets allow stuff
#*************************************************************

# Allow incoming ftp
pass in log quick proto tcp from any to any port = 21 group 100

# Ftp-data
pass in log quick proto tcp from any to any port = ftp-data keep state group 100
pass in log quick proto tcp from any port = ftp-data to any port 1024 >< 5000 keep state group 100


# Incoming SSH Connections
pass in log quick proto tcp from any to any port = 22 keep state group 100 

#Incoming Licq connections
pass in log quick proto tcp/udp from any to any port 3999 >< 4020  keep state group 100 

# Incoming HTTP
pass in log quick proto tcp from any to any port = 80 keep state group 100 

# Incoming Real Player Connections
pass in quick proto tcp/udp from any to any port 6969 >< 7171 keep state keep frags group 100

# Pass Identd
#pass in log quick proto tcp from any to any port = 113 flags S/SA keep state keep frags group 100

#  Block all incoming TCP traffic connections to known services,
#  returning a connection reset so things like ident don't take
#  forever timing out.  Don't log ident (auth port) as it's so common.
#
block return-rst in log on tun0 proto tcp from any to any flags S/SA
block return-rst in log on tun0 proto tcp from any to any port = auth flags S/SA


# If it is not defined, well lets block it
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100


#*******************************************************************
#	Outgoing tun0 traffic - group 150
#*******************************************************************

# Pass ICMP
pass out quick proto icmp all keep state group 150

#Pass ALL
pass out quick proto tcp/udp from any to any keep state keep frags group 150
#pass out quick proto tcp/udp from any to any group 150


#Pass Out DNS
pass out quick proto tcp/udp from any to any port = 53 keep state group 150

# Pass Telnet
pass out quick proto tcp/udp from any to any port = 23 keep state group 150

# Pass SSH
pass out quick proto tcp/udp from any to any port = 22 keep state group 150

# Pass Licq
pass out quick proto tcp/udp from any to any port = 4000 keep state group 150

#FTP 
pass out quick proto tcp from any to any port = 21 flags S keep state group 150

# FTP data
pass out quick proto tcp from any port = ftp-data to any port > 1023 keep state group 150
pass out quick proto tcp from any to any port = 20 keep state group 150

# HTTP
pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150

#HTTPS
pass out quick proto tcp from any to any port = 443 flags S/SA keep state keep frags group 150

# Squid Connections
pass out quick proto tcp from any to any port = 3128 flags S/SA keep state keep frags group 150

# Other http data port
pass out quick proto tcp from any to any port = 8080 flags S/SA keep state keep frags group 150

# Stupid Strayer Java app port access
#pass out quick proto tcp from any to any port = 8081 keep state keep frags group 150

#SMTP
pass out quick proto tcp from any to any port = 25 flags S/SA keep state keep frags group 150

# identd(I have it usually disabled)
#pass out log quick proto tcp from any to any port = 113 flags S/SA keep state keep frags group 150

# pop3
pass out quick proto tcp from any to any port = 110 flags S/SA keep state keep frags group 150

#NTP
pass out quick proto tcp/udp from any to any port = 123 keep state group 150

#nntp (News)
pass out quick proto tcp from any to any port = 119 keep state keep frags group 150

# XMMS
pass out quick proto tcp from any to any port = 8000 keep state group 150
pass out quick proto tcp from any to any port = 7500 keep state group 150

# Napster
pass out quick proto tcp from any to any port = 8888 flags S/SA keep state group 150

# IRC
pass out quick proto tcp from any to any port = 6667 flags S/SA keep state group 150

# OutGoing Real Audio
pass out quick proto tcp from any to any port = 7070 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 554 flags S/SA keep state keep frags group 150


#*************************************************************************
# Incoming data on xl0 - group 200
#*************************************************************************
#
# We trust anything inside our network, so we'll pass everything
pass in quick from 192.168.33.0/24 to any group 200

#*************************************************************************
# Outgoing data on xl0 - group 250
#*************************************************************************
pass out quick from 192.168.33.0/24 to any group 250

ipflog

Jan 31 11:00:01 satan newsyslog[23804]: logfile turned over
Jan 31 21:46:23 satan ipmon[10010]: 21:46:22.820277             tun0 @0:2 p 206-180-207-72.ihermes.com,123 -> tick.usask.ca,123 PR udp len 20 76  OUT 
Jan 31 21:46:23 satan ipmon[10010]: 21:46:23.371109             tun0 @0:2 p 206-180-207-72.ihermes.com,24328 -> zeus.ihermes.com,53 PR udp len 20 73  OUT 
Jan 31 21:46:23 satan ipmon[10010]: 21:46:23.505402             tun0 @0:2 p 206-180-207-72.ihermes.com,33934 -> zeus.ihermes.com,53 PR udp len 20 72  OUT 
Jan 31 21:47:19 satan ipmon[10010]: 21:47:18.799834             tun0 @0:2 p 206-180-207-72.ihermes.com,1806 -> zeus.ihermes.com,53 PR udp len 20 72  OUT 
Jan 31 21:47:19 satan ipmon[10010]: 21:47:18.918134              xl0 @0:3 p zeus.ihermes.com,53 -> 192.168.33.3,1034 PR udp len 20 102  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:26.435842             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> 206.194.197.98,53 PR udp len 20 59  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:26.462345             tun0 @0:2 p 206-180-207-72.ihermes.com,2808 -> zeus.ihermes.com,53 PR udp len 20 73  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:26.820213             tun0 @0:2 p 206-180-207-72.ihermes.com,123 -> tick.usask.ca,123 PR udp len 20 76  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:28.435043             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> 206.194.197.98,53 PR udp len 20 59  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:30.438441             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> zeus.ihermes.com,53 PR udp len 20 59  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:30.438579             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> hera.ihermes.com,53 PR udp len 20 59  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:30.438680             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> 206.194.197.98,53 PR udp len 20 59  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:30.632665              xl0 @0:3 p zeus.ihermes.com,53 -> 192.168.33.3,1035 PR udp len 20 453  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:30.706886              xl0 @0:3 p hera.ihermes.com,53 -> 192.168.33.3,1035 PR udp len 20 466  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:31.470613             tun0 @0:2 p 206-180-207-72.ihermes.com,12596 -> hera.ihermes.com,53 PR udp len 20 73  OUT 
Jan 31 21:47:41 satan ipmon[10010]: 21:47:36.480285             tun0 @0:2 p 206-180-207-72.ihermes.com,3782 -> zeus.ihermes.com,53 PR udp len 20 73  OUT 
Jan 31 21:48:31 satan ipmon[10010]: 21:48:30.820287             tun0 @0:2 p 206-180-207-72.ihermes.com,1147 -> tick.usask.ca,123 PR udp len 20 76  OUT 
Jan 31 21:49:01 satan ipmon[10010]: 21:49:00.645557             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:49:02 satan ipmon[10010]: 21:49:02.053942             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:49:03 satan ipmon[10010]: 21:49:03.055622             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:49:04 satan ipmon[10010]: 21:49:04.057294             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:51:33 satan ipmon[10010]: 21:51:33.151298             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:51:34 satan ipmon[10010]: 21:51:34.309100             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:51:35 satan ipmon[10010]: 21:51:35.310786             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 
Jan 31 21:51:36 satan ipmon[10010]: 21:51:36.312467             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT 

ipnat.rules

# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
#map tun0  10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000

map tun0 192.168.33.0/0 -> tun0/32 proxy port ftp ftp/tcp
#map tun0 192.168.33.0/24 -> tun0/32 portmap tcp/udp auto
map tun0 0/0 -> tun0/32 portmap tcp/udp auto
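Added example, not part of the post: a parser for the ipmon(8) log format used in the ipflog above, with a check for the symptom visible in its icmp lines, namely packets passed OUT on tun0 whose source is still a 192.168.33.x address, i.e. traffic the ipnat map rules did not translate (an ipnat `map ... portmap tcp/udp` rule only rewrites TCP and UDP; ICMP needs its own map rule without portmap). The sample lines are constructed in the same format; the interface name tun0 comes from the post, everything else is mine.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the ipmon(8) format used by the ipflog above.
SAMPLE_LOG = """\
Jan 31 21:47:26 satan ipmon[10010]: 21:47:26.435842             tun0 @0:2 p 206-180-207-72.ihermes.com,1807 -> 206.194.197.98,53 PR udp len 20 59  OUT
Jan 31 21:47:30 satan ipmon[10010]: 21:47:30.632665              xl0 @0:3 p zeus.ihermes.com,53 -> 192.168.33.3,1035 PR udp len 20 453  OUT
Jan 31 21:49:01 satan ipmon[10010]: 21:49:00.645557             tun0 @150:1 p 192.168.33.3 -> www9.yahoo.com PR icmp len 20 60 icmp 8/0 K-S OUT
"""

# time iface @group:rule action src[,port] -> dst[,port] PR proto len hlen plen [extras] IN|OUT
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+)\s+(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>\S+?)(?:,(?P<sport>\w+))? -> "
    r"(?P<dst>\S+?)(?:,(?P<dport>\w+))? PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?P<extra>.*?)\s*(?P<dir>IN|OUT)\s*$"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipmon(text):
    """Parse ipmon log lines into dicts; lines in another format (newsyslog etc.) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def is_private(host):
    """True for a literal RFC 1918 address; names ipmon already resolved are not private."""
    try:
        return any(ip_address(host) in net for net in RFC1918)
    except ValueError:
        return False


def untranslated_egress(records, external_iface="tun0"):
    """Packets passed OUT on the external interface that still carry a private source.
    A NAT gateway should never emit these: each one is a packet the map rules skipped."""
    return [r for r in records
            if r["dir"] == "OUT" and r["iface"] == external_iface
            and r["action"] == "p" and is_private(r["src"])]


if __name__ == "__main__":
    for r in untranslated_egress(parse_ipmon(SAMPLE_LOG)):
        print(f"{r['time']} {r['iface']} @{r['group']}:{r['rule']} {r['proto']} "
              f"{r['src']} -> {r['dst']} left untranslated ({r['extra'].strip()})")
```

Run it against the real ipflog (`python3 check.py < /var/log/ipflog` after replacing SAMPLE_LOG with stdin) and every line it prints is a packet that reached the wire with an internal address, which is exactly what the remote side cannot answer.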
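An added model of the ipf port comparison operators (my own code, not IPFilter's), to make the third question concrete: `><` matches only ports strictly between its operands, so `port 6969 >< 7171` excludes both 6969 and 7171, and an inclusive 6969..7171 range is written `port 6968 >< 7172`. The semantics follow ipf.conf(5); the helper names are assumptions of this example.

```python
# ipf.conf(5) port expressions: "port a OP" for the single-operand forms and
# "port a >< b" / "port a <> b" for the two-operand range forms.
# Model written for this example only; not IPFilter code.
OPS = {
    "=":  lambda p, a, b: p == a,
    "!=": lambda p, a, b: p != a,
    "<":  lambda p, a, b: p < a,
    ">":  lambda p, a, b: p > a,
    "<=": lambda p, a, b: p <= a,
    ">=": lambda p, a, b: p >= a,
    "><": lambda p, a, b: a < p < b,       # strictly inside: both endpoints excluded
    "<>": lambda p, a, b: p < a or p > b,  # strictly outside: both endpoints excluded
}


def port_matches(port, op, a, b=None):
    """Does 'port' satisfy the ipf expression 'port a op [b]'?"""
    return OPS[op](port, a, b)


def inclusive_range_operands(lo, hi):
    """Operands for 'port X >< Y' that match every port from lo to hi inclusive."""
    return lo - 1, hi + 1


def matched_ports(op, a, b=None):
    """All ports 1..65535 matched by the expression, for eyeballing a rule."""
    return [p for p in range(1, 65536) if port_matches(p, op, a, b)]


if __name__ == "__main__":
    lo, hi = inclusive_range_operands(6969, 7171)
    ports = matched_ports("><", lo, hi)
    print(f"port {lo} >< {hi} matches {ports[0]}..{ports[-1]} ({len(ports)} ports)")
```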