seca111
Posted: Mon Apr 11, 2005 4:01 pm    Post subject: ipfilter question
I am having a problem with my ipfilter firewall box. It is not giving me the security that I believe it should. Let me know if this is possible.
1. Hardware configuration. I have the cable coming out of my router going into the firewall box (running NetBSD), which has two network cards in it. Then out of the second network card I have a cable going into my switch, which then connects to everyone on my network.
2. I have checked over and over the rules in ipf.conf and everything seems to be set as it is supposed to be. But I did a test today that I found disturbing. I put a "block in log quick all" and a "block out log quick all" at the start of the ipf.conf file. Then I tried from outside to ssh into one of my boxes and I got in, no problem. I assume I shouldn't have been able to?
What I think is happening now is that ipfilter is only blocking things directed at it and not at the network. I believe this because if I try to ssh to it, the firewall catches it and the logs show this, but everyone else doesn't get caught. Also, in the log every packet that is caught is directed at the IP of the firewall box and not any that are on my network.
Any help would be greatly appreciated. I have checked the bridge and it looks like it's set up correctly.
EdisonRex
Posted: Mon Apr 11, 2005 11:42 pm
seca, can you post the rules you are using? It sounds like you don't have network rules set up, just host rules (x.y.z.a instead of x.y.z.0).
seca111
Posted: Tue Apr 12, 2005 5:08 am
This is going to sound like a really dumb question, but where do I get those from?
I assume you are not talking about the actual ipfilter rules; if so, I can post those.
EdisonRex
Posted: Wed Apr 13, 2005 1:46 am
Post what rulesets you are using, yes, please.
seca111
Posted: Wed Apr 13, 2005 4:57 am
We are just trying to do basic port blocking, so here is what we use.
# rtk0 interface
pass in quick on rtk0 proto tcp from any to any port = 80
pass in quick on rtk0 proto tcp from any to any port = 25
pass in quick on rtk0 proto tcp from any to any port = 63
pass in quick on rtk0 proto tcp from any to any port = 443
pass in quick on rtk0 proto tcp from any to any port = 68
pass in quick on rtk0 proto tcp from any to any port = 66
pass in quick on rtk0 proto tcp from any to any port = 1583
pass in quick on rtk0 proto tcp from any to any port = 35
pass in quick on rtk0 proto icmp from any to any
pass in quick on rtk0 proto udp from any to any
pass out quick on rtk0 proto tcp from any to any port = 80
pass out quick on rtk0 proto tcp from any to any port = 25
pass out quick on rtk0 proto tcp from any to any port = 63
pass out quick on rtk0 proto tcp from any to any port = 443
pass out quick on rtk0 proto tcp from any to any port = 68
pass out quick on rtk0 proto tcp from any to any port = 66
pass out quick on rtk0 proto tcp from any to any port = 1583
pass out quick on rtk0 proto tcp from any to any port = 35
pass out quick on rtk0 proto icmp from any to any
pass out quick on rtk0 proto udp from any to any
pass in quick on rtk0 proto tcp from any to any port = 80
#tlp0 interface
pass in quick on tlp0 proto tcp from any to any port = 25
pass in quick on tlp0 proto tcp from any to any port = 63
pass in quick on tlp0 proto tcp from any to any port = 443
pass in quick on tlp0 proto tcp from any to any port = 68
pass in quick on tlp0 proto tcp from any to any port = 66
pass in quick on tlp0 proto tcp from any to any port = 1583
pass in quick on tlp0 proto tcp from any to any port = 35
pass in quick on tlp0 proto icmp from any to any
pass in quick on tlp0 proto udp from any to any
pass out quick on tlp0 proto tcp from any to any port = 80
pass out quick on tlp0 proto tcp from any to any port = 25
pass out quick on tlp0 proto tcp from any to any port = 63
pass out quick on tlp0 proto tcp from any to any port = 443
pass out quick on tlp0 proto tcp from any to any port = 68
pass out quick on tlp0 proto tcp from any to any port = 66
pass out quick on tlp0 proto tcp from any to any port = 1583
pass out quick on tlp0 proto tcp from any to any port = 35
pass out quick on tlp0 proto icmp from any to any
pass out quick on tlp0 proto udp from any to any
#block everything else
block in log all
block out log all
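Added example, not from the thread or from IPFilter itself: a small rule walker that parses ipf.conf lines like the ones posted above and applies IPFilter's matching order (last match wins unless a matching rule says "quick"; a packet that matches nothing is passed), so you can check what the ruleset would do to a given packet before blaming the rules. The ruleset embedded below is a constructed subset of the rtk0 section above, and the packet fields (direction, interface, proto, port) are assumptions for the illustration.

```python
# Added example, not from the thread: walk an ipf.conf with IPFilter's
# matching semantics (last match wins unless a matching rule says "quick";
# default is pass when nothing matches) for one packet that reaches ipf.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action quick direction iface proto src dst port")
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)((?:\s+(?:log|quick))*)(?:\s+on\s+(\S+))?"
    r"(?:\s+proto\s+(\S+))?\s+(?:all|from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+port\s*=\s*(\d+))?)$")

def parse(conf):
    """Parse ipf.conf text into Rule tuples; comments and blanks are skipped."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        act, d, flags, ifc, proto, src, dst, port = m.groups()
        rules.append(Rule(act, "quick" in flags, d, ifc, proto, src or "any",
                          dst or "any", int(port) if port else None))
    return rules

def decide(rules, direction, iface, proto, port=None, src="any", dst="any"):
    """Return 'pass' or 'block' for one packet under ipf's matching order."""
    verdict = "pass"                      # ipf's default when no rule matches
    for r in rules:
        if (r.direction == direction and r.iface in (None, iface)
                and r.proto in (None, proto) and r.port in (None, port)
                and r.src in ("any", src) and r.dst in ("any", dst)):
            verdict = r.action
            if r.quick:                   # "quick": stop at this match
                break
    return verdict

# Constructed sample: part of the rtk0 section of the posted ruleset.
PORTS = (80, 25, 63, 443, 68, 66, 1583, 35)
CONF = "\n".join(f"pass {d} quick on rtk0 proto tcp from any to any port = {p}"
                 for d in ("in", "out") for p in PORTS)
CONF += "\npass in quick on rtk0 proto udp from any to any\n"
CONF += "block in log all\nblock out log all\n"
RULES = parse(CONF)

if __name__ == "__main__":
    print("tcp/22 in on rtk0:", decide(RULES, "in", "rtk0", "tcp", 22))  # block
    print("udp/53 in on rtk0:", decide(RULES, "in", "rtk0", "udp", 53))  # pass
```

The walk shows the posted rules would block inbound tcp/22 (and that the "proto udp from any to any" line lets every UDP datagram in), which only matters for frames the bridge actually hands to ipf; on NetBSD, bridged traffic is filtered by ipf only when the bridge is configured for it (brconfig's ipf flag, which needs the BRIDGE_IPF kernel option).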
soup4you2
Posted: Wed Apr 13, 2005 7:33 am
If you're running NetBSD, why not use PF? It's far superior.
This page has a decent ipf ruleset:
http://www.littlewhitedog.com/content-74.html
seca111
Posted: Wed Apr 13, 2005 7:38 am
soup4you2 wrote:
If you're running NetBSD, why not use PF? It's far superior.
This page has a decent ipf ruleset:
http://www.littlewhitedog.com/content-74.html
Thanks soup, I'll take a look at that.
Is my first question possible: is it possible that it's only blocking things destined for itself and not packets that are being passed through?
Why would all the logged blocks be for packets where the destination is the IP of the firewall box and never any of the boxes on my network?
soup4you2
Posted: Wed Apr 13, 2005 10:48 am
seca111 wrote:
soup4you2 wrote:
If you're running NetBSD, why not use PF? It's far superior.
This page has a decent ipf ruleset:
http://www.littlewhitedog.com/content-74.html
Thanks soup, I'll take a look at that.
Is my first question possible: is it possible that it's only blocking things destined for itself and not packets that are being passed through?
Why would all the logged blocks be for packets where the destination is the IP of the firewall box and never any of the boxes on my network?
OK, some suggestions here.
Quote:
I am having a problem with my ipfilter firewall box. It is not giving me the security that I believe it should. Let me know if this is possible.
1. Hardware configuration. I have the cable coming out of my router going into the firewall box (running NetBSD), which has two network cards in it. Then out of the second network card I have a cable going into my switch, which then connects to everyone on my network.
A suggested setup would be
modem -> BSD box (configured as a transparent bridge, i.e. an IP-less box) -> router/switch -> end users.
Now I have never set up a transparent bridge through IPF, but I know it can be done. You might wanna take a close look at this:
http://www.obfuscation.org/ipf/ipf-howto.txt
or here for doing it in PF:
http://ezine.daemonnews.org/200207/transpfobsd.html
Quote:
2. I have checked over and over the rules in ipf.conf and everything seems to be set as it is supposed to be. But I did a test today that I found disturbing. I put a "block in log quick all" and a "block out log quick all" at the start of the ipf.conf file. Then I tried from outside to ssh into one of my boxes and I got in, no problem. I assume I shouldn't have been able to?
Start off with a blank ruleset:
pass out all
block in all
then slowly add in more rules, testing as you go along.
Sorry if I don't have the time to go into more detail, but I have a lot to do right now.
Good luck.
seca111
Posted: Wed Apr 13, 2005 11:07 am
soup4you2 wrote:
Start off with a blank ruleset:
pass out all
block in all
then slowly add in more rules, testing as you go along.
Sorry if I don't have the time to go into more detail, but I have a lot to do right now.
Good luck.
Thanks for the help even though you are busy.
Something must be wrong with the configuration and not the ruleset.
I set up the file as you stated:
pass out all
block in all
I ran ipfstat -hi to verify that the new rules loaded, and they did.
Then I tried and successfully sent an email to myself from outside of the building, and ssh'd out to a remote box and back into another box here. The firewall didn't catch anything.
seca111
Posted: Wed Apr 13, 2005 1:24 pm
soup4you2 wrote:
A suggested setup would be
modem -> BSD box (configured as a transparent bridge, i.e. an IP-less box) -> router/switch -> end users.
Now I have never set up a transparent bridge through IPF, but I know it can be done. You might wanna take a close look at this:
http://www.obfuscation.org/ipf/ipf-howto.txt
or here for doing it in PF:
http://ezine.daemonnews.org/200207/transpfobsd.html
I cannot do this, as my phone lines use the same T1s; I'm told that the router is the first thing that the lines need to hit.