Re: ipfilter ident issue

This is a discussion on Re: ipfilter ident issue within the IPFilter forums, part of the System Security and Security Related category.
On 12/9/05, Phil Dibowitz <phil@ipom.com> wrote:
> As others have pointed out, your mail was formatted poorly...

I apologize for the formatting. I post to a couple of other list serves almost daily and have never had a formatting problem before now. I'm not seeing the issue on my end, all the line breaks appear fine. Looking at my gmail settings I discovered I can change from UTF-8 to 'default formatting', whatever that is. Does this second attempt appear to be formatted any better?

#State your problem very clearly.

I am trying to get my ipfilter-based firewall to allow ident access on a pc on my private network. I can telnet to port 113 from a remote host, but ident cannot reply back even though my incoming rule has keep state defined. I've read docs, man pages, mailing list archives, and google'd for a week. I've tried everything I've seen. I'm not a network guru by any means.

#Give all error messages.

I don't really have any error messages, other than the fact that when I login to any irc server my ident does not work. I was previously using an exclusive ipfw-based firewall. I recently switched to ipfilter and am trying to get an inclusive ruleset worked up. I have most everything working at this point, except ident.

#Give all information
#Include as much information as possible. Start with:
# uname -a

> uname -a
FreeBSD gateway.localdomain 6.0-STABLE FreeBSD 6.0-STABLE #4: Fri Dec 2 18:50:10 CST 2005 root@gateway.localdomain:/usr/src/sys/i386/compile/MYKERNEL i386

In addition here is my MYKERNEL config:

> cat MYKERNEL
machine         i386
cpu             I586_CPU
ident           MYKERNEL
options         SCHED_4BSD              # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
device          apic                    # I/O APIC
device          eisa
device          pci
device          fdc
device          ata
device          atadisk                 # ATA disk drives
options         ATA_STATIC_ID           # Static device numbering
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse
device          vga                     # VGA video card driver
device          splash                  # Splash screen and screen saver support
device          sc
device          sio                     # 8250, 16[45]50 based serial ports
device          miibus                  # MII bus support
device          dc                      # DEC/Intel 21143 and various workalikes
device          tl                      # Texas Instruments ThunderLAN
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
device          bpf                     # Berkeley packet filter
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
#options        IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         HZ=1000
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK

# isainfo -vk

> isainfo -vk
-su: isainfo: command not found

# ifconfig -a

> ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 24.183.200.193 netmask 0xfffffc00 broadcast 255.255.255.255
        ether 00:a0:cc:29:2c:8e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
tl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
        ether 00:80:5f:83:36:ff
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

# netstat -rn

> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            24.183.200.1       UGS         0   150194    dc0
10                 link#2             UC          0        0    tl0
10.0.0.2           00:a0:cc:27:82:fc  UHLW        1     9059    tl0
10.0.0.3           00:e0:81:30:ae:45  UHLW        1    12959    tl0
10.0.0.4           00:50:fc:9c:bb:47  UHLW        1        2    tl0
24.183.200/22      link#1             UC          0        0    dc0
24.183.200.1       00:05:00:e3:dc:7a  UHLW        2        0    dc0
127.0.0.1          127.0.0.1          UH          0       66    lo0

# netstat -i

> netstat -i
Name  Mtu   Network        Address              Ipkts Ierrs    Opkts Oerrs  Coll
dc0   1500  <Link#1>       00:a0:cc:29:2c:8e  5369389     8   119212     0     0
dc0   1500  24.183.200/22  24-183-200-193.dh    29352     -      738     -     -
tl0   1500  <Link#2>       00:80:5f:83:36:ff   127064     0   131938     0     0
tl0   1500  10             gateway               4515     -     6727     -     -
lo0   16384 <Link#3>                               66     0       66     0     0
lo0   16384 your-net       localhost               66     -       66     -     -

# netstat -s -P ip

> netstat -s -P ip
netstat: illegal option -- P

> netstat -s ip
tcp:
        4370 packets sent
                4294 data packets (513446 bytes)
                0 data packets (0 bytes) retransmitted
                0 data packets unnecessarily retransmitted
                0 resends initiated by MTU discovery
                62 ack-only packets (26 delayed)
                0 URG only packets
                0 window probe packets
                0 window update packets
                14 control packets
        32172 packets received
                4017 acks (for 513461 bytes)
                5 duplicate acks
                0 acks for unsent data
                975 packets (55076 bytes) received in-sequence
                0 completely duplicate packets (0 bytes)
                0 old duplicate packets
                0 packets with some dup. data (0 bytes duped)
                0 out-of-order packets (0 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                0 window update packets
                0 packets received after close
                0 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
        5 connection requests
        6 connection accepts
        0 bad connection attempts
        0 listen queue overflows
        0 ignored RSTs in the windows
        11 connections established (including accepts)
        9 connections closed (including 0 drops)
                5 connections updated cached RTT on close
                5 connections updated cached RTT variance on close
                0 connections updated cached ssthresh on close
        0 embryonic connections dropped
        4017 segments updated rtt (of 3999 attempts)
        0 retransmit timeouts
                0 connections dropped by rexmit timeout
        0 persist timeouts
                0 connections dropped by persist timeout
        0 keepalive timeouts
                0 keepalive probes sent
                0 connections dropped by keepalive
        719 correct ACK header predictions
        585 correct data packet header predictions
        11 syncache entries added
                10 retransmitted
                9 dupsyn
                0 dropped
                6 completed
                0 bucket overflow
                0 cache overflow
                2 reset
                3 stale
                0 aborted
                0 badack
                0 unreach
                0 zone failures
        0 cookies sent
        0 cookies received
        0 SACK recovery episodes
        0 segment rexmits in SACK recovery episodes
        0 byte rexmits in SACK recovery episodes
        0 SACK options (SACK blocks) received
        0 SACK options (SACK blocks) sent
        0 SACK scoreboard overflow
udp:
        1773 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        264 with no checksum
        1029 dropped due to no socket
        6 broadcast/multicast datagrams dropped due to no socket
        0 dropped due to full socket buffers
        0 not for hashed pcb
        738 delivered
        745 datagrams output
ip:
        302638 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        33994 packets for this host
        7 packets for unknown/unsupported protocol
        242208 packets forwarded (0 packets fast forwarded)
        2461 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
        36204 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
icmp:
        3490 calls to icmp_error
        1 error not generated in response to an icmp message
        Output histogram:
                echo reply: 46
                destination unreachable: 3489
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        0 multicast echo requests ignored
        0 multicast timestamp requests ignored
        Input histogram:
                destination unreachable: 6
                echo: 46
                time exceeded: 1
        46 message responses generated
        0 invalid return addresses
        0 no return routes
        ICMP address mask responses are disabled
igmp:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
Warning: sysctl(net.inet6.ip6.rip6stats): No such file or directory

# ipf -V

> ipf -V
ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa

# ipfstat

> ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 23784 passed 278896 nomatch 27632 counted 0 short 0
output packets:         blocked 31074 passed 250023 nomatch 1 counted 0 short 0
 input packets logged:  blocked 401 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 2311       lost 0
packet state(out):      kept 4819       lost 31074
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  15839   (out):  4137
IN Pullups succeeded:   26      failed: 0
OUT Pullups succeeded:  3508    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      179980
Packet log flags set: (0)
        none

# ipfstat -io

> ipfstat -io
pass out quick on tl0 all
pass out quick on lo0 all
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
pass out quick on dc0 proto tcp from any to 24.159.64.23/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.23/32 port = domain keep state
pass out quick on dc0 proto tcp from any to 24.159.64.21/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.21/32 port = domain keep state
pass out quick on dc0 proto tcp from any to 24.159.64.20/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.20/32 port = domain keep state
pass out quick on dc0 proto udp from any to any port = bootps keep state
pass out quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = https flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = imap flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = pop3 flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = smtp flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = time flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = nntp flags S/FSRPAU keep state
pass out quick proto tcp from any port > 1023 to any port = ftp flags S/FSRPAU keep state
pass out quick proto tcp from any port > 1023 to any port > 1023 flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = telnet flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = cvsup flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = ircd flags S/FSRPAU keep state
pass out quick on dc0 proto icmp from any to any icmp-type echo keep state
pass out quick on dc0 proto icmp from any to any icmp-type echorep keep state
pass out quick on dc0 proto icmp from any to any icmp-type timex keep state
pass out quick on dc0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
block out log first quick on dc0 all
pass in quick on tl0 all
pass in quick on lo0 all
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 0.0.0.0/8 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any
block in log first quick on dc0 from any to any with frag
block in log first quick on dc0 proto tcp from any to any with short
block in log first quick on dc0 from any to any with opt lsrr
block in log first quick on dc0 from any to any with opt ssrr
block in log first quick on dc0 proto tcp from any to any flags FPU/FSRPAU
block in log first quick on dc0 from any to any with ipopts
block in quick on dc0 proto icmp from any to any icmp-type echo
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn
block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns
pass in quick on dc0 proto udp from 10.160.0.1/32 to any port = bootpc keep state
pass in quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from any to any port = auth flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from any to any port = 2217 flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = dec-notes flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = search flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-cc flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = ttyinfo flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-am flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = troff flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = bootserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress-stat flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = terminaldb flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = whosockami flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = xinupageserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = dec-notes flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = search flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-cc flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = ttyinfo flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-am flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = troff flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = bootserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress-stat flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = terminaldb flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = whosockami flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = xinupageserver flags S/FSRPAU keep state
block in log first quick on dc0 all

# ipnat -slv

I doubt you really want to see all of this, it was very long. Here is a good chunk of it:

> ipnat -slv
mapped  in      124643  out     119264
added   7800    expired 0
no memory       0       bad nat 0
inuse   452
rules   16
wilds   0
table 0xbfbfeb7c list 0xc1867000
List of active MAP/Redirect filters:
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80 tcp
rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113 tcp
rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010 tcp
rdr dc0 0.0.0.0/0 port 2011 -> 10.0.0.2 port 2011 tcp
rdr dc0 0.0.0.0/0 port 2012 -> 10.0.0.2 port 2012 tcp
rdr dc0 0.0.0.0/0 port 2013 -> 10.0.0.2 port 2013 tcp
rdr dc0 0.0.0.0/0 port 2014 -> 10.0.0.2 port 2014 tcp
rdr dc0 0.0.0.0/0 port 2015 -> 10.0.0.2 port 2015 tcp
rdr dc0 0.0.0.0/0 port 2016 -> 10.0.0.2 port 2016 tcp
rdr dc0 0.0.0.0/0 port 2017 -> 10.0.0.2 port 2017 tcp
rdr dc0 0.0.0.0/0 port 2018 -> 10.0.0.2 port 2018 tcp
rdr dc0 0.0.0.0/0 port 2019 -> 10.0.0.2 port 2019 tcp
rdr dc0 0.0.0.0/0 port 2020 -> 10.0.0.2 port 2020 tcp
rdr dc0 0.0.0.0/0 port 3333 -> 10.0.0.2 port 3333 tcp
map dc0 0.0.0.0/0 -> 0.0.0.0/32 portmap tcp/udp auto
map dc0 0.0.0.0/0 -> 0.0.0.0/32

List of active sessions:
MAP 24.183.200.193 54016 <- -> 24.183.200.193 55040 [24.159.64.23 53]
        age 181244 use 0 sumd 0x400/0x400 pr 17 bkt 735/739 flags 2 ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0
MAP 24.183.200.193 53567 <- -> 24.183.200.193 54591 [24.159.64.23 53]
        age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 485/489 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193 60321 <- -> 24.183.200.193 61345 [24.159.64.23 53]
        age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2 ifp dc0,dc0 bytes 204/71 pkts 1/1 ipsumd 0
MAP 24.183.200.193 60734 <- -> 24.183.200.193 61758 [24.159.64.23 53]
        age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 257/261 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193 59577 <- -> 24.183.200.193 60601 [24.159.64.23 53]
        age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2 ifp dc0,dc0 bytes 201/72 pkts 1/1 ipsumd 0
MAP 24.183.200.193 54448 <- -> 24.183.200.193 55472 [24.159.64.23 53]
        age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 758/762 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193 51915 <- -> 24.183.200.193 52939 [24.159.64.23 53]
        age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1519/1523 flags 2 ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0

And here are my rules:

> cat /etc/ipf.rules
###########################################
# no restrictions on inside lan interface #
###########################################
pass out quick on tl0 all
pass in quick on tl0 all

#########################################
# no restrictions on loopback interface #
#########################################
pass in quick on lo0 all
pass out quick on lo0 all

####################
# keep state rules #
####################
pass out quick on dc0 proto tcp all keep state
pass out quick on dc0 proto udp all keep state
pass out quick on dc0 proto icmp all keep state

####################
# outbound section #
####################

########################################
# allow out access to isp's dns server #
########################################
pass out quick on dc0 proto tcp from any to 24.159.64.23 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.23 port = 53 keep state
pass out quick on dc0 proto tcp from any to 24.159.64.21 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.21 port = 53 keep state
pass out quick on dc0 proto tcp from any to 24.159.64.20 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.20 port = 53 keep state

#########################################
# allow out access to isp's dhcp server #
#########################################
pass out quick on dc0 proto udp from any to any port = 67 keep state

#################
# allow out www #
#################
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state

########################
# allow out secure www #
########################
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

###################
# allow out email #
###################
pass out quick on dc0 proto tcp from any to any port = 143 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state

#################
# allow out ntp #
#################
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

##################
# allow out nntp #
##################
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state

#########################
# allow out passive ftp #
#########################
pass out quick proto tcp from any port > 1023 to any port = 21 flags S keep state
pass out quick proto tcp from any port > 1023 to any port > 1023 flags S keep state

#################
# allow out ssh #
#################
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

####################
# allow out telnet #
####################
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state

###################
# allow out cvsup #
###################
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state

#################
# allow out irc #
#################
pass out quick on dc0 proto tcp from any to any port = 6667 flags S keep state

##################
# allow out ping #
##################
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
pass out quick on dc0 proto icmp from any to any icmp-type 0 keep state
pass out quick on dc0 proto icmp from any to any icmp-type 11 keep state

###################
# allow out whois #
###################
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state

###################################################
#                                                 #
# block and log everything else trying to get out #
###################################################
#
block out log first quick on dc0 all

########################
# end outbound section #
########################

###################
# inbound section #
###################

##############################################
# block all inbound non-routable or reserved #
##############################################
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 0.0.0.0/8 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any

###############
# block frags #
###############
block in log first quick on dc0 all with frags

###########################
# block short tcp packets #
###########################
block in log first quick on dc0 proto tcp all with short

###############################
# block source routed packets #
###############################
block in log first quick on dc0 all with opt lsrr
block in log first quick on dc0 all with opt ssrr

##############################################
# block and log nmap OS fingerprint attempts #
##############################################
block in log first quick on dc0 proto tcp from any to any flags FUP

#######################################
# block anything with special options #
#######################################
block in log first quick on dc0 all with ipopts

######################
# block public pings #
######################
block in quick on dc0 proto icmp all icmp-type 8

#################
# block netbios #
#################
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn

#######################################
# block ms windows hosts2 name server #
#######################################
block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns

##############################
# allow in isp's dhcp server #
##############################
pass in quick on dc0 proto udp from 10.160.0.1 to any port = 68 keep state

################
# allow in www #
################
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state

##################
# allow in ident #
##################
pass in quick on dc0 proto tcp from any to any port = 113 flags S keep state

#############################
# allow in ssh on port 2217 #
#############################
pass in quick on dc0 proto tcp from any to any port = 2217 flags S keep state

##############################################
# allow sheeba and past0r to connect to jane #
##############################################
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 3333 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2010 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2011 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2012 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2013 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2014 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2015 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2016 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2017 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2018 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2019 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2020 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 3333 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2010 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2011 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2012 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2013 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2014 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2015 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2016 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2017 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2018 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2019 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2020 flags S keep state

#################################
# block and log everything else #
#################################
block in log first quick on dc0 all

#######################
# end inbound section #
#######################

> cat /etc/ipnat.rules
########################
# redirects inside lan #
########################
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80
rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113
rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010
rdr dc0 0.0.0.0/0 port 2011 -> 10.0.0.2 port 2011
rdr dc0 0.0.0.0/0 port 2012 -> 10.0.0.2 port 2012
rdr dc0 0.0.0.0/0 port 2013 -> 10.0.0.2 port 2013
rdr dc0 0.0.0.0/0 port 2014 -> 10.0.0.2 port 2014
rdr dc0 0.0.0.0/0 port 2015 -> 10.0.0.2 port 2015
rdr dc0 0.0.0.0/0 port 2016 -> 10.0.0.2 port 2016
rdr dc0 0.0.0.0/0 port 2017 -> 10.0.0.2 port 2017
rdr dc0 0.0.0.0/0 port 2018 -> 10.0.0.2 port 2018
rdr dc0 0.0.0.0/0 port 2019 -> 10.0.0.2 port 2019
rdr dc0 0.0.0.0/0 port 2020 -> 10.0.0.2 port 2020
rdr dc0 0.0.0.0/0 port 3333 -> 10.0.0.2 port 3333

#############
# basic nat #
#############
map dc0 0/0 -> 0/32 portmap tcp/udp auto
map dc0 0/0 -> 0/32

--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/
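One check worth automating on a ruleset like the one in the post is whether every ipnat rdr target (here port 113 redirected to 10.0.0.2) is matched by a pass in rule on the same interface, protocol and destination port, and whether that rule keeps state. The script below is an added example, not code from the post or from IPFilter; it assumes the /etc/ipf.rules and /etc/ipnat.rules syntax shown above with numeric ports, and its sample input is a constructed subset of the poster's rules with two deliberate gaps.

```python
"""Cross-check ipnat 'rdr' redirects against the ipf 'pass in' rules that
must admit them.  Rule order and 'block' rules are ignored, so a 'quick'
block placed ahead of a pass rule is not detected."""
import re

# rdr IFACE SRC port N -> HOST port M [tcp|udp|tcp/udp]
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+\S+\s+port\s+(?P<port>\d+)\s*->\s*"
    r"(?P<host>\S+)\s+port\s+\d+(?:\s+(?P<proto>tcp/udp|tcp|udp))?\s*$")

def parse_rdr(text):
    """Return (iface, proto, port, host) per rdr rule; 'tcp/udp' yields two."""
    rules = []
    for raw in text.splitlines():
        m = RDR_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        # ipnat assumes tcp when no protocol is given; the post's 'ipnat -slv'
        # listing shows the protocol-less file rules as '... tcp'.
        for proto in (m.group("proto") or "tcp").lower().split("/"):
            rules.append((m.group("iface"), proto, int(m.group("port")),
                          m.group("host")))
    return rules

def parse_pass_in(text):
    """Return one dict per 'pass in' rule: iface, proto, dport, keep_state, text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("pass in"):
            continue
        iface = re.search(r"\bon\s+(\S+)", line)
        proto = re.search(r"\bproto\s+(\S+)", line)
        dport = re.search(r"\bto\s+\S+\s+port\s*=\s*(\S+)", line)
        rules.append({
            "iface": iface.group(1) if iface else None,   # None: any interface
            "proto": proto.group(1).lower() if proto else "any",
            "dport": dport.group(1) if dport else None,   # None: any port
            "keep_state": "keep state" in line,
            "text": line,
        })
    return rules

def rule_admits(rule, iface, proto, port):
    """True if a parsed pass-in rule covers traffic to iface/proto/port."""
    if rule["iface"] not in (None, iface):
        return False
    if rule["proto"] not in ("any", proto, "tcp/udp"):
        return False
    return rule["dport"] in (None, str(port))

def audit(ipnat_text, ipf_text):
    """Map each rdr's (iface, proto, port) to (status, [admitting rule texts])."""
    passes = parse_pass_in(ipf_text)
    report = {}
    for iface, proto, port, _host in parse_rdr(ipnat_text):
        hits = [r for r in passes if rule_admits(r, iface, proto, port)]
        if not hits:
            status = "missing"      # nothing admits the redirected SYN
        elif not any(r["keep_state"] for r in hits):
            status = "stateless"    # reply path relies on outbound rules, not state
        else:
            status = "ok"
        report[(iface, proto, port)] = (status, [r["text"] for r in hits])
    return report

# Constructed sample: a subset of the post's rules, plus a redirect (2021)
# that no pass-in rule admits and a pass-in rule (2010) without keep state.
SAMPLE_IPNAT = """\
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80
rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113
rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010
rdr dc0 0.0.0.0/0 port 2021 -> 10.0.0.2 port 2021
map dc0 0/0 -> 0/32 portmap tcp/udp auto
"""
SAMPLE_IPF = """\
pass in quick on tl0 all
pass in quick on lo0 all
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 113 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2010 flags S
block in log first quick on dc0 all
"""

if __name__ == "__main__":
    for key, (status, hits) in sorted(audit(SAMPLE_IPNAT, SAMPLE_IPF).items()):
        print("%s %s port %d: %s" % (key + (status,)), *hits, sep="\n    ")
```

Run against the real files (read each with open(...).read()) to list, per redirect, the pass-in rules that admit it; a "stateless" or "missing" entry is the first thing to fix before looking at state timeouts.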