This is a discussion on Ipv6 Filtering strange problem within the IPFilter forums, part of the System Security and Security Related category.
Hello,

I would like to thank Mr Laxman Amruth for his help and for analysing IPv6 filtering along with me.

A little bit of progress in configuring IPFilter for IPv6 filtering: I was able to view IPv6 stats in the "ipfstat" output. We have to insert the "pfil" module on the network interface with the "inet6" option also. Something like:

    # ifconfig ce3 inet6 modinsert pfil@1    [immediately after the "ip" stream]

As soon as the pfil module is inserted, all packets passing through that network interface get blocked. We suspect a problem with IPv6 packet matching. The "ipfstat" output shows like below:

    root@sf44ce22> ipfstat
    bad packets:            in 0 out 0
     IPv6 packets:          in 13829 out 6769
     input packets:         blocked 0 passed 13829 nomatch 1 counted 0 short 0
    output packets:         blocked 0 passed 6769 nomatch 0 counted 0 short 0
     input packets logged:  blocked 0 passed 0
    output packets logged:  blocked 0 passed 0
     packets logged:        input 0 output 0
     log failures:          input 0 output 0
    fragment state(in):     kept 0 lost 0 not fragmented 0
    fragment state(out):    kept 0 lost 0 not fragmented 0
    packet state(in):       kept 0 lost 0
    packet state(out):      kept 0 lost 0
    ICMP replies:   0       TCP RSTs sent:  0
    Invalid source(in):     0
    Result cache hits(in):  5       (out):  0
    IN Pullups succeeded:   0       failed: 13823
    OUT Pullups succeeded:  0       failed: 6769
    Fastroute successes:    0       failures:       0
    TCP cksum fails(in):    0       (out):  0
    IPF Ticks:      7377
    Packet log flags set: (0)
            none
    ----------------------------------------------------------------------------------------------------------------
    root@sf44ce22> ipfstat -6hio
    empty list for ipfilter(out)
    0 block in log on ce3 proto tcp from any to 2106:22:188:252:0:66:1:4/64 port = ssh
    ----------------------------------------------------------------------------------------------------------------
    root@sf44ce22> ndd /dev/pfil pfil_inet6
    in
    function        flags
    7847a0e8        3
    out
    function        flags
    7847a0e8        3

    root@sf44ce22> ndd /dev/pfil qif_status
    ifname ill           q             OTHERQ        ipmp num sap  hl nr    nw   bad copy copyfail drop notip nodata notdata
    ce3    0x3000393f940 0x300296aa298 0x300296aa388 0x0  14  86dd 14 14865 7328 0   0    0        0    0     0      0
    QIF2   0x0           0x3002965eb48 0x3002965ec38 0x0  2   8035 0  0     0    0   0    0        0    0     0      0
    QIF1   0x0           0x30008cea820 0x30008cea910 0x0  1   806  0  2     13   0   0    0        0    0     0      0
    root@sf44ce22>

Best Regards
Pradeep Reddy
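As an added example (not part of the post or of IPFilter itself), a small Python parser for the ipfstat counters quoted above. It computes the share of IPv6 packets per direction whose pullup failed and flags a direction where that share is near-total while the rule counters report nothing blocked; the sample text is copied from the post and the 90% threshold is an assumption.

```python
import re

# Subset of the ipfstat output from the post: the IPv6, rule-hit and pullup counters.
IPFSTAT_OUTPUT = """\
bad packets:            in 0 out 0
 IPv6 packets:          in 13829 out 6769
 input packets:         blocked 0 passed 13829 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 6769 nomatch 0 counted 0 short 0
IN Pullups succeeded:   0       failed: 13823
OUT Pullups succeeded:  0       failed: 6769
"""


def parse_ipfstat(text):
    """Extract the counters needed for the pullup check into a dict."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"IPv6 packets:\s+in (\d+) out (\d+)", line)
        if m:
            stats["v6_in"], stats["v6_out"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"(input|output) packets:\s+blocked (\d+) passed (\d+) nomatch (\d+)", line)
        if m:
            d = "in" if m.group(1) == "input" else "out"
            stats[f"blocked_{d}"], stats[f"passed_{d}"] = int(m.group(2)), int(m.group(3))
            stats[f"nomatch_{d}"] = int(m.group(4))
            continue
        m = re.match(r"(IN|OUT) Pullups succeeded:\s+(\d+)\s+failed:\s+(\d+)", line)
        if m:
            d = m.group(1).lower()
            stats[f"pullup_ok_{d}"], stats[f"pullup_fail_{d}"] = int(m.group(2)), int(m.group(3))
    return stats


def pullup_failure_ratio(stats, direction):
    """Fraction of IPv6 packets in one direction whose pullup failed (0.0 if none seen)."""
    total = stats.get(f"v6_{direction}", 0)
    return stats.get(f"pullup_fail_{direction}", 0) / total if total else 0.0


def diagnose(stats, threshold=0.9):
    """Report directions where pullup failures cover nearly all IPv6 packets while the
    rule counters show 0 blocked: the pullup counter, not a rule, is then the thing to
    investigate first. The threshold is an assumed cut-off, not an IPFilter value."""
    findings = []
    for d in ("in", "out"):
        ratio = pullup_failure_ratio(stats, d)
        if ratio >= threshold and stats.get(f"blocked_{d}", 0) == 0:
            findings.append(f"{d}: {ratio:.1%} of IPv6 packets failed pullup, 0 blocked by rules")
    return findings
```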