Incoming RST being blocked even though it is allowed by IPF rule



#1
07-25-2007
boxyzzy@netscape.net
Posts: n/a
Incoming RST being blocked even though it is allowed by IPF rule


Was: IPFilter 4.1.13 on Solaris 8 ... What am I missing? ... Getting
closer ... Maybe?

My trusted local hosts being blocked still prohibits me from
implementing a much-needed IPFilter firewall.

Test scenario:
 1) NIS+ client with IPF firewall - no unexpected blocks reported in
ipmonlog
 2) NIS+ replica with IPF firewall, 123.456.70.43, blocks packets from
NIS+ master, 123.456.70.11, (as shown below) when NIS+ master executes
"nisping -Ca" to synchronize replica.

ipmonlog:
23/07/2007 13:55:39.356410 2x eri0 @0:69 b 123.456.70.11,32772 -> 123.456.70.43,47736 PR tcp len 20 40 -R IN
23/07/2007 13:55:44.162312 eri0 @0:69 b 123.456.70.11,32772 -> 123.456.70.43,47736 PR tcp len 20 40 -R IN
23/07/2007 13:55:53.782511 eri0 @0:69 b 123.456.70.11,32772 -> 123.456.70.43,47736 PR tcp len 20 40 -R IN

Below, refer to the ipfstat display and the applicable ipf rules.

The packets are blocked as described above with or w/o rule 43. Rules
41-45, 48-52, and 55-59 were my attempt to allow known flags (from
previous tests) to be passed.

Rule 43:
@43 pass in quick proto tcp from 123.456.70.0/26 to any flags R/FSRPAU keep state keep frags

Why didn't rule 43 allow these packets to be passed?

Again, I hope that you will point out what I am missing.

Charles

ipf.conf:
....
pass in quick proto tcp from 123.456.70.0/26 to any keep frags keep state
pass in quick proto tcp from 123.456.70.0/26 to any flags S keep frags keep state
pass in quick proto tcp from 123.456.70.0/26 to any flags A keep frags keep state
pass in quick proto tcp from 123.456.70.0/26 to any flags R keep frags keep state
pass in quick proto tcp from 123.456.70.0/26 to any flags AS keep frags keep state
pass in quick proto tcp from 123.456.70.0/26 to any flags AF keep frags keep state
pass in quick proto udp from 123.456.70.0/26 to any keep state
....
Â*Â*
ipfstat -in
@1 block in quick proto udp from any to 123.456.71.255/32 port = 631
@2 block in quick proto udp from any to 123.456.71.255/32 port = 137
@3 block in quick proto udp from any to 123.456.71.255/32 port = 138
@4 block in quick proto udp from any to 123.456.71.255/32 port = 139
@5 block in quick proto udp from any to 255.255.255.255/32
@6 block in quick proto tcp from any to any port = 135
@7 block in quick proto udp from any to any port = 137
@8 block in quick proto udp from any to any port = 138
@9 block in quick proto tcp from any to any port = 139
@10 block in quick proto udp from any to any port = 1026
@11 block in quick proto udp from any to any port = 1027
@12 block in quick proto 2 from any to 224.0.0.1/32
@13 block in quick proto tcp/udp from any to any port = 445
@14 block in quick proto tcp/udp from any to any port = 1433
@15 block in quick proto tcp/udp from any to any port = 1434
@16 block in quick proto tcp/udp from any to any port = 4899
@17 block in quick proto tcp/udp from any to any port = 3306
@18 pass in quick proto tcp from 123.456.68.1/32 to any keep state keep frags
@19 pass in quick proto udp from 123.456.68.1/32 to any keep state
@20 pass in quick proto tcp from 246.82.1.201/32 to any keep state keep frags
@21 pass in quick proto udp from 246.82.1.201/32 to any keep state
@22 pass in quick proto tcp from 246.82.1.202/32 to any keep state keep frags
@23 pass in quick proto udp from 246.82.1.202/32 to any keep state
@24 pass in quick proto tcp from 246.82.1.203/32 to any keep state keep frags
@25 pass in quick proto udp from 246.82.1.203/32 to any keep state
@26 pass in quick proto tcp from 246.82.1.204/32 to any keep state keep frags
@27 pass in quick proto udp from 246.82.1.204/32 to any keep state
@28 pass in quick proto tcp from 246.82.161.16/32 to any keep state keep frags
@29 pass in quick proto udp from 246.82.161.16/32 to any keep state
@30 pass in quick proto tcp from 246.82.247.34/32 to any keep state keep frags
@31 pass in quick proto udp from 246.82.247.34/32 to any keep state
@32 pass in quick proto tcp from 246.82.247.66/32 to any keep state keep frags
@33 pass in quick proto udp from 246.82.247.66/32 to any keep state
@34 pass in quick proto tcp from 246.82.247.98/32 to any keep state keep frags
@35 pass in quick proto udp from 246.82.247.98/32 to any keep state
@36 pass in quick proto tcp from 246.82.162.243/32 to any keep state keep frags
@37 pass in quick proto udp from 246.82.162.243/32 to any keep state
@38 pass in quick proto tcp from 246.82.162.242/32 to any keep state keep frags
@39 pass in quick proto udp from 246.82.162.242/32 to any keep state
@40 pass in quick proto tcp from 123.456.70.0/26 to any keep state keep frags
@41 pass in quick proto tcp from 123.456.70.0/26 to any flags S/FSRPAU keep state keep frags
@42 pass in quick proto tcp from 123.456.70.0/26 to any flags A/FSRPAU keep state keep frags
@43 pass in quick proto tcp from 123.456.70.0/26 to any flags R/FSRPAU keep state keep frags
@44 pass in quick proto tcp from 123.456.70.0/26 to any flags SA/FSRPAU keep state keep frags
@45 pass in quick proto tcp from 123.456.70.0/26 to any flags FA/FSRPAU keep state keep frags
@46 pass in quick proto udp from 123.456.70.0/26 to any keep state
@47 pass in quick proto tcp from 123.456.70.64/27 to any keep state keep frags
@48 pass in quick proto tcp from 123.456.70.64/27 to any flags S/FSRPAU keep state keep frags
@49 pass in quick proto tcp from 123.456.70.64/27 to any flags A/FSRPAU keep state keep frags
@50 pass in quick proto tcp from 123.456.70.64/27 to any flags R/FSRPAU keep state keep frags
@51 pass in quick proto tcp from 123.456.70.64/27 to any flags SA/FSRPAU keep state keep frags
@52 pass in quick proto tcp from 123.456.70.64/27 to any flags FA/FSRPAU keep state keep frags
@53 pass in quick proto udp from 123.456.70.64/27 to any keep state
@54 pass in quick proto tcp from 123.456.70.96/28 to any keep state keep frags
@55 pass in quick proto tcp from 123.456.70.96/28 to any flags S/FSRPAU keep state keep frags
@56 pass in quick proto tcp from 123.456.70.96/28 to any flags A/FSRPAU keep state keep frags
@57 pass in quick proto tcp from 123.456.70.96/28 to any flags R/FSRPAU keep state keep frags
@58 pass in quick proto tcp from 123.456.70.96/28 to any flags SA/FSRPAU keep state keep frags
@59 pass in quick proto tcp from 123.456.70.96/28 to any flags FA/FSRPAU keep state keep frags
@60 pass in quick proto udp from 123.456.70.96/28 to any keep state
@61 pass in quick proto tcp from 123.456.0.0/16 to any port = 22 keep state keep frags
@62 pass in quick proto tcp from 246.82.0.0/16 to any port = 22 keep state keep frags
@63 pass in quick proto tcp from any port = 22 to any keep state keep frags
@64 pass in quick proto tcp from 123.20.54.241/32 to any port = 22 keep state keep frags
@65 pass in quick proto tcp from 456.115.209.28/32 to any port = 22 keep state keep frags
@66 pass in quick proto tcp from 246.169.43.83/32 to any port = 22 keep state keep frags
@67 pass in quick proto icmp from any to any
@68 pass in quick proto tcp from any to any port = 80 keep state keep frags
@69 block in log quick all
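As an added example (not part of the original post or of IPFilter itself), a small triage script in Python: it parses ipmon records in the layout shown in the post into structured events and applies IPFilter's `flags set/mask` test to each packet's flag string, which shows that an RST-only packet (`-R`) satisfies rule 43's `R/FSRPAU` clause and none of the other flag rules. The sample log lines are constructed, and the field layout is assumed from the three lines in the post.

```python
import re
from dataclasses import dataclass
# Constructed sample lines in the layout of the post's ipmonlog; the 123.456.x.x
# addresses are the post's own placeholders.
IPMON_SAMPLE = """\
23/07/2007 13:55:39.356410 2x eri0 @0:69 b 123.456.70.11,32772 -> 123.456.70.43,47736 PR tcp len 20 40 -R IN
23/07/2007 13:55:44.162312 eri0 @0:69 b 123.456.70.11,32772 -> 123.456.70.43,47736 PR tcp len 20 40 -R IN
23/07/2007 13:56:01.000000 eri0 @0:41 p 123.456.70.11,32773 -> 123.456.70.43,22 PR tcp len 20 60 -S IN
"""
# date time [Nx] ifname @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags] dir
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-[FSRPAU]+))? (?P<dir>IN|OUT)$")
TCP_FLAGS = "FSRPAU"  # ipf flag letters: FIN SYN RST PSH ACK URG

@dataclass
class Event:
    rule: int          # rule number the packet hit (@0:69 -> 69)
    action: str        # 'b' blocked, 'p' passed
    src: str
    dst: str
    dport: int
    flags: frozenset   # TCP flag letters set on the packet ('-R' -> {'R'})

def parse_ipmon(text):
    events = []
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if m is None:
            continue  # not an ipmon packet record
        f = m.group("flags")
        events.append(Event(int(m.group("rule")), m.group("action"), m.group("src"), m.group("dst"),
                            int(m.group("dport")), frozenset(f[1:]) if f else frozenset()))
    return events

def flags_match(spec, packet_flags):
    """ipf 'flags set/mask': of the flags named in the mask, exactly those in 'set' must be on.
    A bare 'flags S' gets the default mask FSRPAU, which is why ipfstat shows it as S/FSRPAU."""
    want, _, mask = spec.partition("/")
    mask = set(mask) if mask else set(TCP_FLAGS)
    return (set(packet_flags) & mask) == set(want)

# The post's flag-qualified rules for 123.456.70.0/26: rule number -> flags spec.
POST_FLAG_RULES = {41: "S/FSRPAU", 42: "A/FSRPAU", 43: "R/FSRPAU", 44: "SA/FSRPAU", 45: "FA/FSRPAU"}

def candidate_rules(event, rules=POST_FLAG_RULES):
    """Rule numbers whose flags clause alone would match the logged packet's flags."""
    return sorted(n for n, spec in rules.items() if flags_match(spec, event.flags))
```

The script evaluates only the flags clause of each rule; it does not model rule order or ipf's state table, so it narrows the question to the flag test rather than answering why @69 logged the block.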
