This is a discussion on Please Help - Strange problem with my servers - Locked out within the Snort forums, part of the System Security and Security Related category.
I have something strange going on with the two servers I manage, they can't talk to each other...

Servers are FreeBSD 4.10 - running
apache
zope
plone
postgresql
postfix
courier
ipf (KLM) (was kernel then changed back to module)
snort
tripwire
chkrootkit

Some security settings from the FreeBSD web site e.g. blackhole settings etc

This is the problem, I have 3 networks, HOME, WORK and COLO

I have a development server on the HOME network behind an ADSL modem (which has the firewall and ID turned off, NAT on)
The other server (production) is directly connected to the Internet
I have a workstation (FreeBSD) on the WORK network.

The WORK network can talk to both HOME and COLO (ssh, web, mail etc)
The HOME network can't talk to the COLO server at all, (both the HOME server and my WinXP workstation on the same network)
The COLO network can't talk to the HOME network at all

Doing a traceroute, packets reach the router in front of both servers then get dropped...
Nothing shows up in the firewall logs, I've even reverted to a pass all ipf rule set still no go...

I think the problem started when I used nmap to port scan the servers to test for holes?

Does snort drop packets? I've shut it down and still no go?

Here is my current ipf rule set on the COLO server, the one on the HOME server is nearly identical if needed:

*******************************************
block in all with frag
block in proto tcp all with short
block in all with ipopts

#Allow loopback
pass in quick on lo0 all
pass out quick on lo0 all

#Allow local LAN
pass out quick on xl0 all

#Block Spoofing
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 127.0.0.0/8 to any
block in quick on xl0 from 0.0.0.0/8 to any
block in quick on xl0 from 169.254.0.0/16 to any
block in quick on xl0 from 192.0.2.0/24 to any
block in quick on xl0 from 204.152.64.0/23 to any
block in quick on xl0 from 224.0.0.0/3 to any
block out quick on xl0 from any to 192.168.0.0/16
block out quick on xl0 from any to 172.16.0.0/12
block out quick on xl0 from any to 10.0.0.0/8
block out quick on xl0 from any to 0.0.0.0/8
block out quick on xl0 from any to 127.0.0.0/8
block out quick on xl0 from any to 169.254.0.0/16
block out quick on xl0 from any to 192.0.2.0/24
block out quick on xl0 from any to 204.152.64.0/23
block out quick on xl0 from any to 224.0.0.0/3

#Other
block in quick on fxp0 proto tcp from any to any port = 139 flags S keep state
block in quick on fxp0 proto tcp from any to any port = 445 flags S keep state

#Block ICMP
pass in quick on xl0 proto icmp from any to any icmp-type 0
pass in quick on xl0 proto icmp from any to any icmp-type 11
block in quick on xl0 proto icmp from any to any

#Allow rsync access
pass in quick on fxp0 proto tcp from x.x.x.0/24 to any port = 873 flags S keep state
block in quick on fxp0 proto tcp from any to any port = 873 flags S keep state

#Allow ssh access
pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA keep state
pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA keep state
pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S keep state
pass in quick on xl0 proto tcp from x.x.x.0/24 to any port = 22 flags S keep state
block in log first quick on xl0 proto tcp from any to any port = 22 flags S keep state

#Allow SMTP access
block return-rst in on xl0 proto tcp from any to any port = 113 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state keep frags

#Allow every thing in [debug]
pass in log first quick on xl0 all

#Logging and block all
block in log first quick on xl0 all
*******************************************

Any pointers in the right direction would be great...getting frustrated...

Dean Grubb
deadefinitelycom wrote:
> I have something strange going on with the two servers I manage, they
> can't talk to each other...
>
> Servers are FreeBSD 4.10 - running
> apache
> zope
> plone
> postgresql
> postfix
> courier
> ipf (KLM) (was kernel then changed back to module)
> snort
> tripwire
> chkrootkit
>
> Some security settings from the FreeBSD web site e.g. blackhole settings
> etc
>
> This is the problem, I have 3 networks, HOME, WORK and COLO
>
> I have a development server on the HOME network behind an ADSL modem
> (which has the firewall and ID turned off, NAT on)
> The other server (production) is directly connected to the Internet
> I have a workstation (FreeBSD) on the WORK network.
>
> The WORK network can talk to both HOME and COLO (ssh, web, mail etc)
> The HOME network can't talk to the COLO server at all, (both the HOME
> server and my WinXP workstation on the same network)
> The COLO network can't talk to the HOME network at all
>
> Doing a traceroute, packets reach the router in front of both servers
> then get dropped...
> Nothing shows up in the firewall logs, I've even reverted to a pass all
> ipf rule set still no go...
>
> I think the problem started when I used nmap to port scan the servers
> to test for holes?
>
> Does snort drop packets? I've shut it down and still no go?
>
> Here is my current ipf rule set on the COLO server, the one on the HOME
> server is nearly identical if needed:
>
> *******************************************
> block in all with frag
> block in proto tcp all with short
> block in all with ipopts
>
> #Allow loopback
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> #Allow local LAN
> pass out quick on xl0 all
>
> #Block Spoofing
> block in quick on xl0 from 192.168.0.0/16 to any
> block in quick on xl0 from 172.16.0.0/12 to any
> block in quick on xl0 from 10.0.0.0/8 to any
> block in quick on xl0 from 127.0.0.0/8 to any
> block in quick on xl0 from 0.0.0.0/8 to any
> block in quick on xl0 from 169.254.0.0/16 to any
> block in quick on xl0 from 192.0.2.0/24 to any
> block in quick on xl0 from 204.152.64.0/23 to any
> block in quick on xl0 from 224.0.0.0/3 to any
> block out quick on xl0 from any to 192.168.0.0/16
> block out quick on xl0 from any to 172.16.0.0/12
> block out quick on xl0 from any to 10.0.0.0/8
> block out quick on xl0 from any to 0.0.0.0/8
> block out quick on xl0 from any to 127.0.0.0/8
> block out quick on xl0 from any to 169.254.0.0/16
> block out quick on xl0 from any to 192.0.2.0/24
> block out quick on xl0 from any to 204.152.64.0/23
> block out quick on xl0 from any to 224.0.0.0/3
>
> #Other
> block in quick on fxp0 proto tcp from any to any port = 139 flags S keep state
> block in quick on fxp0 proto tcp from any to any port = 445 flags S keep state
>
> #Block ICMP
> pass in quick on xl0 proto icmp from any to any icmp-type 0
> pass in quick on xl0 proto icmp from any to any icmp-type 11
> block in quick on xl0 proto icmp from any to any
>
> #Allow rsync access
> pass in quick on fxp0 proto tcp from x.x.x.0/24 to any port = 873 flags S keep state
> block in quick on fxp0 proto tcp from any to any port = 873 flags S keep state
>
> #Allow ssh access
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA keep state
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA keep state
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S keep state
> pass in quick on xl0 proto tcp from x.x.x.0/24 to any port = 22 flags S keep state
> block in log first quick on xl0 proto tcp from any to any port = 22 flags S keep state
>
> #Allow SMTP access
> block return-rst in on xl0 proto tcp from any to any port = 113 flags S keep state
> pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state keep frags
>
> #Allow every thing in [debug]
> pass in log first quick on xl0 all
>
> #Logging and block all
> block in log first quick on xl0 all
> *******************************************
>
> Any pointers in the right direction would be great...getting
> frustrated...
>
> Dean Grubb

It definitely sounds like a ruleset problem. I did not go through all of your rules as it is too late and I am tired.

Try an experiment. In the top of your firewall rules make a rule that accepts all packets from the server in question (put it on the top of your ruleset). If this fixes your problem then you know that your rules are messed up.

I run Snort and have never had a problem with packet loss. Snort "listens" to connections but should not cause loss to the system. Snort might run out of buffer space and not "see" 100%. I think that could be possible...anyway, try the experiment and see if that fixes it.

Michael
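An added example, not from either poster, that models the ipf matching rule behind both Dean's ruleset and Michael's experiment: ipf tests every rule in order and the last match decides, unless a matching rule says `quick`, which decides on the spot; a pass rule placed at the top therefore only overrides the later `quick` blocks if it carries `quick` itself. The ruleset is a constructed subset of Dean's, and 203.0.113.5, 192.0.2.10 and 198.51.100.0/24 are placeholder addresses standing in for his x.x.x.x.

```python
import ipaddress
# Constructed subset of Dean's COLO ruleset; RFC 5737 addresses stand in for x.x.x.x.
RULESET = """
block in all with frag
block in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from 198.51.100.0/24 to any port = 22 flags S keep state
block in log first quick on xl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state keep frags
block in log first quick on xl0 all
"""

def net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    # Only the keywords this subset needs; flags/keep state/with/icmp-type are skipped.
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": None, "dst": None, "port": None, "text": line}
    i = 2
    while i < len(t):
        if t[i] == "on":      r["iface"] = t[i + 1]; i += 1
        elif t[i] == "proto": r["proto"] = t[i + 1]; i += 1
        elif t[i] == "from":  r["src"] = net(t[i + 1]); i += 1
        elif t[i] == "to":    r["dst"] = net(t[i + 1]); i += 1
        elif t[i] == "port":  r["port"] = int(t[i + 2]); i += 2   # 'port = N'
        i += 1
    return r

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"]) and r["port"] in (None, pkt.get("dport"))
            and (r["src"] is None or pkt["src"] in r["src"])
            and (r["dst"] is None or pkt["dst"] in r["dst"]))

def evaluate(rules, pkt):
    """ipf semantics: last match decides unless it says 'quick'; no match at all passes."""
    decision, hit = "pass", None
    for r in rules:
        if matches(r, pkt):
            decision, hit = r["action"], r["text"]
            if r["quick"]:
                break
    return decision, hit

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
# Constructed packet: HOME's (placeholder) public address opening SSH to COLO on xl0.
HOME_SSH = {"dir": "in", "iface": "xl0", "proto": "tcp", "dport": 22,
            "src": ipaddress.ip_address("203.0.113.5"), "dst": ipaddress.ip_address("192.0.2.10")}

def experiment(quick):
    """Michael's test: a pass rule for the stuck host at the very top of the ruleset."""
    top = "pass in %son xl0 from 203.0.113.5 to any" % ("quick " if quick else "")
    return evaluate([parse_rule(top)] + RULES, HOME_SSH)[0]
```

Running `evaluate(RULES, HOME_SSH)` shows which rule actually catches the HOME host's SSH attempt; `experiment(False)` versus `experiment(True)` shows that the diagnostic pass rule needs `quick` to take effect over the later `quick` blocks.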