We have a lab environment that is on a hub, and IPFilter on one of the
machines on that network seems to create state entries for the packets
that don't belong to it and which don't match any of the rules which keep
state. The version of ipf is 4.1.3 and pfil is 2.1.1. The system is
Solaris 8 (117350-20). Below I have attached a version of my ipf.conf that
has been changed to protect the innocent (two notes - the five OUR_NET/16
entries represent 5 different networks, and this problem seems to happen
whether or not I have the SUBNET.255/32 rules in place). Is there anything
that can be done to prevent this behavior?

One further question quasi-related to this - where can I find a
description of the various entries in the ipfstat -s output? Specifically,
I am interested in knowing about hits vs. misses and buckets in use vs.
active.

block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 10.0.0.0/8 to any
block in log quick from 127.0.0.0/8 to any
block out log quick from 192.168.0.0/16 to any
block out log quick from 172.16.0.0/12 to any
block out log quick from 10.0.0.0/8 to any
block out log quick from 127.0.0.0/8 to any
#
# Inbound rules
#
# Block access to NTP port via both TCP and UDP
block return-rst in log quick proto tcp from any to any port = 123
block return-icmp(port-unr) in log quick proto udp from any to any port = 123
#
# Allow all inbound local TCP traffic that has an initial SYN flag (initial
# packets) while keeping state for future packets
#
# TCP in rules (directly addressed)
block in log quick proto tcp from any to IP_ADDRESS_STR/32 head 10
pass in quick proto tcp from OUR_NET/16 to IP_ADDRESS_STR/32 flags S/SAFR keep state keep frags group 10
pass in quick proto tcp from OUR_NET/16 to IP_ADDRESS_STR/32 flags S/SAFR keep state keep frags group 10
pass in quick proto tcp from OUR_NET/16 to IP_ADDRESS_STR/32 flags S/SAFR keep state keep frags group 10
pass in quick proto tcp from OUR_NET/16 to IP_ADDRESS_STR/32 flags S/SAFR keep state keep frags group 10
pass in quick proto tcp from OUR_NET/16 to IP_ADDRESS_STR/32 flags S/SAFR keep state keep frags group 10
# Send a RST packet to initial TCP connections only
block return-rst in log quick proto tcp from any to IP_ADDRESS_STR/32 flags S group 10
# TCP in rules (broadcast)
block in log quick proto tcp from any to SUBNET.255/32 head 100
pass in quick proto tcp from OUR_NET/16 to SUBNET.255/32 flags S/SAFR keep state keep frags group 100
pass in quick proto tcp from OUR_NET/16 to SUBNET.255/32 flags S/SAFR keep state keep frags group 100
pass in quick proto tcp from OUR_NET/16 to SUBNET.255/32 flags S/SAFR keep state keep frags group 100
pass in quick proto tcp from OUR_NET/16 to SUBNET.255/32 flags S/SAFR keep state keep frags group 100
pass in quick proto tcp from OUR_NET/16 to SUBNET.255/32 flags S/SAFR keep state keep frags group 100
# Allow all inbound local UDP traffic while keeping state for future packets
#
# UDP in rules (directly addressed)
block return-icmp(port-unr) in log quick proto udp from any to IP_ADDRESS_STR/32 head 20
pass in quick proto udp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 20
pass in quick proto udp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 20
pass in quick proto udp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 20
pass in quick proto udp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 20
pass in quick proto udp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 20
# UDP in rules (broadcast)
block in log quick proto udp from any to SUBNET.255/32 head 200
pass in quick proto udp from OUR_NET/16 to SUBNET.255/32 keep state group 200
pass in quick proto udp from OUR_NET/16 to SUBNET.255/32 keep state group 200
pass in quick proto udp from OUR_NET/16 to SUBNET.255/32 keep state group 200
pass in quick proto udp from OUR_NET/16 to SUBNET.255/32 keep state group 200
pass in quick proto udp from OUR_NET/16 to SUBNET.255/32 keep state group 200
# Allow directly addressed (i.e. not broadcast) inbound local ICMP traffic
# while keeping state for future packets
block in log quick proto icmp from any to IP_ADDRESS_STR/32 head 30
pass in quick proto icmp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 30
pass in quick proto icmp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 30
pass in quick proto icmp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 30
pass in quick proto icmp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 30
pass in quick proto icmp from OUR_NET/16 to IP_ADDRESS_STR/32 keep state group 30
# Allow all inbound local multicast traffic
block in quick from any to 224.0.0.0/3 head 40
pass in quick from OUR_NET/16 to 224.0.0.0/3 group 40
pass in quick from OUR_NET/16 to 224.0.0.0/3 group 40
pass in quick from OUR_NET/16 to 224.0.0.0/3 group 40
pass in quick from OUR_NET/16 to 224.0.0.0/3 group 40
pass in quick from OUR_NET/16 to 224.0.0.0/3 group 40
#
# Outbound rules
#
# Allow all outbound TCP traffic that has an initial SYN flag (initial packets)
# while keeping state for future packets
pass out quick proto tcp from IP_ADDRESS_STR/32 to any flags S/SAFR keep state keep frags
# Allow all outbound UDP and ICMP traffic while keeping state for future packets
pass out quick proto udp from IP_ADDRESS_STR/32 to any keep state
pass out quick proto icmp from IP_ADDRESS_STR/32 to any keep state
# Allow the return-reset packets to leave
pass out quick proto tcp from IP_ADDRESS_STR/32 to any flags R/RSFUP
# Allow multicast traffic out
pass out quick from any to 224.0.0.0/3
#
# Default blocks
#
block in log
block out log
Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation
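As an added example (not part of the post above and not IPFilter's own code), the following script audits a ruleset of the shape shown in the post and lists every "keep state" rule that is not pinned to the firewall's own address, either by its own from/to specification or by the head rule of the group it belongs to. On a shared-medium network such a rule is the first place to look when the state table fills with entries for other hosts' traffic. The parser is a deliberately minimal, hypothetical one that understands only the keywords used in the post (block/pass, in/out, proto, from/to, keep state, head/group); the sample ruleset embeds a constructed host address 10.1.2.3 and a constructed local network 10.1.0.0/16 in place of the post's placeholders.

```python
"""Audit an ipf.conf-style ruleset for "keep state" rules not pinned to the host.

Added example, not from the original post. Assumptions: rules are one per
line, use only the keywords seen in the post, and address specs are either
"any" or CIDR. Anything else is ignored rather than rejected.
"""
import ipaddress

# Constructed sample, modelled on the post with placeholders filled in:
# host 10.1.2.3, local net 10.1.0.0/16, subnet broadcast 10.1.255.255.
SAMPLE_RULES = """\
block in log quick from 192.168.0.0/16 to any
block in log quick proto tcp from any to 10.1.2.3/32 head 10
pass in quick proto tcp from 10.1.0.0/16 to 10.1.2.3/32 flags S/SAFR keep state keep frags group 10
block return-rst in log quick proto tcp from any to 10.1.2.3/32 flags S group 10
block in log quick proto udp from any to 10.1.255.255/32 head 200
pass in quick proto udp from 10.1.0.0/16 to 10.1.255.255/32 keep state group 200
pass out quick proto tcp from 10.1.2.3/32 to any flags S/SAFR keep state keep frags
pass out quick proto udp from 10.1.2.3/32 to any keep state
pass in quick proto udp from any to any keep state
block in log
"""


def parse_rule(line):
    """Tokenise one rule into a dict; unknown tokens (log, quick, flags ...) are skipped."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "proto": "any", "src": "any",
            "dst": "any", "keep_state": False, "head": None, "group": None,
            "text": line}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "proto":
            i += 1
            rule["proto"] = toks[i]
        elif t == "from":
            i += 1
            rule["src"] = toks[i]
        elif t == "to":
            i += 1
            rule["dst"] = toks[i]
        elif t == "keep" and i + 1 < len(toks) and toks[i + 1] == "state":
            rule["keep_state"] = True
            i += 1
        elif t == "head":
            i += 1
            rule["head"] = int(toks[i])
        elif t == "group":
            i += 1
            rule["group"] = int(toks[i])
        i += 1
    return rule


def parse_rules(text):
    """Parse a whole ruleset, skipping comments and blank lines."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def spec_is_host(spec, host):
    """True only if the spec is exactly the host's own /32."""
    if spec == "any":
        return False
    net = ipaddress.ip_network(spec, strict=False)
    return net.prefixlen == 32 and host in net


def rule_pinned_to_host(rule, heads, host):
    """A rule can only match the host's own traffic if its src or dst is the
    host /32, or if the head rule of its group already restricts that way
    (a group rule is only evaluated after its head matched)."""
    if spec_is_host(rule["src"], host) or spec_is_host(rule["dst"], host):
        return True
    head = heads.get(rule["group"])
    if head is not None:
        return spec_is_host(head["src"], host) or spec_is_host(head["dst"], host)
    return False


def audit(text, host_ip):
    """Return the text of every keep-state rule that could create state for
    packets neither from nor to host_ip."""
    host = ipaddress.ip_address(host_ip)
    rules = parse_rules(text)
    heads = {r["head"]: r for r in rules if r["head"] is not None}
    return [r["text"] for r in rules
            if r["keep_state"] and not rule_pinned_to_host(r, heads, host)]


if __name__ == "__main__":
    for loose in audit(SAMPLE_RULES, "10.1.2.3"):
        print("keeps state for non-host traffic:", loose)
```

Run against the sample it reports two rules: the broadcast-group UDP rule (pinned to the subnet broadcast address, not the host) and the catch-all "from any to any keep state" rule. Applied to the real ipf.conf from the post, with the placeholders substituted, it shows which rules can legitimately create state entries for traffic the machine only sees because it shares a hub; a clean result points the investigation at ipf itself rather than at the ruleset.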