Hi, I am running a FreeBSD 5.3 firewall running:

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

with SSH active, and I have defined rules to block all incoming traffic apart from a particular IP (rules attached at end of message). My problem is that for some reason, when I boot the machine and I portscan it, SSH is fully open to anyone trying to access it from the internet:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-07 14:55 EDT
Interesting ports on adsl-xxx-xx-xxx-xxx.xxxx.xx (xx.xx.xx.xx):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh

I have found out that by doing a /etc/./netstart and restarting the network, the ipf rules defined then function correctly and SSH is then blocked (the count for "block return-rst in quick on tun0 proto tcp from any to any" starts increasing). What I would like to know is if this is a known problem, or if it is by design that this happens, or if it is just FreeBSD that acts this way and I should post this question on their mailing list? Can anyone shed some light on this, or on how I can debug this?
regards
Rekkie

RULESET defined on Firewall

#####################################################################
# Outside Interface - Faces Internet                                #
#####################################################################
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
block out quick on tun0 all
pass in quick on tun0 proto tcp from xx.xx.xx.0/24 to 0/32
pass in quick on tun0 proto udp from xx.xx.xx.0/24 to 0/32
#P2P
pass in quick on tun0 proto tcp from any to 0/32 port = 6346
pass in quick on tun0 proto udp from any to 0/32 port = 6346
#Block all inbound traffic from reserved or non-routable address space
#For internet facing interface tun0
block in quick on tun0 from 192.168.0.0/16 to any    #RFC1918 private ip
block in quick on tun0 from 172.16.0.0/12 to any     #RFC1918 private ip
block in quick on tun0 from 10.0.0.0/8 to any        #RFC1918 private ip
block in quick on tun0 from 127.0.0.0/8 to any       #loopback
block in quick on tun0 from 0.0.0.0/8 to any         #loopback
block in quick on tun0 from 169.254.0.0/16 to any    #DHCP autoconfig
block in quick on tun0 from 192.0.2.0/24 to any      #reserved for doc's
block in quick on tun0 from 204.152.64.0/23 to any   #Sun Cluster interconn
block in quick on tun0 from 224.0.0.0/3 to any       #Class D & E Multicast
##Block and log all remaining traffic coming into firewall
# Block TCP with reset to appear if service not listening
# Block UDP with an ICMP port unreachable to appear as if not listening
# Block all remaining traffic.
block return-rst in quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on tun0 proto udp from any to any
block in quick on tun0 all
#####################################################################
# Loopback Interface                                                #
#####################################################################
#Allow everything to/from interface so can ping yourself
pass in quick on lo0 all
pass out quick on lo0 all
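A post-boot check built on the poster's own diagnostic (the hit counter on the tun0 "block return-rst" rule), added here as an example and not code from the original post. It reads "ipfstat -hio" (hit count followed by rule text), reports whether the inbound TCP block rule is loaded and counting, and reloads the ruleset with "ipf -Fa -f" if the rule is absent from the kernel list; the ruleset path /etc/ipf.rules and the embedded sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the tun0
# block rule is live after boot by reading hit counters from "ipfstat -hio".
RULES_FILE=/etc/ipf.rules   # assumed location of the ruleset

# rule_hits LISTING PATTERN: print the hit counter of the first rule in an
# "ipfstat -hio" listing whose text contains PATTERN, or "missing" if none.
rule_hits() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        index($0, pat) { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Constructed sample of what "ipfstat -hio" prints: hit count, then rule.
SAMPLE='0 pass out quick on tun0 proto tcp from any to any keep state
12 pass in quick on tun0 proto tcp from any to 0/32 port = 6346
17 block return-rst in quick on tun0 proto tcp from any to any
0 block in quick on tun0 all'

# Read the live kernel listing and act on it. Zero hits right after boot can
# simply mean no probe has arrived yet, so only a missing rule triggers a
# reload; "ipf -Fa -f" flushes and reloads, so repeating it is harmless.
check_and_reload() {
    listing=$(ipfstat -hio 2>/dev/null) || return 2
    hits=$(rule_hits "$listing" "block return-rst in quick on tun0 proto tcp")
    case "$hits" in
        missing) echo "tun0 block rule not loaded; reloading $RULES_FILE"
                 ipf -Fa -f "$RULES_FILE" ;;
        0)       echo "tun0 block rule loaded but no hits yet" ;;
        *)       echo "tun0 block rule active, $hits hits" ;;
    esac
}

# Only touch the kernel when ipfstat is actually present on this host.
if command -v ipfstat >/dev/null 2>&1; then
    check_and_reload
fi
```

Run it once tun0 is up (for example from a script invoked after the PPP link comes up) and compare the reported counter with a second run after a scan from outside.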
