Hi,

A self-answer here. After thinking really hard about the problem I managed to figure it out for myself and thought I'd write a note to help anyone else with similar problems:

Essentially the problem was due to my ADSL interface/modem (PPPoA) being activated after ipfilter, and thus requiring a reload of the ipf and ipnat rules for them to function correctly, as the rules reference an interface with a specific IP. All that needs to be done is to add the following two lines (after MYADDR:) in /etc/ppp/ppp.linkup:

MYADDR:
 ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.rules"
 ! sh -c "/sbin/ipf -y"

and voila, it works! Hope this helps anyone with similar problems.

regards
Rekkie

--- On Wed 06/08, John Doe < > wrote:
From: John Doe [mailto: ]
To: [email protected]
Date: Wed, 8 Jun 2005 01:56:35 -0400 (EDT)
Subject: SSH port open despite ipf rules

Hi,

I am running a FreeBSD 5.3 firewall running

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

with SSH active, and I have defined rules to block all incoming traffic apart from a particular IP (rules attached at end of message). My problem is that for some reason, when I boot the machine and I portscan it, SSH is fully open to anyone trying to access it from the internet:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-07 14:55 EDT
Interesting ports on adsl-xxx-xx-xxx-xxx.xxxx.xx (xx.xx.xx.xx):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh

I have found out that by doing a /etc/./netstart and restarting the network, the ipf rules defined then function correctly and ssh is then blocked (the count for "block return-rst in quick on tun0 proto tcp from any to any" starts increasing).

What I would like to know is if this is a known problem or if it is by design that this happens, or is it just FreeBSD that acts this way and I should post this question on their mailing list? Can anyone shed some light on this or on how I can debug this?

regards

Rekkie

RULESET defined on Firewall
#####################################################################
# Outside Interface - Faces Internet #
#####################################################################
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
block out quick on tun0 all

pass in quick on tun0 proto tcp from xx.xx.xx.0/24 to 0/32
pass in quick on tun0 proto udp from xx.xx.xx.0/24 to 0/32

#P2P
pass in quick on tun0 proto tcp from any to 0/32 port = 6346
pass in quick on tun0 proto udp from any to 0/32 port = 6346

#Block all inbound traffic from reserved or non-routable address space
#For internet facing interface tun0
block in quick on tun0 from 192.168.0.0/16 to any #RFC1918 private ip
block in quick on tun0 from 172.16.0.0/12 to any #RFC1918 private ip
block in quick on tun0 from 10.0.0.0/8 to any #RFC1918 private ip
block in quick on tun0 from 127.0.0.0/8 to any #loopback
block in quick on tun0 from 0.0.0.0/8 to any #loopback
block in quick on tun0 from 169.254.0.0/16 to any #DHCP autoconfig
block in quick on tun0 from 192.0.2.0/24 to any #reserved for doc's
block in quick on tun0 from 204.152.64.0/23 to any #Sun Cluster interconn
block in quick on tun0 from 224.0.0.0/3 to any #Class D & E Multicast

##Block and log all remaining traffic coming into firewall
# Block TCP with reset to appear if service not listening
# Block UDP with an ICMP port unreachable to appear as if not listening
# Block all remaining traffic.

block return-rst in quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on tun0 proto udp from any to any
block in quick on tun0 all

#####################################################################
# Loopback Interface #
#####################################################################

#Allow everything to/from interface so can ping yourself
pass in quick on lo0 all
pass out quick on lo0 all

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
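As an added example (not code from either message in this thread): a small POSIX sh check that reads `ipf -V` output and an ipf rules file and reports the two conditions behind the symptom described above: the filter not running at all, or a compiled-in default of "pass all" (exactly what the quoted `ipf -V` output shows), which leaves the host fail-open until the tun0-bound rules have been loaded against a live interface. The sample inputs are copied from the quoted message and embedded inline; the function names, the field parsing and the exit-code convention are this example's own, not part of IPFilter or FreeBSD.

```shell
#!/bin/sh
# Added example, not part of either message in the thread.
# Boot-time sanity check for an IPFilter host: parses `ipf -V` output and an
# ipf rules file and flags the conditions that leave SSH reachable at boot.
# Function names are this example's own; the sample texts below are copied
# from the quoted message so the script runs offline.

# Sample 1: the `ipf -V` output quoted in the original question.
SAMPLE_IPF_V='ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'

# Sample 2: an excerpt of the quoted ruleset (comment and blank line kept on
# purpose to exercise the parser).
SAMPLE_RULES='pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
block out quick on tun0 all

#P2P
pass in quick on tun0 proto tcp from any to 0/32 port = 6346
block return-rst in quick on tun0 proto tcp from any to any
pass in quick on lo0 all
pass out quick on lo0 all'

# Print the value of a "Key: value" line from `ipf -V` text on stdin.
# $1 = key (e.g. Running, Default)
ipf_field() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# Succeeds when the filter reports "Running: yes".
ipf_running() {
    [ "$(ipf_field Running)" = "yes" ]
}

# Succeeds when the compiled-in default is to pass unmatched packets.
# With that default the host is fail-open whenever the rule list is empty,
# or bound to an interface that did not exist when the rules were loaded.
ipf_default_is_pass() {
    case "$(ipf_field Default)" in
        pass*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count non-comment rules on stdin that are bound to interface $1 ("on tun0").
# These are the rules whose effect depends on the interface being up, and the
# ones a ppp.linkup reload has to bring back into force.
count_iface_rules() {
    awk -v iface="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { for (i = 1; i < NF; i++) if ($i == "on" && $(i + 1) == iface) { n++; break } }
        END { print n + 0 }'
}

# Overall verdict. $1 = `ipf -V` text, $2 = rules text, $3 = PPP interface.
# Exit status: 0 filter running with a block default, 1 filter not running,
# 2 filter running but fail-open (pass default), so interface-bound rules
# must be reloaded once the link is up.
ipf_boot_check() {
    if ! printf '%s\n' "$1" | ipf_running; then
        echo "FAIL: IP Filter is not running"
        return 1
    fi
    if printf '%s\n' "$1" | ipf_default_is_pass; then
        n=$(printf '%s\n' "$2" | count_iface_rules "$3")
        echo "WARN: default policy is 'pass'; $n rules are bound to $3 and only protect the host once reloaded with the link up"
        return 2
    fi
    echo "OK: filter running with a block default"
    return 0
}

# Stand-alone demonstration against the embedded samples.
ipf_boot_check "$SAMPLE_IPF_V" "$SAMPLE_RULES" tun0 || echo "check exit status: $?"
```

On a real host, replace the two samples with `ipf -V` and the contents of the rules file you load at boot, and run the check from rc after the PPP link is up; an exit status of 2 with a non-zero rule count is the situation the self-answer fixes by reloading from /etc/ppp/ppp.linkup.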
