Hello,

I'm running ipfilter 4.1.8 on a FreeBSD 5.4 box. I've loaded a ruleset I used in 3.x; now ftp isn't working completely, but it's failing in some very strange ways. My ruleset is below, both ipf.rules and ipnat.rules. The FreeBSD box running ipfilter acts as a gateway, natting for LAN machines, which are a mixture of Windows and Unix systems.

Windows first: on a Windows 2000 box and an XP machine, command-line ftp works fine; I can log on to an ftp site, do directory listings, and get files, no problem. If I go to Internet Explorer on either of the Windows boxes and try to access the same area, I get a message that the server cannot be accessed. I've tried both active and passive ftp in the Internet Options advanced properties; neither works.

On the gateway itself passive ftp is working with no problems, but active is giving me a strange error:

200 EPRT command successful
425: can not build data connection: connection refused

This is with the command-line ftp client with the -A option for active mode.

On a natted box behind the gateway, again passive works fine, no problems. Active also works, but it gives me a strange message and I'm wondering if it's related to any of the above situations:

500 illegal port range rejected

Aside from that, a natted box works. I'd appreciate any input on these issues. I am using the ftp proxy with ipfilter 4.

Also, I'm using ipfilter 4 as a loadable module, but I want a block-by-default policy and only allow specific traffic; does this still give me that?

Thanks a lot.
Dave.

(rl0 external interface, xl0 internal one)
ipnat.rules: (minus rdr rules)
map rl0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/24 -> 0.0.0.0/32
map rl0 192.168.0.0/24 -> 0/32 proxy port 1723 pptp/tcp

ipf.rules:
# General rules - we only have most of these so that we'll be notified
# when they are tripped.
# Drop source routed or short packets.
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# block some exploits first thing
block return-rst in quick proto tcp from any to any port 136 >< 140 flags S
block return-rst in quick proto tcp from any to any port = 445 flags S
block return-icmp-as-dest(port-unr) in quick proto udp from any to any port 136 >< 140
# allow ping and traceroute
pass in quick on xl0 proto icmp from 192.168.0.0/24 to any icmp-type 0
pass out quick proto icmp from any to any icmp-type 8 code 0 keep state
pass in quick on xl0 proto icmp from 192.168.0.0/24 to any icmp-type 11
block return-icmp-as-dest(port-unr) in quick proto udp from any to any port = 445
block return-rst in quick proto tcp from any to any port = 1433 flags S
block return-rst in quick proto tcp from any to any port = 27374 flags S
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
# Let's kill packets with invalid flag combinations ...
block in quick on rl0 proto tcp from any to any flags F/FA
block in quick on rl0 proto tcp from any to any flags P/PA
block in quick on rl0 proto tcp from any to any flags U/AU
block in quick on rl0 proto tcp from any to any flags FR/FR
block in quick on rl0 proto tcp from any to any flags FS/FS
block in quick on rl0 proto tcp from any to any flags SR/SR
block in quick on rl0 proto tcp from any to any flags FSRPAU
block in quick on rl0 proto tcp from any to any flags /FSRPAU
block in quick on rl0 proto tcp from any to any flags FPU
block in quick on rl0 proto tcp from any to any flags FSPU
block in quick on rl0 proto tcp from any to any flags FSRAU
# Block packets claiming to be from my IP address
block in quick on rl0 from 65.31.44.187/32 to any
# block noise off the wire
block in quick on rl0 proto tcp/udp from any to any port = telnet
block in quick on rl0 proto tcp/udp from any to any port = netbios-ns
block in quick on rl0 proto tcp/udp from any to any port = netbios-dgm
block in quick on rl0 proto tcp/udp from any to any port = microsoft-ds
block in quick on rl0 proto tcp/udp from any to any port = socks
block in quick on rl0 proto tcp/udp from any to any port = ms-sql-s
block in quick on rl0 proto tcp/udp from any to any port = loc-srv
# network blocks
# asia pacific blocks
block in quick on rl0 from 67.127.189.35 to any
block in quick on rl0 from 165.229.191.109 to any
block in quick on rl0 from 218.189.193.56 to any
block in quick on rl0 from 220.176.196.52 to any
block in quick on rl0 from 210.0.0.0/7 to any
block in quick on rl0 from 221.0.0.0/8 to any
#block in quick on OUTSIDE_INTERFACE proto tcp/udp from 220.0.0.0/8 to any
block in quick on rl0 from 202.0.0.0/7 to any
#block in quick on OUTSIDE_INTERFACE proto tcp/udp from 219.0.0.0/8 to any
block in quick on rl0 from 218.232.109.187 to any
block in quick on rl0 from 61.173.104.249 to any
block in quick on rl0 from 218.81.182.69 to any
block in quick on rl0 from 61.146.171.189 to any
block in quick on rl0 from 222.65.111.203 to any
block in quick on rl0 from 218.81.185.28 to any
block in quick on rl0 from 222.65.106.162 to any
block in quick on rl0 from 218.64.141.26 to any
block in quick on rl0 from 218.80.101.11 to any
block in quick on rl0 from 218.81.170.45 to any
block in quick on rl0 from 218.79.82.48 to any
block in quick on rl0 from 218.81.182.225 to any
block in quick on rl0 from 222.65.100.0/24 to any
block in quick on rl0 from 217.220.2.73 to any
# latin america blocks
block in quick on rl0 from 150.161.0.0/16 to any
block in quick on rl0 from 150.162.0.0/15 to any
block in quick on rl0 from 150.164.0.0/15 to any
block in quick on rl0 from 200.0.0.0/8 to any
block in quick on rl0 from 220.218.134.222 to any
# netherlands blocks
block in quick on rl0 from 83.17.209.58 to any
block in quick on rl0 from 213.9.191.45 to any
block in quick on rl0 from 62.193.232.184 to any
block in quick on rl0 from 193.0.0.0/8 to any
block in quick on rl0 from 217.115.144.68 to any
block in quick on rl0 from 82.0.0.0/8 to any
# US blocks
# comcast
block in quick on rl0 from 24.12.150.192 to any
block in quick on rl0 from 24.19.77.188 to any
# worldnet
block in quick on rl0 from 12.158.228.18 to any
block in quick on rl0 from 12.215.60.12 to any
block in quick on rl0 from 67.18.38.111 to any
# Don't filter anything on loopback interfaces.
pass in quick on lo0 all
pass out quick on lo0 all
# Define rule groups based on interface
block return-icmp-as-dest(port-unr) in log first quick on rl0 proto tcp/udp from any to any head 100
block out log first quick on rl0 proto tcp/udp from any to any head 200
block return-icmp-as-dest(port-unr) in log first quick on xl0 proto tcp/udp from any to any head 300
block out log first quick on xl0 proto tcp/udp from any to any head 400
# Rule group for traffic coming from the Internet:
# Allow SSH and FTP services.
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 22 keep state group 100
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to FTP_SERVER port = 20 keep state group 100
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to FTP_SERVER port = 21 keep state group 100
# Allow DHCP from our ISP.
pass in quick on rl0 proto udp from 10.40.224.1 port = 67 to 255.255.255.255 port = 68 group 100
# Allow ping from the outside, at least we need this for the DHCP server to know
# that our lease is still in use.
#pass in quick on OUTSIDE_INTERFACE proto icmp from any to any keep state group 100
# Allow inbound SMTP.
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 25 keep state group 100
# allow inbound web
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 80 flags S keep state group 100
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 443 flags S keep state group 100
# allow inbound pop
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 110 keep state group 100
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 465 keep state group 100
# allow incoming pptp
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 1723 keep state group 100
pass in quick on rl0 proto gre from any to 192.168.0.3 keep state group 100
# allow inbound imap
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to IMAP_SERVER port = 143 keep state group 100
# allow inbound encrypted pop3s
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 995 keep state group 100
# allow inbound encrypted imaps
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to IMAP_SERVER port = 993 keep state group 100
# allow inbound database connections
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to DATABASE_SERVER port = 3306 keep state group 100
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to DATABASE_SERVER port = 5432 keep state group 100
# allow cvs
#pass in quick on OUTSIDE_INTERFACE proto tcp from any to CVS_SERVER port = 2401 flags S keep state group 100
# allow icecast
pass in quick on rl0 proto tcp from any to 192.168.0.3 port = 8000 flags S keep state group 100
# allow rsync from nick_net
pass in quick on rl0 proto tcp from 65.185.99.20/32 to 192.168.0.3 port = 873 flags S keep state group 100
# pass in svnserve connections
#pass in quick on OUTSIDE_INTERFACE proto tcp/udp from any to SUBVERSION_SERVER port = 3690 flags S keep state group 100
# pass in dcc connections to the mail server
pass in quick on rl0 proto udp from any to 192.168.0.3 port = 6277 keep state group 100
# Rule group for traffic headed to the Internet:
# Everything from our subnet is allowed to go out on the Internet.
# We'll limit what internal network traffic can reach the Internet via the
# incoming rules on the inside interface.
pass out quick on rl0 proto tcp/udp from any to any keep state group 200
pass out quick on rl0 proto icmp from any to any keep state group 200
# Rule group for traffic coming from our internal network:
# Allow Internal DHCP
pass in quick on xl0 proto udp from 192.168.0.0/24 to 192.168.0.254 port = 67 group 300
pass in quick on xl0 proto udp from 192.168.0.0/24 port = 38 to 192.168.0.255 port = 38 group 300
pass in quick on xl0 proto udp from 192.168.0.0/24 to 192.168.0.255 port = 138 group 300
# Allow inbound DNS queries as we are running bind on the firewall host.
pass in quick on xl0 proto udp from 192.168.0.0/24 to 192.168.0.254 port = 53 keep state group 300
# Allow outbound SSH to the Internet.
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 22 keep state group 300
# Allow FTP to the Internet
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 20 keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 21 keep state group 300
# Allow ident queries to the Internet (this happens when someone FTPs to us).
#pass in quick on INSIDE_INTERFACE proto tcp from INSIDE_NET to any port = 113 keep state group 300
# Allow http and HTTPS to the Internet.
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 80 keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 443 keep state group 300
# Allow AOL Instant messenger
pass in quick on xl0 proto tcp from 192.168.0.0/24 to 64.12.200.89 port = 5190 keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.0/24 to 64.12.30.216 port = 5190 keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 5190 keep state group 300
# Allow outbound SMTP.
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 25 keep state group 300
# Allow POP3
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 110 keep state group 300
# Allow IMAP4
#pass in quick on INSIDE_INTERFACE proto tcp from INSIDE_NET to any port = 143 keep state group 300
# allow juno
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 1793 flags S keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 1794 flags S keep state group 300
# allow news
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 119 flags S keep state group 300
# allow cvsup
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 5999 flags S keep state group 300
# allow cvs
pass in quick on xl0 proto tcp from 192.168.0.0/24 to any port = 2401 flags S keep state group 300
# allow cddb queries, used for ripit and maybe abcde as well.
pass in quick on xl0 proto tcp/udp from 192.168.0.0/24 to any port = 8880 keep state group 300
# allow ntp
pass in quick on xl0 proto udp from any to any port = 123 keep state group 300
# allow irc
pass in quick on xl0 proto tcp/udp from 192.168.0.0/24 to any port = 6667 keep state group 300
# allow whois lookups
pass in quick on xl0 proto tcp/udp from 192.168.0.0/24 to any port = 43 group 300
# allow outbound dcc queries from the mail server to dcc servers
pass in quick on xl0 proto udp from 192.168.0.3 to any port = 6277 keep state group 300
# allow razor queries from the smtp server to razor servers
pass in quick on xl0 proto tcp from 192.168.0.3 to any port = 2703 keep state group 300
pass in quick on xl0 proto tcp from 192.168.0.3 to any port = 7 keep state group 300
# Group for outbound traffic to our subnet:
#pass out quick on INSIDE_INTERFACE proto udp from DHCP_SERVER port = 67 to INSIDE_NET port = 68 keep state group 400
# Pass everything going out to our internal subnet, as any Internet traffic is
# governed by the inbound rules for the outside interface.
pass out quick on xl0 proto tcp/udp from any to 192.168.0.0/24 keep state group 400
pass out quick on xl0 proto icmp from any to 192.168.0.0/24 keep state group 400
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick all
block out log quick all
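As an added example (not part of Dave's post or of ipfilter itself), a small Python checker for the ipnat.rules above: it parses the map rules and flags any rule that can never be reached because an earlier map rule on the same interface, with no proxy/port restriction, already covers its source network. It assumes ipnat evaluates map rules first-match; run on the four rules above it reports the pptp proxy rule as shadowed by the general map rule in front of it.

```python
import ipaddress
import re

# Constructed copy of the ipnat.rules from the post, one map rule per line.
IPNAT_RULES = """\
map rl0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/24 -> 0.0.0.0/32
map rl0 192.168.0.0/24 -> 0/32 proxy port 1723 pptp/tcp
"""

# Only the 'map <iface> <src> -> <dst> [proxy port <port> <name>/<proto>]' form is handled.
MAP_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<port>\S+)\s+(?P<proxy>\S+))?\s*$"
)


def parse_map_rules(text):
    """Parse map lines into dicts (1-based line numbers); other lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line.startswith("map "):
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparsed map rule: {line}")
        rule = m.groupdict()
        rule["lineno"] = lineno
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        rules.append(rule)
    return rules


def shadowed_rules(rules):
    """Return (shadowed_line, shadowing_line) pairs.

    Assumption: ipnat uses the first matching map rule, so an earlier rule
    on the same interface with no 'proxy port' restriction (it matches every
    protocol) whose source network covers a later rule's source makes that
    later rule unreachable.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["iface"] == later["iface"]
                    and earlier["proxy"] is None
                    and later["src"].subnet_of(earlier["src"])):
                found.append((later["lineno"], earlier["lineno"]))
                break
    return found


if __name__ == "__main__":
    for shadowed, by in shadowed_rules(parse_map_rules(IPNAT_RULES)):
        print(f"map rule at line {shadowed} is never reached: line {by} matches first")
```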
