Hello all,

I'm getting dropped packets:
[ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b x.x.x.x,30404 -> x.x.x.x,443 PR tcp len 20 40 -AR IN
Here is my ruleset:
# This is to allow all localhost connections
pass in quick on lo0 all
pass out quick on lo0 all
# This will block any connection attempts unless explicitly opened below
block return-rst in log on bge0 proto tcp from any to x.y.z.122/32
block in log on bge0 proto udp from any to x.y.z.122/32
block in log proto icmp all
# This will block any outbound traffic except what is allowed explicitly below
block out log on bge0 proto tcp from x.y.z.122/32 to any
block out log on bge0 proto udp from x.y.z.122/32 to any
# This is for ssh to server from admin boxes
pass in quick on bge0 proto tcp from x.y.89.0/24 to x.y.z.122/32 port = 22 keep state keep frags
pass in quick on bge0 proto tcp from x.y.87.210 to any port = 22 flags S keep state keep frags
pass in quick on bge0 proto tcp from x.y.68.7/32 to x.y.z.122/32 port = 22 keep state keep frags
# This section is for netbackup
pass in quick on bge0 proto tcp from x.y.z.253/32 to any port 13781 >< 13784 flags S keep state keep frags
pass out quick on bge0 proto tcp from any to x.y.z.253/32 port = 13724 flags S keep state keep frags
pass out quick on bge0 proto tcp from any to x.y.z.253/32 port = 13720 flags S keep state keep frags
# This is to allow patrol connections
pass in quick on bge0 proto tcp from x.y.70.61/32 to any port = 3500 flags S keep state keep frags
pass in quick on bge0 proto tcp from x.y.89.0/24 to any port = 3500 flags S keep state keep frags
pass in quick on bge0 proto tcp from x.y.87.210/32 to any port = 3500 flags S keep state keep frags
# This is to allow port 80 and 443 web traffic to webserver
pass in quick on bge0 proto tcp from any to x.y.z.122/32 port = 80 flags S keep state keep frags
pass in quick on bge0 proto tcp from any to x.y.z.122/32 port = 443 flags S keep state keep frags
# This is to access the admin server for SunONE
pass in quick on bge0 proto tcp from x.y.89.25/32 to x.y.z.122/32 port = 8888 flags S keep state keep frags
# This is to allow Tripwire traffic
pass in quick on bge0 proto tcp from x.y.89.12/32 to x.y.z.122/32 port = 1169 flags S keep state keep frags
# This section is for broadvision NSAPI plug-in to talk to app servers
pass out quick on bge0 proto tcp from any to x.y.z.124 port 3999 >< 4016 flags S keep state keep frags
pass out quick on bge0 proto tcp from any to x.y.z.125 port 3999 >< 4016 flags S keep state keep frags
pass out quick on bge0 proto tcp from any to x.y.z.126 port 3999 >< 4016 flags S keep state keep frags
pass out quick on bge0 proto tcp from any to x.y.z.127 port 3999 >< 4016 flags S keep state keep frags
# This will allow ssh out to any box in the environment
#pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.0/24 port = 22 flags S keep state keep frags
# This will enable communication with the NFS server
pass out quick on bge0 proto tcp/udp from x.y.z.122/32 to x.y.z.131 port = 111 keep state keep frags
pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.131 port = 63000 flags S keep state keep frags
pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.131 port = 54555 flags S keep state keep frags
pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.131 port = 63111 flags S keep state keep frags
pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.131 port = 45555 flags S keep state keep frags
# This is to allow syslog traffic to cgw-logs
pass out quick on bge0 proto udp from x.y.z.122/32 to x.y.z.139/32 port = 514 keep state keep frags
# This is to allow ntp traffic
pass out quick on bge0 proto tcp/udp from x.y.z.122/32 to 192.168.49.85/32 port = 123 keep state keep frags
# This is to allow SMTP traffic
pass out quick on bge0 proto tcp from x.y.z.122/32 to x.y.z.32/32 port = 25 flags S keep state keep frags
pass out quick on bge0 proto tcp from x.y.z.122/32 to 152.121.36.8/32 port = 25 flags S keep state keep frags
# This is to allow port 80 traffic to xxx.yyy.zzz for RSS feed
pass out quick on bge0 proto tcp from any to any port = 80 flags S keep state keep frags
# This is to allow DNS lookups to DMZ DNS servers
pass out quick on bge0 proto tcp/udp from any to x.y.z.19 port = 53 keep state keep frags
pass out quick on bge0 proto tcp/udp from any to 199.211.215.66 port = 53 keep state keep frags
pass out quick on bge0 proto tcp/udp from any to 199.211.217.2 port = 53 keep state keep frags
pass out quick on bge0 proto tcp/udp from any to 199.211.216.6 port = 53 keep state keep frags
SunOS <hostname> 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V240
64-bit sparcv9 kernel modules
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet X.X.X.122 netmask ffffff00 broadcast X.X.X.255
ether 0:3:ba:61:4f:ef
Name  Mtu   Net/Dest  Address   Ipkts     Ierrs  Opkts     Oerrs  Collis  Queue
lo0 8232 loopback localhost 6 0 6 0 0 0
bge0 1500 host host 30466417 0 44709462 0 0 0
netstat -s -P ip
IPv4
ipForwarding = 2 ipDefaultTTL = 255
ipInReceives =27732387 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =26958799 ipOutRequests =44581799
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 16353
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 54
ipf -V
ipf: IP Filter: v3.4.32 (496)
Kernel: IP Filter: v3.4.32
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
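As an added illustration (not part of the original post), here is a small Python parser for ipmon lines in the format quoted above; it reports which rule fired and, for blocked TCP packets, whether the packet was a fresh SYN with no matching pass rule or, as with the -AR packet in the post, a RST/ACK arriving after the state entry for that session was already gone. The regex is built from that single line and the classification heuristics are my own assumptions; the extra log lines in the test are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Pattern derived from the single ipmon line in the post (assumption: other
# ipmon variants, e.g. short-packet markers, are not covered). Fields: time,
# interface, @group:rule that matched, action (b=block, p=pass), src,port ->
# dst,port, protocol, header/total length, optional TCP flags, direction.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)"
    r"\s+(?P<action>[bp])\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)"
)

@dataclass
class IpmonEvent:
    rule: str          # "group:number" as printed by ipmon, e.g. "0:2"
    action: str        # "b" (block) or "p" (pass)
    src: str
    dst: str
    dport: int
    proto: str
    flags: str         # TCP flags without the leading "-", "" for non-TCP
    direction: str

def parse_ipmon(line: str) -> Optional[IpmonEvent]:
    """Parse one ipmon line (a syslog prefix is allowed); None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    return IpmonEvent(f"{m['group']}:{m['rule']}", m["action"], m["src"], m["dst"],
                      int(m["dport"]), m["proto"], m["flags"] or "", m["dir"])

def classify(ev: IpmonEvent) -> str:
    """Rough reason a blocked TCP packet hit a block rule instead of an existing state."""
    if ev.action != "b" or ev.proto != "tcp":
        return "other"
    if "S" in ev.flags and "A" not in ev.flags:
        return "new-connection"   # bare SYN: no pass rule opens this port
    if "R" in ev.flags or "F" in ev.flags:
        return "stale-session"    # RST/FIN after the state entry expired (usually benign)
    return "stray-ack"            # ACK without SYN: late retransmit or asymmetric path

def summarize(lines) -> dict:
    """Count blocked packets per (rule, classification) across a batch of log lines."""
    counts = Counter()
    for line in lines:
        ev = parse_ipmon(line)
        if ev and ev.action == "b":
            counts[(ev.rule, classify(ev))] += 1
    return dict(counts)
```

Run over a day of ipmon output, a high count of stale-session hits on rule 0:2 for port 443 points at normal session teardown rather than a misconfigured pass rule.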
