Okay, I believe that the attached text file has all of the required system and problem information in it to properly assess my problem.

Basically, I am trying to set IP Filter to block all incoming traffic except for www/pop3/smtp/ssh (which I will allow through certain ports). And from what I've read and heard, IP Filter reads through all rules that apply to a specific packet and then applies either the last rule that fits the case or the first quick rule that applies to the situation. I think that I have my rules set correctly, but am not entirely sure (since I'm pretty new to IP Filter). But whatever the case may be, when I try to tunnel into my system, it is blocked (supposedly by IP Filter).

I am using OpenSSH as my SSH server and have always been able to tunnel into the system (the same machine that will be hosting IP Filter) before enabling IP Filter. I can also flush all of my rules ("ipf -Fa") and then tunnel into the system.

If any more information is required just let me know =)

-Brad
# uname -a output
FreeBSD paper.birdfish 6.0-RELEASE-p7 FreeBSD 6.0-RELEASE-p7 #0: Sun Apr 23 20:17:08 EST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
# No isainfo available.
# ifconfig -a output
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fe82:67e7%vr0 prefixlen 64 scopeid 0x1
inet MY.NET.WORK.50 netmask 0xffffff00 broadcast MY.NET.WORK.255
ether 00:15:f2:82:67:e7
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
# netstat -rn output
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default MY.NET.WORK.254 UGS 0 25504 vr0
127.0.0.1 127.0.0.1 UH 0 50 lo0
MY.NET.WORK link#1 UC 0 0 vr0
MY.NET.WORK.137 00:e0:18:d2:d0:1a UHLW 1 1 vr0 1030
MY.NET.WORK.254 00:0f:cc:05:89:74 UHLW 2 0 vr0 978
Internet6:
Destination Gateway Flags
Netif Expire
::1 ::1 UH lo0
fe80::%vr0/64 link#1 UC vr0
fe80::215:f2ff:fe82:67e7%vr0 00:15:f2:82:67:e7 UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#3 UHL lo0
ff01::/32 ::1 U lo0
ff02::%vr0/32 link#1 UC vr0
ff02::%lo0/32 ::1 UC lo0
# netstat -i output
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
vr0 1500 <Link#1> 00:15:f2:82:67:e7 85283 0 26162 0 0
vr0 1500 fe80:1::215:f fe80:1::215:f2ff: 0 - 4 - -
vr0 1500 MY.NET.WORK MY.NET.WORK.50 23820 - 25890 - -
plip0 1500 <Link#2> 0 0 0 0 0
lo0 16384 <Link#3> 50 0 50 0 0
lo0 16384 localhost ::1 0 - 0 - -
lo0 16384 fe80:3::1 fe80:3::1 0 - 0 - -
lo0 16384 your-net localhost 50 - 50 - -
# netstat -s -p ip output
ip:
25185 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
24267 packets for this host
9 packets for unknown/unsupported protocol
0 packets forwarded (0 packets fast forwarded)
826 packets not forwardable
0 packets received for unknown multicast group
0 redirects sent
26241 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
# ipf -V output
ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10f
# ipfstat output
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 83 passed 15817 nomatch 6425 counted 0 short 0
output packets: blocked 0 passed 19824 nomatch 9446 counted 0 short 0
input packets logged: blocked 83 passed 1596
output packets logged: blocked 0 passed 1290
packets logged: input 0 output 0
log failures: input 1576 output 1147
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 12 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 32 TCP RSTs sent: 3
Invalid source(in): 0
Result cache hits(in): 7817 (out): 9008
IN Pullups succeeded: 8 failed: 0
OUT Pullups succeeded: 31 failed: 0
Fastroute successes: 35 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 28784
Packet log flags set: (0)
none
# ipfstat -io output
pass out quick on lo0 all
pass out on vr0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to MY.NET.WORK.50/32 group 100
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
block in log on vr0 from any to any head 200
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from MY.NET.WORK.50/32 to any group 200
pass in quick proto tcp from any to any port = http keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = smtp keep state group 200
pass in quick proto tcp from any to any port = ssh flags S/SA keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp in log quick proto udp from any to any group 200
# ipnat -slv output
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 0
wilds 0
table 0xbfbfeccc list 0x0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
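As an added illustration of the evaluation order the post describes (last matching rule wins unless a matching rule is quick, with head/group rules), here is a simplified model of my own, not IP Filter's code and not part of the original message: it transcribes the inbound vr0 rules from the ipfstat -io listing and evaluates constructed packets against them. It assumes the state table is empty for each packet, leaves out the lo0, ipopts and short rules, and matches source addresses by string prefix, with the page's MY.NET.WORK.50 placeholder kept as-is.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str                  # "pass", "block", "block return-rst", ...
    quick: bool = False          # quick: stop evaluating if this rule matches
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # destination port; None matches any
    syn_only: bool = False       # "flags S/SA": matches only the initial SYN
    src: Optional[str] = None    # simplified source match: address prefix
    head: Optional[int] = None   # rule is the head of this group
    group: Optional[int] = None  # rule belongs to this group

# Inbound vr0 rules from the ipfstat -io listing (lo0, ipopts and short rules
# omitted); "MY.NET.WORK.50" is kept as the placeholder the page uses.
RULES = [
    Rule("block", head=200),
    Rule("block", quick=True, src="127.", group=200),
    Rule("block", quick=True, src="MY.NET.WORK.50", group=200),
    Rule("pass", quick=True, proto="tcp", dport=80, group=200),   # http
    Rule("pass", quick=True, proto="tcp", dport=110, group=200),  # pop3
    Rule("pass", quick=True, proto="tcp", dport=25, group=200),   # smtp
    Rule("pass", quick=True, proto="tcp", dport=22, syn_only=True, group=200),
    Rule("block return-rst", proto="tcp", syn_only=True, group=200),
    Rule("block return-icmp", quick=True, proto="udp", group=200),
]
def matches(r: Rule, pkt: dict) -> bool:
    return ((r.proto is None or r.proto == pkt["proto"])
            and (r.dport is None or r.dport == pkt["dport"])
            and (not r.syn_only or pkt["syn_only"])
            and (r.src is None or pkt["src"].startswith(r.src)))

def evaluate(pkt: dict, rules=RULES) -> str:
    """Decision for an inbound vr0 packet with no state-table entry: last match
    wins unless a matching rule is quick; a group is read only after its head."""
    result = "pass"              # ipf -V reports "Default: pass all"
    for r in rules:
        if r.group is not None or not matches(r, pkt):
            continue             # group members are reached via their head only
        result = r.action
        if r.quick:
            return result
        if r.head is not None:
            for g in (x for x in rules if x.group == r.head):
                if matches(g, pkt):
                    result = g.action
                    if g.quick:
                        return result
    return result
```

Under this model an initial SYN to port 22 passes, while a TCP packet to port 22 that is not an initial SYN and has no state entry falls back to the logged block of the head rule, and a SYN to any other TCP port ends at the non-quick return-rst rule.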
