Re: Where did I go wrong?

[mdpeters]

Here is the ipfstat output as requested. What does this really tell me?
# ipfstat -ionh
5251 @1 log level local7.debug out on qfe0 all
0 @2 log level local7.debug out on qfe2 all
1541 @3 log level local7.debug out on hme0 all
1541 @4 block out on hme0 all
0 @5 block out log quick on hme0 from any to 192.168.0.0/16
0 @6 block out log quick on hme0 from any to 172.16.0.0/12
0 @7 block out log quick on hme0 from any to 10.0.0.0/8
0 @8 block out log quick on hme0 from any to 127.0.0.0/8
0 @9 block out log quick on hme0 from any to 0.0.0.0/8
0 @10 block out log quick on hme0 from any to 169.254.0.0/16
0 @11 block out log quick on hme0 from any to 192.0.2.0/24
0 @12 block out log quick on hme0 from any to 204.152.64.0/23
1541 @13 block out log quick on hme0 from any to 224.0.0.0/3
5264 @14 pass out quick on qfe0 all
0 @15 pass out quick on qfe2 all
0 @16 pass out quick on lo0 all
0 @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to 
any port = smtp keep state
0 @18 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain 
to any port = domain keep state
0 @19 pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain 
to any port = domain
0 @20 pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = 
ntp to any port = ntp
0 @21 pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
0 @22 pass out quick on hme0 proto udp from 172.16.0.0/12 to any
0 @23 pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
7004 @1 log level local7.debug in on qfe0 all
0 @2 log level local7.debug in on qfe2 all
0 @3 log level local7.debug in on hme0 all
0 @4 block in on hme0 all
0 @5 block in log quick on hme0 from 192.168.0.0/16 to any
0 @6 block in log quick on hme0 from 172.16.0.0/12 to any
0 @7 block in log quick on hme0 from 10.0.0.0/8 to any
0 @8 block in log quick on hme0 from 127.0.0.0/8 to any
0 @9 block in log quick on hme0 from 0.0.0.0/8 to any
0 @10 block in log quick on hme0 from 169.254.0.0/16 to any
0 @11 block in log quick on hme0 from 192.0.2.0/24 to any
0 @12 block in log quick on hme0 from 204.152.64.0/23 to any
0 @13 block in log quick on hme0 from 224.0.0.0/3 to any
0 @14 block in quick on hme0 proto tcp from any port = 113 to any
0 @15 block in log quick from any to any with short
0 @16 block in log quick on hme0 from any to 68.16.185.128/27
0 @17 block in log quick on hme0 proto icmp from any to any
0 @18 block in log quick on hme0 proto tcp from any to any port = telnet
0 @19 block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
0 @20 block in log quick on hme0 proto tcp from any to any port = login
0 @21 block in log quick on hme0 proto tcp/udp from any to any port = 514
0 @22 block in log quick on hme0 proto tcp from any to any port = printer
0 @23 block in log quick on hme0 proto tcp from any to any port = 1214
0 @24 block in log quick on hme0 proto tcp/udp from any to any port = nfsd
0 @25 block in log quick on hme0 proto tcp from any to any port = 4661
0 @26 block in log quick on hme0 proto tcp from any to any port = 4662
0 @27 block in log quick on hme0 proto udp from any to any port = 4665
0 @28 block in log quick on hme0 proto tcp from any to any port = 5190
0 @29 block in log quick on hme0 proto udp from any to any port = 4000
0 @30 block in log quick on hme0 proto tcp from any to any port = 6000
0 @31 block in log quick on hme0 proto udp from any to any port = 8998
7038 @32 pass in quick on qfe0 from any to any
0 @33 pass in quick on qfe2 from any to any
0 @34 pass in quick on lo0 all
0 @35 pass in quick on hme0 proto tcp from any port = smtp to 
68.16.185.134/32 port = smtp keep state
0 @36 pass in quick on hme0 proto udp from any port = domain to 
68.16.185.134/32 port = domain keep state
0 @37 pass in quick on hme0 proto udp from any port = domain to 
68.16.185.134/32 port = domain
0 @38 pass in quick on hme0 proto tcp from any port = ntp to 
68.16.185.134/32 port = ntp keep state
0 @39 pass in quick on hme0 proto udp from any port = 443 to 
68.16.185.135/32 port = 443 keep state
0 @40 pass in quick on hme0 proto udp from any port = 22 to 
68.16.185.135/32 port = 22 keep state
0 @41 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.158/32 port = ssh keep state
0 @42 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.158/32 port = 80 keep state
0 @43 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.158/32 port = 443 keep state
0 @44 pass in quick on hme0 proto tcp from any port = 12345 to 
68.16.185.158/32 port = 12345 keep state
0 @45 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.154/32 port = ssh keep state
0 @46 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.154/32 port = 80 keep state
0 @47 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.154/32 port = 443 keep state
0 @48 pass in quick on hme0 proto tcp from any port = 12345 to 
68.16.185.154/32 port = 12345 keep state
0 @49 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.136/32 port = ssh keep state
0 @50 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.136/32 port = 80 keep state
0 @51 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.136/32 port = 443 keep state
0 @52 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.140/32 port = ssh keep state
0 @53 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.140/32 port = 80 keep state
0 @54 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.140/32 port = 443 keep state
0 @55 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.141/32 port = ssh keep state
0 @56 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.141/32 port = 80 keep state
0 @57 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.141/32 port = 443 keep state
0 @58 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.142/32 port = ssh keep state
0 @59 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.142/32 port = 80 keep state
0 @60 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.142/32 port = 443 keep state
0 @61 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.143/32 port = ssh keep state
0 @62 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.143/32 port = 80 keep state
0 @63 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.143/32 port = 443 keep state
0 @64 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.144/32 port = ssh keep state
0 @65 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.144/32 port = 80 keep state
0 @66 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.144/32 port = 443 keep state
0 @67 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.145/32 port = ssh keep state
0 @68 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.145/32 port = 80 keep state
0 @69 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.145/32 port = 443 keep state
0 @70 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.146/32 port = ssh keep state
0 @71 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.146/32 port = 80 keep state
0 @72 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.146/32 port = 443 keep state
0 @73 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.147/32 port = ssh keep state
0 @74 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.147/32 port = 80 keep state
0 @75 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.147/32 port = 443 keep state
0 @76 pass in quick on hme0 proto tcp from any port = ssh to 
68.16.185.148/32 port = ssh keep state
0 @77 pass in quick on hme0 proto tcp from any port = 80 to 
68.16.185.148/32 port = 80 keep state
0 @78 pass in quick on hme0 proto tcp from any port = 443 to 
68.16.185.148/32 port = 443 keep state



Stuart Remphrey wrote:
Oops. Had meant to write "ipfstat", as in "ipfstat -ionh" or similar;
had been looking at some iostat output myself just before writing
the previous reply!
Rgds, Stuart.

Stuart Remphrey
RMIT ITS Infrastructure Services - Unix Systems
Phone (03) 992 55 070  (or extension 55070)

mdpeters <[EMAIL PROTECTED]> 22/01/07 11:45 PM >>>


This command on Solaris reports disk activity only. I posted to the 
group yesterday some more information.

I appreciate your help.


Stuart Remphrey wrote:

My suggestion was just to add the "n" and "h" options
to your existing "iostat" command when dumping the
rules list which you'd attached to your original email.

However from later emails the pfil module isn't loaded yet,
so while there's a rule table in the kernel, nothing's using it.




On 19-Jan-07 at 9:29 am, in message

<[EMAIL PROTECTED]>,
mdpeters <[EMAIL PROTECTED]> wrote:


Would I place "iostat -ionh" after each rule or just on certain

ones?


Stuart Remphrey wrote:


Hi,

I see someone's mentioned collecting the log output, you may also
find "iostat -ionh" helpful. The "h" gives the hit rate per rule

that


fired,
the blocking ones will tell you what's stopping the packets.

Note however that the line numbering ("n" option) is the entry

number


in the IN or OUT filter table (two separate counts), not the lines
in your source file, so you'll have to match the rule text against
your input file.

HTH, rgds, Stuart.





On 17-Jan-07 at 1:51 pm, in message

<[EMAIL PROTECTED]>,
mdpeters <[EMAIL PROTECTED]> wrote:



I am new to IPFilter. My experience comes from other firewalls. I

have 



what seems like a proper build from following all sorts of example 
documents out there. My problem is that nothing seems to pass

through


the system. I am not sure if it is a NAT issue or rule

misconfiguration 



on my part. If someone could critique an excerpt of what I have and

clue 



me into what I am doing wrong I would certainly appreciate it.

I cut down the rules for simplicity sake. Everything follows:

# uname -a
SunOS Osiris 5.10 Generic_118833-17 sun4u sparc

SUNW,UltraSPARC-IIi-cEngine



# isainfo -vk
64-bit sparcv9 kernel modules

#  ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>

mtu


8232 index 1
     inet 127.0.0.1 netmask ff000000
hme0: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500

index 2



     inet 68.16.185.30 netmask fffffff0 broadcast 68.16.185.43
     ether 8:0:20:f9:c5:44
qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu

1500 



index 3
     inet 192.168.200.108 netmask ffffff00 broadcast

192.168.200.255



     ether 8:0:20:f9:c5:44
qfe2: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500

index 4



     inet 192.168.201.8 netmask ffffff00 broadcast

192.168.201.255



     ether 8:0:20:f9:c5:44
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL>

mtu


8252 index 1
     inet6 ::1/128
hme0: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500

index


3



     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44
qfe2: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 4
     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44

# netstat -rn

Routing Table: IPv4
Destination           Gateway           Flags  Ref   Use  

Interface



-------------------- -------------------- ----- ----- ------

---------



68.16.185.28        68.16.185.30        U         1      0  hme0
192.168.200.0        192.168.200.108      U         1    618  qfe0
192.168.201.0        192.168.201.8        U         1      0  qfe2
192.168.202.0        192.168.200.59       UG        1      0
192.168.204.0        192.168.201.169      UG        1      0
172.16.0.0           192.168.200.59       UG        1      7
224.0.0.0            68.16.185.130        U         1      0  hme0
default              68.16.185.128        UG        1      0
127.0.0.1            127.0.0.1            UH        4     77  lo0

Routing Table: IPv6
Destination/Mask            Gateway                   Flags Ref  

Use   If



--------------------------- --------------------------- ----- ---

------ 



-----
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1   


0 



hme0
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1   


0 



qfe0
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1   


0 



qfe2
ff00::/8                    fe80::a00:20ff:fef9:c544    U       1   


0 



hme0
::1                         ::1                         UH      1   


14 lo0



# netstat -i
Name  Mtu  Net/Dest      Address        Ipkts  Ierrs Opkts  Oerrs

Collis 



Queue
lo0   8232 loopback      localhost      209    0     209    0     0 


 0



hme0  1500 Osiris        Osiris         0      0     0      0     0 


 0



qfe0  1500 192.168.200.0 192.168.200.108 265242 0     9572   0     0


  0



qfe2  1500 192.168.201.0 192.168.201.8  0      0     0      0     0 


 0



Name  Mtu  Net/Dest                    Address                    

Ipkts 



Ierrs Opkts  Oerrs Collis
lo0   8252 localhost                   localhost                  

209 



0     209    0     0
hme0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544   

0


0     0      0     0
qfe0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 
265252 0     9583   0     0
qfe2  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544   

0


0     0      0     0

# netstat -s -P ip

IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
     ipInReceives        =  6594     ipInHdrErrors       =     0
     ipInAddrErrors      =     0     ipInCksumErrs       =     0
     ipForwDatagrams     =     0     ipForwProhibits     =     0
     ipInUnknownProtos   =     0     ipInDiscards        =     0
     ipInDelivers        =  6679     ipOutRequests       = 13135
     ipOutDiscards       =     0     ipOutNoRoutes       =     6
     ipReasmTimeout      =    60     ipReasmReqds        =     0
     ipReasmOKs          =     0     ipReasmFails        =     0
     ipReasmDuplicates   =     0     ipReasmPartDups     =     0
     ipFragOKs           =     0     ipFragFails         =     0
     ipFragCreates       =     0     ipRoutingDiscards   =     0
     tcpInErrs           =     0     udpNoPorts          =    17
     udpInCksumErrs      =     0     udpInOverflows      =     0
     rawipInOverflows    =     0     ipsecInSucceeded    =     0
     ipsecInFailed       =     0     ipInIPv6            =     0
     ipOutIPv6           =     0     ipOutSwitchIPv6     =     0

# ipf -V
ipf: IP Filter: v4.0.3 (592)
Kernel: IP Filter: v4.0.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

# ipfstat
bad packets:            in 0    out 0
IPv6 packets:          in 0 out 18
input packets:         blocked 0 passed 6618 nomatch 0 counted 0

short 0



output packets:         blocked 6508 passed 6677 nomatch 9 counted

0


short 0



input packets logged:  blocked 0 passed 0
output packets logged:  blocked 6508 passed 0
packets logged:        input 6618 output 13167
log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  0       (out):  9
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  32      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      834285
Packet log flags set: (0)
     none

# ipfstat -io
log level local7.debug out on qfe0 all
log level local7.debug out on qfe2 all
log level local7.debug out on hme0 all
block out log quick on hme0 from any to 192.168.0.0/16
block out log quick on hme0 from any to 172.16.0.0/12
block out log quick on hme0 from any to 10.0.0.0/8
block out log quick on hme0 from any to 127.0.0.0/8
block out log quick on hme0 from any to 0.0.0.0/8
block out log quick on hme0 from any to 169.254.0.0/16
block out log quick on hme0 from any to 192.0.2.0/24
block out log quick on hme0 from any to 204.152.64.0/23
block out log quick on hme0 from any to 224.0.0.0/3
pass out quick on qfe0 all
pass out quick on qfe2 all
pass out quick on lo0 all
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to

any 



port = smtp keep state
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain

to


any 



port = domain keep state
pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain

to


any 



port = domain
pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port =

ntp


to 



any port = ntp
pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep

state



pass out quick on hme0 proto udp from 172.16.0.0/12 to any
pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep

state



log level local7.debug in on qfe0 all
log level local7.debug in on qfe2 all
log level local7.debug in on hme0 all
block in all
block in log quick on hme0 from 192.168.0.0/16 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 0.0.0.0/8 to any
block in log quick on hme0 from 169.254.0.0/16 to any
block in log quick on hme0 from 192.0.2.0/24 to any
block in log quick on hme0 from 204.152.64.0/23 to any
block in log quick on hme0 from 224.0.0.0/3 to any
block in quick on hme0 proto tcp from any port = 113 to any
block in log quick from any to any with short
block in log quick on hme0 from any to 68.16.185.28/27
block in log quick on hme0 proto icmp from any to any
block in log quick on hme0 proto tcp from any to any port = telnet
block in log quick on hme0 proto tcp/udp from any to any port =

sunrpc



block in log quick on hme0 proto tcp from any to any port = login
block in log quick on hme0 proto tcp/udp from any to any port = 514
block in log quick on hme0 proto tcp from any to any port = printer
block in log quick on hme0 proto tcp from any to any port = 1214
block in log quick on hme0 proto tcp/udp from any to any port =

nfsd


block in log quick on hme0 proto tcp from any to any port = 4661
block in log quick on hme0 proto tcp from any to any port = 4662
block in log quick on hme0 proto udp from any to any port = 4665
block in log quick on hme0 proto tcp from any to any port = 5190
block in log quick on hme0 proto udp from any to any port = 4000
block in log quick on hme0 proto tcp from any to any port = 6000
block in log quick on hme0 proto udp from any to any port = 8998
pass in quick on qfe0 from any to any
pass in quick on qfe2 from any to any
pass in quick on lo0 all
pass in quick on hme0 proto tcp from any port = smtp to

68.16.185.34/32 



port = smtp keep state
pass in quick on hme0 proto udp from any port = domain to 
68.16.185.34/32 port = domain keep state
pass in quick on hme0 proto udp from any port = domain to 
68.16.185.34/32 port = domain
pass in quick on hme0 proto tcp from any port = ntp to

68.16.185.34/32 



port = ntp keep state

# ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   44
wilds   0
table ffffffff7ffffba0 list 30002026340
List of active MAP/Redirect filters:
map hme0 192.168.200.40/32 -> 68.16.185.33/32
map hme0 68.16.185.133/32 -> 192.168.200.40/32
map hme0 192.168.200.59/32 -> 68.16.185.34/32
map hme0 68.16.185.134/32 -> 192.168.200.59/32


List of active sessions:

List of active host mappings: