Here is a common ipf.conf I install on customers' public machines.
Maybe someone can help me find the correct way to place "keep state" and
"flags" where I did not?
I added upper case comments pertaining to the issue.
#Everything is safe on loopback and local network
pass out quick on lo0 all
pass in quick on lo0 all
pass out quick on @privatedevice all
pass in quick on @privatedevice all
#No private or strange packets from the inside to the outside
block out quick on @publicdevice from any to 192.168.0.0/16
block out quick on @publicdevice from any to 172.16.0.0/12
block out quick on @publicdevice from any to 127.0.0.0/8
block out quick on @publicdevice from any to 10.0.0.0/8
block out quick on @publicdevice from any to 0.0.0.0/8
block out quick on @publicdevice from any to 169.254.0.0/16
block out quick on @publicdevice from any to 192.0.2.0/24
block out quick on @publicdevice from any to 204.152.64.0/23
block out quick on @publicdevice from any to 224.0.0.0/3
#Pass anything from the public network to the Internet
#and keep state for reply packets to be accepted
pass out quick on @publicdevice from @publicip/32 to any keep state
#Pass NAT for @domain
#Uncomment to enable
#pass out quick on @publicdevice from @privatenetwork/@privatebits to any keep state
#Block anything else going out
block out log quick on @publicdevice from any to any
#Block any spoofing or strange packet coming from the Internet
block in quick on @publicdevice from 192.168.0.0/16 to any
block in quick on @publicdevice from 172.16.0.0/12 to any
block in quick on @publicdevice from 10.0.0.0/8 to any
block in quick on @publicdevice from 127.0.0.0/8 to any
block in quick on @publicdevice from 0.0.0.0/8 to any
block in quick on @publicdevice from 169.254.0.0/16 to any
block in quick on @publicdevice from 192.0.2.0/24 to any
block in quick on @publicdevice from 204.152.64.0/23 to any
block in quick on @publicdevice from 224.0.0.0/3 to any
block in log quick on @publicdevice from @privatenetwork/@privatebits to any
block in log quick on @publicdevice from any to @privatebroadcast0/32
block in log quick on @publicdevice from any to @privatebroadcast1/32
#Permit normal ICMP (ping, traceroute) but not spoofed ICMP
#THIS NEVER SEEMS TO WORK!!!
pass in quick on @publicdevice proto icmp from any to @publicip/32 icmp-type 0
pass in quick on @publicdevice proto icmp from any to @publicip/32 icmp-type 11
block in log quick on @publicdevice proto icmp from any to any
#Permit specific services from the outside to public machines (ssh, smtp, http, https, imaps)
#THIS IS THE AREA THAT WORKS FROM VISTA IF I ADD KEEP STATE
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 22
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 25
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 80
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 443
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 993
#Block anything else from the outside
block in log quick on @publicdevice from any to any
pass in all
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
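The stateful form of the ICMP and TCP service sections that the post is asking about, as an added example; this is not the poster's config, and it assumes the same @publicdevice and @publicip template placeholders as the ipf.conf above. Two things change. Inbound pings from the Internet are echo requests (icmp-type 8), which the posted rules never pass, while the echo replies and time-exceeded messages (types 0 and 11) that the server receives for its own pings and traceroutes already match the state created by the outbound "keep state" rule, since ipf 4 matches returning ICMP errors against the state of the packet they quote. For TCP, adding "flags S/SA keep state" on the inbound service rules creates the state entry on the client's SYN; with the posted rules the entry is instead created by the server's SYN/ACK matching the outbound rule, so ipf never sees the client's SYN options (window scale among them) and tracks the connection from a half-seen handshake. "S/SA" tests only the SYN and ACK bits, so a SYN that also carries the ECE and CWR bits for ECN negotiation still matches.

```conf
# Added example: stateful rewrite of the ICMP and TCP service sections.
# @publicdevice and @publicip are assumed to be the same template
# variables as in the posted ipf.conf.

# Echo requests from the Internet (what an outside "ping" sends) are type 8,
# not type 0; keep state so the echo reply is matched to this entry.
# Replies to the server's own pings and traceroutes (types 0 and 11) ride
# on the state created by the outbound "keep state" rule and need no
# separate inbound pass.
pass in quick on @publicdevice proto icmp from any to @publicip/32 icmp-type 8 keep state
block in log quick on @publicdevice proto icmp from any to any

# Create the TCP state entry on the client's SYN. "flags S/SA" means SYN
# set and ACK clear, with every other bit ignored, so an ECN-setup SYN
# (ECE+CWR set) still matches. Seeing the SYN lets ipf record the client's
# options; a state entry created later from the server's SYN/ACK has not.
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 22 flags S/SA keep state
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 25 flags S/SA keep state
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 80 flags S/SA keep state
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 443 flags S/SA keep state
pass in quick on @publicdevice proto tcp from any to @publicip/32 port = 993 flags S/SA keep state

# Everything else from the outside is still logged and dropped.
block in log quick on @publicdevice from any to any
```

After loading the rules with `ipf -Fa -f /etc/ipf/ipf.conf`, `ipfstat -io` shows what was actually installed and `ipfstat -s` shows the state table; a `ping` and an ssh connection from the Vista client should each leave one entry there, and anything still dropped shows up in `ipmon` output with the number of the block rule that hit it.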
----------------------------------------------------------------------------------
From: Jefferson Ogata <[EMAIL PROTECTED]>
To: [email protected]
Date: 23 April 2007 18:14:32 CEST
Subject: Re: Windows Vista and ipfilter servers
On 2007-04-23 10:26, Gabriele Bulfon wrote:
> I have more data:
> - Some servers run fine, and there I have the original IPFilter that
> comes with Solaris 10
> - The ones that fail are those that I upgraded to IPFilter 4.1.9 or
> 4.1.10 by rebuilding from sources (something was not correctly working
> on AMD installations, so I had to upgrade).
>
> What I don't understand, is why this problem comes up only if I connect
> through Vista, and only on some ports.
Maybe you have TCP window issues, or maybe Vista uses ECN in a way your
ipfilter config doesn't allow for.
I recommend you examine TCP flags and options in your packet traces to
see if there's a difference there between XP and Vista.
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service