topic Re: IPFilter disenables my services? in Operating System - HP-UX

IPFilter disenables my services?

SeaMark_1 — Thu, 06 Jan 2005 03:19:11 GMT

This's my first time to configure IPFilter.

Fllow some examples, I configured IPFilter like this:

=========
root@xkbqd07# ipfstat -i
pass in quick on lo0 from any to any
block in quick from 10.0.0.0/8 to any
block in log quick from 172.16.0.0/12 to any
pass in quick proto icmp from any to 210.76.128.0/24 icmp-type echo
pass in quick proto icmp from any to 210.76.128.0/24 icmp-type echorep
pass in quick proto tcp/udp from any port = portmap to any keep state
pass in quick proto tcp from any port = 1110 to any keep state
pass in quick proto tcp/udp from any to any port = 1110
pass in log quick proto tcp from any to any port = 123 keep state
pass in log first quick proto tcp from any port = 2049 to any keep state
pass in log first quick proto tcp from any to any port = 2049 keep state
pass in quick proto tcp/udp from any to any port = domain keep state
pass in quick proto tcp from any to any port = 1188 keep state
pass in quick proto tcp from any to any port = 21 keep state
pass in quick proto tcp from any to any port = 20 keep state
pass in quick proto tcp from any port = 20 to any port > 1023 keep state
pass in quick proto tcp from any to any port = 873 keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in log level auth.info quick proto tcp from any to any port = 23 keep state
pass in quick proto tcp/udp from any to any port = http keep state
pass in log quick proto tcp/udp from any to any port 510 >< 517 keep state
pass in log quick proto tcp/udp from any port 510 >< 517 to any keep state
pass in quick proto tcp/udp from any to any port = 520 keep state
pass in quick proto tcp from any to any port = 25 keep state
pass in quick proto tcp from any to any port = 110 keep state
block in from any to any

======================

root@xkbqd07# ipfstat -o
pass out quick on lo0 from any to any
pass out quick proto tcp/udp from any to any port = portmap keep state
pass out quick proto tcp from any to any port = 1110 keep state
pass out log quick proto tcp from any to any port = 123 keep state
pass out log first quick proto tcp from any to any port = 2049 keep state
pass out quick proto tcp/udp from any to any port = domain keep state
pass out quick proto tcp from any to any port = 873 keep state
pass out log level auth.info quick proto tcp from any to any port = 23 keep state
pass out log quick proto tcp/udp from any port 510 >< 517 to any keep state
pass out log quick proto tcp/udp from any to any port 510 >< 517 keep state
pass out quick proto tcp from any to any port = 25 keep state
pass out from any to any

=======

Now, SSH/DNS/Telnet/rlogin/rsync work properly.

But remsh&NFS is off work.

I checked /etc/services and found rlogin uses port 513, against remsh used port 514, which implys some differece?

Especially, does NFS uses another ports except portmap(111) and nfsd(2049) port ??

Post the thread for help. :-)
Any sugguest is appreciated !

All the best.

Re: IPFilter disenables my services?

Biswajit Tripathy — Thu, 06 Jan 2005 03:42:16 GMT

To be able to debug this more effectively, remove
the "log" keyword from all the rules and replace the
rule "block in from any to any" by
"block in log from any to any".

Redirect "ipmon" output to a file, try to use
the services (e.g remsh and NFS) that are not
working and post the log file here. To redirect the
"ipmon" output to a file, kill "ipmon" process and
run it again using following command:

# ipmon -v /tmp/ipmon.out &

and post /tmp/ipmon.out here.

The idea is to find out which traffic is getting
blocked that is creating the problem here.

Also, post the output of
# ipf -V
and, ofcourse, the HP-UX version.

- Biswajit

Re: IPFilter disenables my services?

Biswajit Tripathy — Thu, 06 Jan 2005 03:57:51 GMT

Oops... and one more thing.
Along with the "ipmon" logfile, post the output of the
following command :

# ipfstat -ioh

- Biswajit

Re: IPFilter disenables my services?

SeaMark_1 — Thu, 06 Jan 2005 06:08:30 GMT

hi, thanks for replys.

When I remsh,log show:
=======================
Jan 6 19:03:11 xkbqd07 ipmon[409]: 19:03:10.263747 lan0 @0:47 b 210.76.128.36,1021 -> 210.76.128.37,1023 PR tcp len 20 48 -AS
IN
Jan 6 19:03:33 xkbqd07 ipmon[409]: 19:03:33.173761 lan0 @0:47 b 210.76.128.36,1021 -> 210.76.128.37,1023 PR tcp len 20 48 -AS
IN

When I NFS,log show:
=======================
Jan 6 19:04:20 xkbqd07 ipmon[409]: 19:04:20.523790 lan0 @0:47 b 210.76.128.36,58229 -> 210.76.128.37,54030 PR udp len 20 52
IN
Jan 6 19:04:35 xkbqd07 ipmon[409]: 19:04:35.523799 lan0 @0:47 b 210.76.128.36,58229 -> 210.76.128.37,54031 PR udp len 20 60
IN

I think, NFS&remsh all need more handshaking session and I just miss something, don't I ?

Re: IPFilter disenables my services?

SeaMark_1 — Thu, 06 Jan 2005 08:52:47 GMT

After I changed "pass out all" to "pass out proto tcp/udp all keep state", I can mount a NFS filesystem on it and remsh a remshd server.

But manipulation in reverse direction is N/A.
The server can't BE mounted by others clinets using NFS. Remsh, too.
:-)

Re: IPFilter disenables my services?

Steven E. Protter — Thu, 06 Jan 2005 09:02:49 GMT

Your last configuration has your firewall doing you very little good.

NFS needs to use a random higher port number so its nearly impossible to get working through the ipfilter firewall. I recall that Version 4 of NFS might actually deal with that issue.

Also rlogin and remesh are not secure services. They transmit authentication in clear text.

You could get this working in a secure fashion by migrationg to Secure Shell.

Then you open up port 22 and you have less chance of your root password getting intercepted.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

As far as the actual configuration goes, I would do the following:

Start over.

Block everything and then only open up he specific ports you need to do this work.

These files are read top to bottom.

If you block everything at the top and then want to allow certain ports to pass through they won't. You need to specify the ports you are allowing first.

The quandry is you are tyring to use a security tool to allow access to the least secure services on Unix.

sEP

Re: IPFilter disenables my services?

Biswajit Tripathy — Thu, 06 Jan 2005 13:51:06 GMT

> After I changed "pass out all" to "pass out
> proto tcp/udp all keep state", I can mount
> a NFS filesystem on it and remsh a remshd
> server.

If you are going to change "pass out all" to
"pass out proto tcp/udp all keep state", you
don't need any of the other out-going rules
as this single rule can allow all the outgoing traffic (if that's what you want
to do).

As Steve already said, NFS uses random high
port numbers, so you have a problem there.
Only solution to this would be to determine
which machines are trusted enough to be
granted NFS access and add "quick" rules
to the top of your rule lists to allow all
access (IN and OUT) to these machines.

I would probably start over again, write all
the "quick" rules at the top (as rule scan
is from top to bottom, "quick" rules at top
saves time).

Finally, there is no point using rules for
loopback interface as IPFilter is a streams
modules between IP and DLPI and the loopback
traffic typically does not go below IP
(unless it is configured to do so).

- Biswajit

Re: IPFilter disenables my services?

SeaMark_1 — Thu, 06 Jan 2005 22:30:51 GMT

Hi, Thanks in the first place.

You two are right !

I ought to reconsider the whole security policy and configuration of IPFilter.

:-)

Re: IPFilter disenables my services?

Biswajit Tripathy — Thu, 06 Jan 2005 22:46:19 GMT

Don't forget to read these first, if you have not
done so already:

http://www.docs.hp.com/en/B9901-90021/index.html

- Biswajit