topic Re: Simple rules for ipfilter in Operating System - HP-UX

Simple rules for ipfilter

Fedon Kadifeli — Wed, 16 Aug 2006 03:53:02 GMT

I recently installed ipfilter to an HP-UX 11.00 box. The latest version is "A.03.05.12 HP IPFilter 3.5alpha5"; what does the string "alpha5" mean? Is this an alpha version?

I simply want to restrict accesses made on some port (everything else should run as if ipfilter is not present). This TCP port should be accessed from only one host and every (successful or not) connection attempt should be logged.

Which is the most efficient ruleset to do this?

I tried the following:

block in log proto tcp from any to any port = 23 flags S/SA
pass in log proto tcp from 10.16.66.13/32 to any port = 23 flags S/SA

Is this enough? Do you have anyhing to comment on these two lines?

Re: Simple rules for ipfilter

Fedon Kadifeli — Thu, 17 Aug 2006 01:04:15 GMT

Any comments?

Re: Simple rules for ipfilter

Steven E. Protter — Thu, 17 Aug 2006 01:20:14 GMT

Shalom,

Normally alpha5 means pre-beta.

It does not in this case as I used this release for some months and got production quality service out of it.

Your code blocks all telnet except from the network/ip combination in the line listed right below.

I don't know what the flags mean, nor do I think they are needed.

SEP

Re: Simple rules for ipfilter

Peter Sedivy — Wed, 23 Aug 2006 15:30:26 GMT

Hi,

> block in log proto tcp from any to any port = 23 flags S/SA
you are going to BLOCK and LOG all INcoming traffic regardless on interface, over TCP protocol FROM ANY machine (even from your local network) TO ANY machine (if this box is router, or any local ip) on PORT 23, which is telnet service
> pass in log proto tcp from 10.16.66.13/32 to any port = 23 flags S/SA
here you are going to accept telnet traffic from one machine (10.16.66.13) to telnet port
flags, this is more complicated, you need to know basics from tcp proto communication.
S means SYN
SA is SYN+ACK
it has to do with statement filtering

Finally these two ruleset are not definitively enough. You didn't specify what to do with outgoing traffic.

Try to add this lines
------------------------
### lo0 - loopback
## allow all on loopback
##
pass in on lo0 all
pass out on lo0 all
#
pass in quick proto tcp from any to any port = 23 flags S keep state
block in log proto tcp from any to any port = 23

pass out quick on fxp0 proto tcp from any to any keep state
-----------------------
please remember, this rules are just about tcp protocol ...... so it is not enough to run ipfilter.

May be it will be G.O.O.D. idea to read this article.
http://www.obfuscation.org/ipf/ipf-howto.txt

Re: Simple rules for ipfilter

Fedon Kadifeli — Thu, 24 Aug 2006 09:32:26 GMT

Thank you Peter for the article you pointed to.

Reading the article I modified the rules somehow:

block return-rst in log proto tcp from any to any port = 23
pass in log proto tcp from 10.16.66.13/32 to any port = 23 flags S keep state keep frags

This is almost the same as my previous ruleset, and it works similarly.

However, I noticed something which I missed before.

Although this and my previous ruleset allows telnet connections from 10.16.66.13 only and no telnet from elsewhere, there is an important exception! Doing telnet from withing host (either using the machine's IP address or using "telnet localhost") is allowed!!! I tried to block this by adding other rules like:

block in log proto tcp/udp from 10.16.16.28/32 to 10.16.16.28/32

(here 10.16.16.28 is the address of the local machine), but I didn't succeed. I started to think that this is a bug in ipfilter!!!

My requirements are very simple:

* Allow telnet from 10.16.66.13 to 10.16.16.28
* Do NOT allow telnet from any other IP to 10.16.16.28
* Do NOT even allow telnet from the same host (10.16.16.28) to 10.16.16.28 (or 127.0.0.1)
* Everything else is allowed.

Is this so difficult to do?

Re: Simple rules for ipfilter

Peter Sedivy — Thu, 24 Aug 2006 10:39:49 GMT

Hello

hmmm, I think it will be f****g difficult, because:
any connection to your own IP or loopback address is done by kernel loopback and not via interface. so, IPFilter has nothing to do with this.

BTW, i don't understand why do you want to block your own connection...

Sincerely

Re: Simple rules for ipfilter

Fedon Kadifeli — Fri, 25 Aug 2006 05:43:56 GMT

Yes. You are right. Ipfilter does not seem to work on the loopback interface or on local connections made to the lan interface.

For example consider the following ruleset:

# ipfstat -io
block out log quick proto tcp from any to any port = 23
block in log quick proto tcp from any to any port = 23

Telnet to another host and telnet from another host is blocked. However telnet to the same host like:

telnet 10.16.2.107
and
telnet 127.0.0.1

is accepted!

# netstat -na | grep 23 | grep ESTA
tcp 0 0 10.16.2.107.64858 10.16.2.107.23 ESTABLISHED
tcp 0 0 127.0.0.1.64868 127.0.0.1.23 ESTABLISHED
tcp 0 0 10.16.2.107.23 10.16.2.107.64858 ESTABLISHED
tcp 0 0 127.0.0.1.23 127.0.0.1.64868 ESTABLISHED

Why I need to block local connections?

Assume there is a service on port 1234 which should only be accessed from a specific host (=IP). However the host running the service for 1234 is a host that allows terminal logins (telnet, ssh etc.). A logged-in user can run a program that will map local port 1234 to another port (5678) and access that
port from outside. The user does not have to run a special program; using the ssh "port forwarding" feature he/she can do this very easily!