topic Re: IPFilter block all the traffic in Operating System - HP-UX

IPFilter block all the traffic

sistemas unix_1 — Wed, 11 Jan 2006 06:56:14 GMT

Hello and good morning

The first thing, sorry for my poor english (I am spanish).
Now the problem that have me crazy.

root@admorum:/> uname -a
HP-UX admorum B.11.11 U 9000/800 526726591 unlimited-user license

root@admorum:/> uptime
11:31am up 2 hrs, 2 users, load average: 0.94, 1.13, 1.48

top
-----
Memory: 1009696K (672316K) real, 1927116K (1538036K) virtual, 32588K free
----

Everything ok, the box run very well, the problem is when I install IPFilter.
With the following rules the firewall go ok.

------------------------------------
pass in quick on lan0 proto tcp from any to admorum/32 port = 22 keep state
block in quick on lan0 proto tcp from any to admorum/32 port = 23
pass in quick on lan0 proto tcp from 10.2.2.2/32 to admorum/32 port = 25 keep state
pass out quick on lan0 proto udp from any to any port = 53 keep state
...

-----------------------------------

The firewall block the ports and pass the rules perfect.
The problem is when I add the following rules at the end of file:
------------------------
block in on lan0 all
block out on lan0 all
------------------------
(Too do the same, if I add only one rule at the end of file, as much "block in ..."
as "block out ...")

Then, ipfilter block all the ports(traffic inbound and outbound), even all connections stablished.
I have to enter by lan console and desactive the firewall (ipf -Fa).

I look into logs and does not appear nothing interesting.

I think that the box have all the patches installed correctly (I have installed ipfilter
in other box and work fine ) and I am lose with this subject.

In conclusion, I cann't block the remaining ports as much inbound as outbound. :(

Any help will be appreciated.

Cheers and regards.

Re: IPFilter block all the traffic

Peter Godron — Wed, 11 Jan 2006 08:09:36 GMT

Hi,
have read the documents at:
http://www.docs.hp.com/en/B9901-90021/index.html
I would go back to the start and disable one port at a time and re-test each step.

Re: IPFilter block all the traffic

sistemas unix_1 — Wed, 11 Jan 2006 08:18:40 GMT

[root@akira root]# hping -S -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): S set, 40 headers + 0 data bytes

--- admorum hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@akira root]# hping -A -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): A set, 40 headers + 0 data bytes
len=46 ip=192.168.X.X ttl=64 id=27196 sport=22 flags=RA seq=0 win=512 rtt=45.6 ms

--- admorum hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 45.6/45.6/45.6 ms

[root@akira root]# hping -X -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): X set, 40 headers + 0 data bytes
len=46 ip=192.168.X.X ttl=64 id=10344 sport=22 flags=RAX seq=0 win=512 rtt=34.8 ms

--- admorum hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 34.8/34.8/34.8 ms

ipfstat -io let me see alright all rules.
ipfstat -sl

--------------------------------------------

10.240.X.X -> 192.168.X.X ttl 32576 pass 0x500a pr 6 state 2/0
pkts 1 bytes 60 2083 -> 22 c5b4b48a:0 5840:5840
cmsk 0000 smsk 0000 isc 0000000000000000 s0 0/0
sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lan0[00000000429f1600] out -[0000000000000000]

--------------------------------------------

I tried adding the flag S and I recivied the same:
pass in quick on lan0 proto tcp from any to admorum/32 port = 22 flags S keep state

Looks like, that happens something rare with Syn.

Cheers

Re: IPFilter block all the traffic

sistemas unix_1 — Thu, 12 Jan 2006 13:31:14 GMT

I have resolved this subject.
The Syns was accepted but no return Syn/Ack was sent.In ipmon -a, can saw the STATE:NEW for the packet and the logs teach me that the connection have been passed.

The problem was in this two rules:
----------
block in all
block out all
----------

Finally I have proven with this equals rules and everything is allright:
----------------------
block in on lan0 from any to admorum/32 port > 1
block out on lan0 from admorum/32 to any port > 1
----------------------

I think seriously that it is a bug of ipfilter (its seems be a alpha).

Cheers

Re: IPFilter block all the traffic

John Payne_2 — Thu, 12 Jan 2006 16:32:58 GMT

IPFilter reads rules top to bottom. In my rules, the "block in all" rule is at the beginning of the file, followed by exceptions.

For example, the rules:

block in all
block in all
block in all
block in all
pass in all

Makes it so all traffic is passed in.

The 'quick' statement tells IPFilter to immediately process that rule if it applies.

I do not know why you would get to your origonal last 2 rules because you have the 'quick' setting earlier in the file.

Are you running a current version of IPFilter? Current is A.03.05.12.

Help it helps

John

Re: IPFilter block all the traffic

Steven E. Protter — Thu, 12 Jan 2006 18:04:25 GMT

Shalom,

1) Your English as a second language is WAY better than my Hebrew as a second language.

2) Ipfilter process rules top to bottom. Your last rules are overriding your first rules. The best idea is to put those block everything rules on top so that the later rules create acceptionts. This limits access very nicely.

SEP

Re: IPFilter block all the traffic

sistemas unix_1 — Fri, 13 Jan 2006 06:27:47 GMT

Hello

root@admorum:/root> ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.03.05.12) (400)
Kernel: HP IP Filter: v3.5alpha5 (A.03.05.12)
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

The following list are the patches that I have applied to the box:

PHKL_25728
PHKL_29708
PHKL_30032
PHKL_30033
PHKL_30035
PHKL_30036
PHKL_25389
PHKL_30516
PHKL_25729
PHKL_30034
PHKL_30036
PHKL_25233
PHKL_31091
PHKL_27094
PHKL_27093
PHKL_29696
PHKL_24253
PHKL_24254
PHKL_24255
PHKL_24256
PHKL_33408
PHKL_29704
PHNE_25084
PHNE_31091
PHNE_25388
PHNE_31091
PHNE_33159
PHNE_33628
PHCO_30275

Cheers and thanks you.

Re: IPFilter block all the traffic

Florian Heigl (new acc) — Fri, 13 Jan 2006 08:33:17 GMT

The block in all can't override a pass in quick, unless it's in effect first.

I remember I had to extend the flags quite a bit like flags F/SRA or something - I can't look it up for Your as my hp9000's boot disk failed and I have no time for replacing it.