topic NIC and Bastille problem in Operating System - HP-UX

NIC and Bastille problem

Francisco Díaz — Fri, 18 Mar 2005 12:03:20 GMT

Hi everyone. I have a problem very strangeful in my server. The NIC Cards (lan0 and lan1) don't work since I do install Bastille app in MANDMZ Mode (Managed DMZ config). Initially Bastille block all ports non-secure. First I logging on the server with ssh but at next day the ssh connection its down. The problem it's not the network cable, and it's not the switch port. I think it's the bastille configuration applied on the server, but I don't know how to comprobe this....

Anyone can help me??

Thanks in advanced.
Regards

Re: NIC and Bastille problem

Steven E. Protter — Fri, 18 Mar 2005 12:15:00 GMT

/sbin/init.d/ipfboot stop

Try connecting agan.

If it works, this proves that the setup of the ipfilter firewall is causing the problem.

Then look at the ipf.conf configuration to make changes to allow desired protocols through.

The configuration file is very English language like.

SEP

Re: NIC and Bastille problem

Biswajit Tripathy — Fri, 18 Mar 2005 13:39:40 GMT

Steven wrote:
> /sbin/init.d/ipfboot stop
> Try connecting agan.

Well, you don't have to go to that extreme :-)
Just run :
# /sbin/ipfstat -ioh

The output would tell you if there are any block rules
configured by IPFilter and if that rule is actually
blocking any traffic. You could post that output here
if you have problem interpreting (with IP addresses
censored, ofcourse).

- Biswajit

Re: NIC and Bastille problem

Francisco Díaz — Fri, 18 Mar 2005 13:43:56 GMT

Here is the output for the /sbin/ipfstat -ioh...

Can anyone help me??

Re: NIC and Bastille problem

Biswajit Tripathy — Fri, 18 Mar 2005 13:56:01 GMT

It appears to me that you ran "/sbin/ipfstat -ioh"
AFTER running "/sbin/init.d/ipfboot stop". If that's
what you did, the "ipfstat -ioh" output is useless.

Since you have already unloaded IPFilter, does your
system work fine now?

- Biswajit

Re: NIC and Bastille problem

Francisco Díaz — Fri, 18 Mar 2005 14:03:15 GMT

The /sbin/ipfstat -ioh run with the IPFilter service active.
The system without the IPFilter service dÃ³nÂ´t work.

The Ambiental temperature affect the lan interfaces of the system?? The air conditioned of the lab room its off for ten years

I have two ethernet connections and nothing of these work....

Franci

Re: NIC and Bastille problem

Biswajit Tripathy — Fri, 18 Mar 2005 14:35:03 GMT

Francisco wrote:
> The /sbin/ipfstat -ioh run with the IPFilter service
> active.

That's a little odd. Since all the rules (in ipfstat -ioh)
output has 0 at the left, this means IPFilter is not
seeing any traffic (in or out) at all. One thing is clear
though; your problem is not related to IPFilter.

- Biswajit

Re: NIC and Bastille problem

Francisco Díaz — Fri, 18 Mar 2005 17:00:54 GMT

Guys, the problem is bastille configuration... But these is not good for me, because I need to configure Bastille in a DMZ, with allow the ports 443/tcp (incoming), 22/tcp (incoming), 5555/tcp (incoming), 10000/tcp (incoming), 80/tcp (incoming), 20/tcp (outcoming), 21/tcp (outcoming), 53/tcp (outcoming), 2984/tcp (incoming), 2985/udp (incoming) and 514/udp (outcoming)....

Anyone can I help to configure bastille??

When I try to configure bastille manually in a text interface, appear a Error associated with "Curses.pm".

Where I can ger this library??

Thanks in advanced...

Francisco

Re: NIC and Bastille problem

Biswajit Tripathy — Fri, 18 Mar 2005 17:19:32 GMT

Francisco wrote:
> ..with allow the ports 443/tcp (incoming), 22/tcp
> (incoming), 5555/tcp (incoming), 10000/tcp
> (incoming), 80/tcp (incoming), 20/tcp
> (outcoming), 21/tcp (outcoming), 53/tcp
> (outcoming), 2984/tcp (incoming), 2985/udp
> (incoming) and 514/udp (outcoming)....

Add following rules at the TOP of
/etc/opf/ipf/ipf.conf file:

pass in quick proto tcp from any to any port = 443 flags S keep state keep frags
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick proto tcp from any to any port = 5555 flags S keep state keep frags
pass in quick proto tcp from any to any port = 10000 flags S keep state keep frags
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags
pass out quick proto tcp from any to any port = 20 flags S keep state keep frags
pass out quick proto tcp from any to any port = 21 flags S keep state keep frags
pass out quick proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick proto tcp from any to any port = 2984 flags S keep state keep frags
pass in quick proto udp from any to any port = 2985
pass out quick proto udp from any port = 2985 to any
pass out quick proto udp from any to any port = 514
pass in quick proto udp from any port = 514 to any

WARNING : Test before use. Understand each rule
and make sure that's what you want to do. I have
not tried them, so there might be syntax errors in
them. Each rule should be in one line.

- Biswajit

Re: NIC and Bastille problem

Biswajit Tripathy — Fri, 18 Mar 2005 17:26:11 GMT

One more thing.
After you add the above rules to /etc/opt/ipf/ipf.conf
file, reload the IPFilter configuration by executing
following command:

# /sbin/ipf -Fa -f /etc/opt/ipf/ipf.conf

- Biswajit

Re: NIC and Bastille problem

Robert Fritz — Mon, 21 Mar 2005 12:43:44 GMT

Hi Fransico, I'm sorry you're having trouble.

The best description of the DMZ level is found here:
http://www.docs.hp.com/en/5990-6728/index.html

The ManDMZ level blocks all incoming except for a few protocols, as you saw in your ipfstat -ioh output. If you'd like a level that doesn't block traffic, that's the "host" level.

Re: Curses interface. That is only supported on Linux, not HP-UX. That's why you won't find the library. Bastille uses the X11 GUI, though you can create a configuration on a separate host if you don't can't run an x-window from the locked down system(with --os ) See bastille(1m) for details. The resulting configuration goes to /etc/opt/sec_mgmt/bastille/config That can be copied to the target system. This off-host configuration is rarely necessary for single-system configuration as ssh tunnels x-traffic quite nicely.

Biswajit gave a great rundown on how to add the ports you want to ipfilter. I'd add those to: /etc/opt/sec_mgmt/bastille/ipf.customrules, since that's the file bastille uses to add custom rules to ipfilter's configuration file. That way your ipf.conf changes won't get overwritten the next time you run bastille -b.

As you'd mentioned MANDMZ blocks most inbound ports. I *would* expect you to be able to ssh *from* the locked-down system in all cases.

The one behavior you mentioned that did surprise me was you'd said you can't log in with ssh.

Assuming for the moment that ipfilter and your ssh are running fine, here are the MANDMZ settings that might prevent login (or ftp), depending on security issues present on your system:

# Q: Do not allow logins unless the home directory exists
# Q: Should non-root users be disallowed from logging in if /etc/nologin exists?
# Q: Would you like to disallow ftpd system account logins?

Note that to remove Bastille's configuration automatically, use bastille -r. You can then reapply a configuration or create a custom one. To avoid confusion, we made sure Bastille only tightened a system when "-r" isn't used.

Hope that helped,
-Robert