topic Re: ipf, ssh and gateway problem in Operating System - HP-UX

ipf, ssh and gateway problem

F. X. de Montgolfier — Thu, 17 Jul 2003 14:27:18 GMT

Hi,

I have a hp-up 11.11 box, with SSH and IPF installed.

When IP filtering is disabled, everything works fine.
When connecting a laptop directly to the lan interface, everything works fine.

Our box is directly connected to a router, which uses two nodes, IP XXX.XXX.XXX.124 and XXX.XXX.XXX.125, with a shared virtual IP of XXX.XXX.XXX.126 (I don't remember the addresses by heart). The virtual address is the default route gateway.When launching IP filtering and trying to connect from beyond the gateway of the default route, no SSH connexion is possible.

a relevant excerpt of the ipf.conf file is attached. Can anybody tell me what mistake was done on the config file, or, alternatively, what patch to use to solve the problem?

For info, here is the result of swlist on my box:
# swlist
# Initializing...
# Contacting target "XXXXX"...
#
# Target: XXXXX:/
#

#
# Bundle(s):
#

B2491BA B.11.11 MirrorDisk/UX
B5725AA B.4.3.94 HP-UX Installation Utilities (Ignite-UX)
B9901AA A.03.05.05 HP IPFilter 3.5alpha5
BUNDLE11i B.11.11.0102.2 Required Patch Bundle for HP-UX 11i, February 2001
Base-VXVM B.03.50.5 Base VERITAS Volume Manager Bundle 3.5 for HP-UX
CDE-English B.11.11 English CDE Environment
FDDI-00 B.11.11.02 PCI FDDI;Supptd HW=A3739A/A3739B;SW=J3626AA
FEATURE11-11 B.11.11.0209.5 Feature Enablement Patches for HP-UX 11i, Sept 2002
FibrChanl-00 B.11.11.09 PCI/HSC FibreChannel;Supptd HW=A6684A,A6685A,A5158A,A6795A
GOLDAPPS11i B.11.11.0212.4 Gold Applications Patches for HP-UX 11i, December 2002
GOLDBASE11i B.11.11.0212.4 Gold Base Patches for HP-UX 11i, December 2002
GigEther-00 B.11.11.14 PCI/HSC GigEther;Supptd HW=A4926A/A4929A/A4924A/A4925A;SW=J1642AA
GigEther-01 B.11.11.07 PCI GigEther;Supptd HW=A6794A/A6825A/A6847A
HPUX11i-OE B.11.11.0303 HP-UX 11i Operating Environment Component
HPUXBase64 B.11.11 HP-UX 64-bit Base OS
HPUXBaseAux B.11.11.0303 HP-UX Base OS Auxiliary
HWEnable11i B.11.11.0303.4 Hardware Enablement Patches for HP-UX 11i, March 2003
IEther-00 B.11.11.03 PCI Ethernet;Supptd HW=A6974A
OnlineDiag B.11.11.10.11 HPUX 11.11 Support Tools Bundle, Mar 2003
RAID-00 B.11.11.01 PCI RAID; Supptd HW=A5856A
T1471AA A.03.50.000 HP-UX Secure Shell
perl B.5.6.1.C Perl Programming Language
#
# Product(s) not contained in a Bundle:
#

PHNE_25642 1.0 cumulative ARPA Transport patch
#

Cheers,

FiX

Re: ipf, ssh and gateway problem

Tyler Easterling — Fri, 18 Jul 2003 16:34:59 GMT

Hi FiX,

This does seem odd, it appears to me that the ssh rules are valid. Just a note, on HP-UX you don't need the loopback rules.

It would be helpful to see the log entries for blocked packets in the syslog under "ipmon". You might also log the block out rule for debugging purposes.

Also, as a debugging technique run:
# ipfstat -hio
This command should tell you which rule in your ruleset is actually blocking request.

Tyler

Re: ipf, ssh and gateway problem

Steven E. Protter — Fri, 18 Jul 2003 16:37:38 GMT

Frist thing you need to do is determine the cause of the problem.

Shut down IPF and re-test.

If the problem goes away, you're sure its an IPF rules issue and can concentrate your efforts there.

SEP

Re: ipf, ssh and gateway problem

Steven Sim Kok Leong — Sat, 19 Jul 2003 23:24:03 GMT

Hi,

I am more familiar with iptables than with ipfilter used by HP-UX but I believe the sequencing of rules should follow the same.

In your filter inbound rules, you have a default block everything rule before your SSH access rules. When these rules are stepped through, the block rule will take precedence since it is checked first. Thus, you should shift the block rule all the way below right to the end after your SSH access rules as well as other inbound access rules.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: ipf, ssh and gateway problem

F. X. de Montgolfier — Mon, 21 Jul 2003 08:12:43 GMT

Hi and thanks for the answers,

the problem was in fact due to the outbound rules: we blocked all outgoing traffic per default, and the blocking was far too wide. By copying the inbound rules as outbound rules, we managed to get access.

FiX

Re: ipf, ssh and gateway problem

George Otepka — Mon, 28 Jul 2003 12:08:41 GMT

I have the similar configuration
but after instalation IP Filter v3.5alpha5
from B99011AA.depot ver A.03.05.07
on the HPUX B.11.11
ipmon do not log
to the /var/adm/syslog/syslog.log
the rule is:
block in log level auth.info all

after reboot ipmon is not worked.
after /sbin/init.d/ipfboot stop and then start
ipmon is worked.
the ipfilter seems to be working but no loggin

did you have some problems with ipf???
or help me? I am doing some mistake and
cannot see where

Thank you otepka

otepka@utb.cz

Re: ipf, ssh and gateway problem

F. X. de Montgolfier — Tue, 29 Jul 2003 13:45:54 GMT

Otepka,

you seem to have a newer version than I do: my version is A.03.05.05, and you say you have A.03.05.07. Your problem may be version-specific.

Howver, although I am not a security specialist and did not try to set Level blocking, are you sure that your rule is correct?
You say: "block in log level auth.info all"
I was under the impression that it should be "block in log level auth.info info on all"
Are you sure that you can dispense from giving the interface name?

Hope this helps,

FiX

Re: ipf, ssh and gateway problem

George Otepka — Thu, 31 Jul 2003 04:46:07 GMT

F.X. de Montgolfier,

as I can see You are using IP Filter
ver. A.03.05.05 withouth problems.
One question?=
after reboot the machine the ipmon is working?
or are you usually start it by hand???
Please would You be so kind if it is possible? and send me
the /sbin/init.d/ipfboot
and /sbin/init.d/pfilboot
and /opt/ipf/bin/ipmon

to my e-mail: otepka@utb.cz

It seems to be the ipmon -sD is not work properly in ver. A.03.05.07?

Thank You very much
George

Re: ipf, ssh and gateway problem

George Otepka — Thu, 31 Jul 2003 04:47:23 GMT

Re: ipf, ssh and gateway problem

George Otepka — Thu, 31 Jul 2003 04:48:05 GMT