HPE Community
Operating System - HP-UX
1829101 Members
2295 Online
109986 Solutions
New Discussion

ipf, ssh and gateway problem

 
F. X. de Montgolfier
Valued Contributor

‎07-17-2003 07:27 AM

‎07-17-2003 07:27 AM

ipf, ssh and gateway problem

Hi,

I have a hp-up 11.11 box, with SSH and IPF installed.

When IP filtering is disabled, everything works fine.
When connecting a laptop directly to the lan interface, everything works fine.


Our box is directly connected to a router, which uses two nodes, IP XXX.XXX.XXX.124 and XXX.XXX.XXX.125, with a shared virtual IP of XXX.XXX.XXX.126 (I don't remember the addresses by heart). The virtual address is the default route gateway.When launching IP filtering and trying to connect from beyond the gateway of the default route, no SSH connexion is possible.

a relevant excerpt of the ipf.conf file is attached. Can anybody tell me what mistake was done on the config file, or, alternatively, what patch to use to solve the problem?

For info, here is the result of swlist on my box:
# swlist
# Initializing...
# Contacting target "XXXXX"...
#
# Target: XXXXX:/
#

#
# Bundle(s):
#

B2491BA B.11.11 MirrorDisk/UX
B5725AA B.4.3.94 HP-UX Installation Utilities (Ignite-UX)
B9901AA A.03.05.05 HP IPFilter 3.5alpha5
BUNDLE11i B.11.11.0102.2 Required Patch Bundle for HP-UX 11i, February 2001
Base-VXVM B.03.50.5 Base VERITAS Volume Manager Bundle 3.5 for HP-UX
CDE-English B.11.11 English CDE Environment
FDDI-00 B.11.11.02 PCI FDDI;Supptd HW=A3739A/A3739B;SW=J3626AA
FEATURE11-11 B.11.11.0209.5 Feature Enablement Patches for HP-UX 11i, Sept 2002
FibrChanl-00 B.11.11.09 PCI/HSC FibreChannel;Supptd HW=A6684A,A6685A,A5158A,A6795A
GOLDAPPS11i B.11.11.0212.4 Gold Applications Patches for HP-UX 11i, December 2002
GOLDBASE11i B.11.11.0212.4 Gold Base Patches for HP-UX 11i, December 2002
GigEther-00 B.11.11.14 PCI/HSC GigEther;Supptd HW=A4926A/A4929A/A4924A/A4925A;SW=J1642AA
GigEther-01 B.11.11.07 PCI GigEther;Supptd HW=A6794A/A6825A/A6847A
HPUX11i-OE B.11.11.0303 HP-UX 11i Operating Environment Component
HPUXBase64 B.11.11 HP-UX 64-bit Base OS
HPUXBaseAux B.11.11.0303 HP-UX Base OS Auxiliary
HWEnable11i B.11.11.0303.4 Hardware Enablement Patches for HP-UX 11i, March 2003
IEther-00 B.11.11.03 PCI Ethernet;Supptd HW=A6974A
OnlineDiag B.11.11.10.11 HPUX 11.11 Support Tools Bundle, Mar 2003
RAID-00 B.11.11.01 PCI RAID; Supptd HW=A5856A
T1471AA A.03.50.000 HP-UX Secure Shell
perl B.5.6.1.C Perl Programming Language
#
# Product(s) not contained in a Bundle:
#

PHNE_25642 1.0 cumulative ARPA Transport patch
#

Cheers,

FiX
0 Kudos
Reply
9 REPLIES 9
Tyler Easterling
Advisor

‎07-18-2003 09:34 AM

‎07-18-2003 09:34 AM

Re: ipf, ssh and gateway problem

Hi FiX,

This does seem odd, it appears to me that the ssh rules are valid. Just a note, on HP-UX you don't need the loopback rules.

It would be helpful to see the log entries for blocked packets in the syslog under "ipmon". You might also log the block out rule for debugging purposes.

Also, as a debugging technique run:
# ipfstat -hio
This command should tell you which rule in your ruleset is actually blocking request.

Tyler
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎07-18-2003 09:37 AM

‎07-18-2003 09:37 AM

Re: ipf, ssh and gateway problem

Frist thing you need to do is determine the cause of the problem.

Shut down IPF and re-test.

If the problem goes away, you're sure its an IPF rules issue and can concentrate your efforts there.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-19-2003 04:24 PM

‎07-19-2003 04:24 PM

Re: ipf, ssh and gateway problem

Hi,

I am more familiar with iptables than with ipfilter used by HP-UX but I believe the sequencing of rules should follow the same.

In your filter inbound rules, you have a default block everything rule before your SSH access rules. When these rules are stepped through, the block rule will take precedence since it is checked first. Thus, you should shift the block rule all the way below right to the end after your SSH access rules as well as other inbound access rules.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
F. X. de Montgolfier
Valued Contributor

‎07-21-2003 01:12 AM

‎07-21-2003 01:12 AM

Re: ipf, ssh and gateway problem

Hi and thanks for the answers,

the problem was in fact due to the outbound rules: we blocked all outgoing traffic per default, and the blocking was far too wide. By copying the inbound rules as outbound rules, we managed to get access.

FiX
0 Kudos
Reply
George Otepka
Occasional Advisor

‎07-28-2003 05:08 AM

‎07-28-2003 05:08 AM

Re: ipf, ssh and gateway problem

I have the similar configuration
but after instalation IP Filter v3.5alpha5
from B99011AA.depot ver A.03.05.07
on the HPUX B.11.11
ipmon do not log
to the /var/adm/syslog/syslog.log
the rule is:
block in log level auth.info all

after reboot ipmon is not worked.
after /sbin/init.d/ipfboot stop and then start
ipmon is worked.
the ipfilter seems to be working but no loggin

did you have some problems with ipf???
or help me? I am doing some mistake and
cannot see where

Thank you otepka

otepka@utb.cz
0 Kudos
Reply
F. X. de Montgolfier
Valued Contributor

‎07-29-2003 06:45 AM

‎07-29-2003 06:45 AM

Re: ipf, ssh and gateway problem

Otepka,

you seem to have a newer version than I do: my version is A.03.05.05, and you say you have A.03.05.07. Your problem may be version-specific.

Howver, although I am not a security specialist and did not try to set Level blocking, are you sure that your rule is correct?
You say: "block in log level auth.info all"
I was under the impression that it should be "block in log level auth.info info on all"
Are you sure that you can dispense from giving the interface name?

Hope this helps,

FiX
0 Kudos
Reply
George Otepka
Occasional Advisor

‎07-30-2003 09:46 PM

‎07-30-2003 09:46 PM

Re: ipf, ssh and gateway problem

F.X. de Montgolfier,

as I can see You are using IP Filter
ver. A.03.05.05 withouth problems.
One question?=
after reboot the machine the ipmon is working?
or are you usually start it by hand???
Please would You be so kind if it is possible? and send me
the /sbin/init.d/ipfboot
and /sbin/init.d/pfilboot
and /opt/ipf/bin/ipmon

to my e-mail: otepka@utb.cz

It seems to be the ipmon -sD is not work properly in ver. A.03.05.07?

Thank You very much
George
0 Kudos
Reply
George Otepka
Occasional Advisor

‎07-30-2003 09:47 PM

‎07-30-2003 09:47 PM

Re: ipf, ssh and gateway problem

F.X. de Montgolfier,

as I can see You are using IP Filter
ver. A.03.05.05 withouth problems.
One question?=
after reboot the machine the ipmon is working?
or are you usually start it by hand???
Please would You be so kind if it is possible? and send me
the /sbin/init.d/ipfboot
and /sbin/init.d/pfilboot
and /opt/ipf/bin/ipmon

to my e-mail: otepka@utb.cz

It seems to be the ipmon -sD is not work properly in ver. A.03.05.07?

Thank You very much
George
0 Kudos
Reply
George Otepka
Occasional Advisor

‎07-30-2003 09:48 PM

‎07-30-2003 09:48 PM

Re: ipf, ssh and gateway problem

F.X. de Montgolfier,

as I can see You are using IP Filter
ver. A.03.05.05 withouth problems.
One question?=
after reboot the machine the ipmon is working?
or are you usually start it by hand???
Please would You be so kind if it is possible? and send me
the /sbin/init.d/ipfboot
and /sbin/init.d/pfilboot
and /opt/ipf/bin/ipmon

to my e-mail: otepka@utb.cz

It seems to be the ipmon -sD is not work properly in ver. A.03.05.07?

Thank You very much
George
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.