Hewlett Packard Enterprise Community
Help
cancel
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

IPFilter block all the traffic

sistemas unix_1
Advisor
‎01-10-2006 10:56 PM
‎01-10-2006 10:56 PM

IPFilter block all the traffic

Hello and good morning

The first thing, sorry for my poor english (I am spanish).
Now the problem that have me crazy.

root@admorum:/> uname -a
HP-UX admorum B.11.11 U 9000/800 526726591 unlimited-user license

root@admorum:/> uptime
11:31am up 2 hrs, 2 users, load average: 0.94, 1.13, 1.48

top
-----
Memory: 1009696K (672316K) real, 1927116K (1538036K) virtual, 32588K free
----

Everything ok, the box run very well, the problem is when I install IPFilter.
With the following rules the firewall go ok.

------------------------------------
pass in quick on lan0 proto tcp from any to admorum/32 port = 22 keep state
block in quick on lan0 proto tcp from any to admorum/32 port = 23
pass in quick on lan0 proto tcp from 10.2.2.2/32 to admorum/32 port = 25 keep state
pass out quick on lan0 proto udp from any to any port = 53 keep state
...

-----------------------------------

The firewall block the ports and pass the rules perfect.
The problem is when I add the following rules at the end of file:
------------------------
block in on lan0 all
block out on lan0 all
------------------------
(Too do the same, if I add only one rule at the end of file, as much "block in ..."
as "block out ...")

Then, ipfilter block all the ports(traffic inbound and outbound), even all connections stablished.
I have to enter by lan console and desactive the firewall (ipf -Fa).

I look into logs and does not appear nothing interesting.

I think that the box have all the patches installed correctly (I have installed ipfilter
in other box and work fine ) and I am lose with this subject.


In conclusion, I cann't block the remaining ports as much inbound as outbound. :(


Any help will be appreciated.

Cheers and regards.
0 Kudos
Reply
7 REPLIES 7
Peter Godron
Honored Contributor
‎01-11-2006 12:09 AM
‎01-11-2006 12:09 AM

Re: IPFilter block all the traffic

Message contains a hyperlink
Hi,
have read the documents at:
http://www.docs.hp.com/en/B9901-90021/index.html
I would go back to the start and disable one port at a time and re-test each step.
0 Kudos
Reply
sistemas unix_1
Advisor
‎01-11-2006 12:18 AM
‎01-11-2006 12:18 AM

Re: IPFilter block all the traffic

[root@akira root]# hping -S -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): S set, 40 headers + 0 data bytes

--- admorum hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@akira root]# hping -A -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): A set, 40 headers + 0 data bytes
len=46 ip=192.168.X.X ttl=64 id=27196 sport=22 flags=RA seq=0 win=512 rtt=45.6 ms

--- admorum hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 45.6/45.6/45.6 ms

[root@akira root]# hping -X -c 1 admorum -p 22
HPING admorum (eth0 192.168.X.X): X set, 40 headers + 0 data bytes
len=46 ip=192.168.X.X ttl=64 id=10344 sport=22 flags=RAX seq=0 win=512 rtt=34.8 ms

--- admorum hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 34.8/34.8/34.8 ms


ipfstat -io let me see alright all rules.
ipfstat -sl

--------------------------------------------

10.240.X.X -> 192.168.X.X ttl 32576 pass 0x500a pr 6 state 2/0
pkts 1 bytes 60 2083 -> 22 c5b4b48a:0 5840:5840
cmsk 0000 smsk 0000 isc 0000000000000000 s0 0/0
sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
pass in quick keep state IPv4
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in lan0[00000000429f1600] out -[0000000000000000]


--------------------------------------------

I tried adding the flag S and I recivied the same:
pass in quick on lan0 proto tcp from any to admorum/32 port = 22 flags S keep state

Looks like, that happens something rare with Syn.

Cheers
0 Kudos
Reply
sistemas unix_1
Advisor
‎01-12-2006 05:31 AM
‎01-12-2006 05:31 AM

Re: IPFilter block all the traffic

I have resolved this subject.
The Syns was accepted but no return Syn/Ack was sent.In ipmon -a, can saw the STATE:NEW for the packet and the logs teach me that the connection have been passed.

The problem was in this two rules:
----------
block in all
block out all
----------

Finally I have proven with this equals rules and everything is allright:
----------------------
block in on lan0 from any to admorum/32 port > 1
block out on lan0 from admorum/32 to any port > 1
----------------------

I think seriously that it is a bug of ipfilter (its seems be a alpha).


Cheers
0 Kudos
Reply
John Payne_2
Honored Contributor
‎01-12-2006 08:32 AM
‎01-12-2006 08:32 AM

Re: IPFilter block all the traffic

IPFilter reads rules top to bottom. In my rules, the "block in all" rule is at the beginning of the file, followed by exceptions.

For example, the rules:

block in all
block in all
block in all
block in all
pass in all

Makes it so all traffic is passed in.

The 'quick' statement tells IPFilter to immediately process that rule if it applies.

I do not know why you would get to your origonal last 2 rules because you have the 'quick' setting earlier in the file.

Are you running a current version of IPFilter? Current is A.03.05.12.

Help it helps

John
Spoon!!!!
0 Kudos
Reply
Steven E. Protter
Exalted Contributor
‎01-12-2006 10:04 AM
‎01-12-2006 10:04 AM

Re: IPFilter block all the traffic

Shalom,

1) Your English as a second language is WAY better than my Hebrew as a second language.

2) Ipfilter process rules top to bottom. Your last rules are overriding your first rules. The best idea is to put those block everything rules on top so that the later rules create acceptionts. This limits access very nicely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
sistemas unix_1
Advisor
‎01-12-2006 10:27 PM
‎01-12-2006 10:27 PM

Re: IPFilter block all the traffic

Hello


root@admorum:/root> ipf -V
ipf: HP IP Filter: v3.5alpha5 (A.03.05.12) (400)
Kernel: HP IP Filter: v3.5alpha5 (A.03.05.12)
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1


The following list are the patches that I have applied to the box:

PHKL_25728
PHKL_29708
PHKL_30032
PHKL_30033
PHKL_30035
PHKL_30036
PHKL_25389
PHKL_30516
PHKL_25729
PHKL_30034
PHKL_30036
PHKL_25233
PHKL_31091
PHKL_27094
PHKL_27093
PHKL_29696
PHKL_24253
PHKL_24254
PHKL_24255
PHKL_24256
PHKL_33408
PHKL_29704
PHNE_25084
PHNE_31091
PHNE_25388
PHNE_31091
PHNE_33159
PHNE_33628
PHCO_30275


Cheers and thanks you.
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor
‎01-13-2006 12:33 AM
‎01-13-2006 12:33 AM

Re: IPFilter block all the traffic

The block in all can't override a pass in quick, unless it's in effect first.

I remember I had to extend the flags quite a bit like flags F/SRA or something - I can't look it up for Your as my hp9000's boot disk failed and I have no time for replacing it.

yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Reply