
NIC and Bastille problem

 
Francisco Díaz
Occasional Advisor

NIC and Bastille problem

Hi everyone. I have a very strange problem on my server. The NIC cards (lan0 and lan1) have not worked since I installed the Bastille app in MANDMZ mode (Managed DMZ config). Initially Bastille blocks all non-secure ports. At first I logged into the server with ssh, but the next day the ssh connection was down. The problem is not the network cable, and it's not the switch port. I think it's the Bastille configuration applied on the server, but I don't know how to verify this....

Can anyone help me?

Thanks in advance.
Regards
Steven E. Protter
Exalted Contributor

Re: NIC and Bastille problem

/sbin/init.d/ipfboot stop

Try connecting again.

If it works, this proves that the setup of the ipfilter firewall is causing the problem.

Then look at the ipf.conf configuration to make changes to allow desired protocols through.

The configuration file reads very much like plain English.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Biswajit Tripathy
Honored Contributor

Re: NIC and Bastille problem

Steven wrote:
> /sbin/init.d/ipfboot stop
> Try connecting again.

Well, you don't have to go to that extreme :-)
Just run :
# /sbin/ipfstat -ioh

The output would tell you if there are any block rules
configured by IPFilter and if that rule is actually
blocking any traffic. You could post that output here
if you have problems interpreting it (with IP addresses
censored, of course).

- Biswajit
:-)
Francisco Díaz
Occasional Advisor

Re: NIC and Bastille problem

Here is the output of /sbin/ipfstat -ioh...

Can anyone help me?

Biswajit Tripathy
Honored Contributor

Re: NIC and Bastille problem

It appears to me that you ran "/sbin/ipfstat -ioh"
AFTER running "/sbin/init.d/ipfboot stop". If that's
what you did, the "ipfstat -ioh" output is useless.

Since you have already unloaded IPFilter, does your
system work fine now?

- Biswajit
:-)
Francisco Díaz
Occasional Advisor

Re: NIC and Bastille problem

The /sbin/ipfstat -ioh was run with the IPFilter service active.
The system without the IPFilter service doesn't work.

Does the ambient temperature affect the LAN interfaces of the system? The air conditioning in the lab room has been off for ten years.

I have two Ethernet connections and neither of them works....

Franci
Biswajit Tripathy
Honored Contributor

Re: NIC and Bastille problem

Francisco wrote:
> The /sbin/ipfstat -ioh run with the IPFilter service
> active.

That's a little odd. Since all the rules in the ipfstat -ioh
output have 0 at the left, this means IPFilter is not
seeing any traffic (in or out) at all. One thing is clear
though: your problem is not related to IPFilter.

- Biswajit

:-)
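An added example, not code from the thread: a small Python checker that applies the reasoning Biswajit uses above to the hit counters printed by ipfstat -ioh. A block rule with a nonzero counter is actively dropping packets; a pass rule with hits means traffic is flowing; all-zero counters mean the filter is not seeing packets at all, so the fault is below IPFilter (driver, link, cabling). The sample output lines are constructed for illustration, and the assumption that ipfstat prints the counter as the first field of each rule line is mine; adjust the regular expression if your release lays the columns out differently.

```python
import re
from dataclasses import dataclass, field

# One rule line from `ipfstat -ioh`: a hit counter, then the rule text.
# Layout assumption: counter first, then "pass"/"block", then "in"/"out".
RULE_RE = re.compile(r"^\s*(\d+)\s+(pass|block)\s+(in|out)\b(.*)$")


@dataclass
class Rule:
    hits: int
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    text: str        # rule as written, without the counter


@dataclass
class Verdict:
    status: str              # "no-traffic", "blocking" or "passing"
    total_hits: int
    blocked_hits: int
    blocking_rules: list = field(default_factory=list)


def parse_ipfstat(output):
    """Return the Rule entries found in ipfstat -ioh output; other lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, blank lines, group markers
        hits, action, direction, rest = m.groups()
        rules.append(Rule(int(hits), action, direction, f"{action} {direction}{rest}"))
    return rules


def diagnose(rules):
    """Classify the counters the way the thread does: no traffic, blocked, or passing."""
    total = sum(r.hits for r in rules)
    blockers = [r for r in rules if r.action == "block" and r.hits > 0]
    blocked = sum(r.hits for r in blockers)
    if total == 0:
        status = "no-traffic"   # IPFilter never saw a packet: look below the filter
    elif blocked > 0:
        status = "blocking"     # a block rule is matching: fix ipf.conf
    else:
        status = "passing"
    return Verdict(status, total, blocked, [r.text for r in blockers])


# Constructed sample outputs (not captured from a real system).
SAMPLE_IDLE = """\
0 pass out quick all
0 pass in quick proto tcp from any to any port = 22 flags S keep state
0 block in log quick all
"""

SAMPLE_BLOCKED = """\
41 pass out quick all
0 pass in quick proto tcp from any to any port = 22 flags S keep state
17 block in log quick all
"""

if __name__ == "__main__":
    for name, sample in (("idle", SAMPLE_IDLE), ("blocked", SAMPLE_BLOCKED)):
        v = diagnose(parse_ipfstat(sample))
        print(f"{name}: {v.status}, total={v.total_hits}, blocked={v.blocked_hits}")
        for text in v.blocking_rules:
            print("  dropping:", text)
```

Run it against the real output with something like `ipfstat -ioh | python3 check.py` after replacing the sample with `sys.stdin.read()`; the "no-traffic" verdict is exactly the all-zeros case Biswajit points out, and "blocking" names the rules to relax.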
Francisco Díaz
Occasional Advisor

Re: NIC and Bastille problem

Guys, the problem is the Bastille configuration... But this is not good for me, because I need to configure Bastille in a DMZ, allowing the ports 443/tcp (incoming), 22/tcp (incoming), 5555/tcp (incoming), 10000/tcp (incoming), 80/tcp (incoming), 20/tcp (outgoing), 21/tcp (outgoing), 53/tcp (outgoing), 2984/tcp (incoming), 2985/udp (incoming) and 514/udp (outgoing)....

Can anyone help me configure Bastille?

When I try to configure Bastille manually in a text interface, an error associated with "Curses.pm" appears.

Where can I get this library?

Thanks in advance...

Francisco
Biswajit Tripathy
Honored Contributor

Re: NIC and Bastille problem

Francisco wrote:
> ..allowing the ports 443/tcp (incoming), 22/tcp
> (incoming), 5555/tcp (incoming), 10000/tcp
> (incoming), 80/tcp (incoming), 20/tcp
> (outgoing), 21/tcp (outgoing), 53/tcp
> (outgoing), 2984/tcp (incoming), 2985/udp
> (incoming) and 514/udp (outgoing)....

Add the following rules at the TOP of the
/etc/opt/ipf/ipf.conf file:

# Inbound TCP services offered by this host (stateful: only the SYN must match)
pass in quick proto tcp from any to any port = 443 flags S keep state keep frags
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick proto tcp from any to any port = 5555 flags S keep state keep frags
pass in quick proto tcp from any to any port = 10000 flags S keep state keep frags
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags
# Outbound TCP connections initiated by this host
pass out quick proto tcp from any to any port = 20 flags S keep state keep frags
pass out quick proto tcp from any to any port = 21 flags S keep state keep frags
pass out quick proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick proto tcp from any to any port = 2984 flags S keep state keep frags
# UDP without keep state: the reply direction has to be allowed explicitly
pass in quick proto udp from any to any port = 2985
pass out quick proto udp from any port = 2985 to any
pass out quick proto udp from any to any port = 514
pass in quick proto udp from any port = 514 to any

WARNING : Test before use. Understand each rule
and make sure that's what you want to do. I have
not tried them, so there might be syntax errors in
them. Each rule should be in one line.

- Biswajit
:-)
Biswajit Tripathy
Honored Contributor

Re: NIC and Bastille problem

One more thing.
After you add the above rules to the /etc/opt/ipf/ipf.conf
file, reload the IPFilter configuration by executing the
following command:

# /sbin/ipf -Fa -f /etc/opt/ipf/ipf.conf

- Biswajit
:-)
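As an added example (my own code, not part of the thread or of Bastille/IPFilter), here is a Python generator that turns a port list like Francisco's into ipf.conf pass rules following the pattern in Biswajit's reply: stateful "flags S keep state keep frags" for TCP, and for UDP either the stateless in/out pair he wrote or, optionally, a single "keep state" rule. The stateless pair carries a caveat worth seeing spelled out: the reverse rule admits any inbound datagram whose source port is the service port, whether or not this host sent anything first. The names generate_rules and FRANCISCO_SPEC are mine; the output is meant to be pasted into whichever rules file you maintain, and then loaded with the ipf -Fa -f command above.

```python
"""Generate IPFilter (ipf.conf) pass rules from a required-port list.

Added example for the thread above; not Bastille or IPFilter code.
Each spec entry is (port, proto, direction): "in" for a service this
host offers, "out" for a connection this host initiates.
"""

TCP_TAIL = "flags S keep state keep frags"


def tcp_rule(port, direction):
    """Stateful TCP: only the SYN must match; replies ride on the state entry."""
    return f"pass {direction} quick proto tcp from any to any port = {port} {TCP_TAIL}"


def udp_rules(port, direction, stateful):
    """UDP rule(s) for one port.

    stateful=False reproduces the stateless pair from the thread: the reply
    direction is opened explicitly, which admits *any* datagram whose source
    port equals `port`, regardless of whether this host sent anything first.
    stateful=True emits a single 'keep state' rule instead.
    """
    base = f"pass {direction} quick proto udp from any to any port = {port}"
    if stateful:
        return [base + " keep state"]
    reverse = "out" if direction == "in" else "in"
    return [base, f"pass {reverse} quick proto udp from any port = {port} to any"]


def generate_rules(spec, stateful_udp=False):
    """Return the ipf.conf lines for `spec`, in spec order."""
    rules = []
    for port, proto, direction in spec:
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction {direction!r} for port {port}")
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r}")
        if proto == "tcp":
            rules.append(tcp_rule(port, direction))
        elif proto == "udp":
            rules.extend(udp_rules(port, direction, stateful_udp))
        else:
            raise ValueError(f"unsupported protocol {proto!r}")
    return rules


# The port list Francisco posted, as (port, proto, direction).
FRANCISCO_SPEC = [
    (443, "tcp", "in"), (22, "tcp", "in"), (5555, "tcp", "in"),
    (10000, "tcp", "in"), (80, "tcp", "in"), (20, "tcp", "out"),
    (21, "tcp", "out"), (53, "tcp", "out"), (2984, "tcp", "in"),
    (2985, "udp", "in"), (514, "udp", "out"),
]

if __name__ == "__main__":
    for line in generate_rules(FRANCISCO_SPEC):
        print(line)
```

With stateful_udp=False the output is the thirteen lines from Biswajit's reply, in the same order; with stateful_udp=True the two UDP pairs collapse to one "keep state" rule each and the wide-open reverse rules disappear. Keep the "quick" keyword: Bastille's own block rules follow in the file, and "quick" stops evaluation at the first matching pass.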
Robert Fritz
Regular Advisor

Re: NIC and Bastille problem

Hi Francisco, I'm sorry you're having trouble.

The best description of the DMZ level is found here:
http://www.docs.hp.com/en/5990-6728/index.html

The ManDMZ level blocks all incoming except for a few protocols, as you saw in your ipfstat -ioh output. If you'd like a level that doesn't block traffic, that's the "host" level.

Re: Curses interface. That is only supported on Linux, not HP-UX. That's why you won't find the library. Bastille uses the X11 GUI, though you can create a configuration on a separate host if you can't run an X window from the locked-down system (with --os). See bastille(1m) for details. The resulting configuration goes to /etc/opt/sec_mgmt/bastille/config, which can be copied to the target system. This off-host configuration is rarely necessary for single-system configuration, as ssh tunnels X traffic quite nicely.

Biswajit gave a great rundown on how to add the ports you want to IPFilter. I'd add those to /etc/opt/sec_mgmt/bastille/ipf.customrules, since that's the file Bastille uses to add custom rules to IPFilter's configuration file. That way your ipf.conf changes won't get overwritten the next time you run bastille -b.

As you mentioned, MANDMZ blocks most inbound ports. I *would* expect you to be able to ssh *from* the locked-down system in all cases.

The one behavior you mentioned that did surprise me was that you said you can't log in with ssh.

Assuming for the moment that ipfilter and your ssh are running fine, here are the MANDMZ settings that might prevent login (or ftp), depending on security issues present on your system:

# Q: Do not allow logins unless the home directory exists
# Q: Should non-root users be disallowed from logging in if /etc/nologin exists?
# Q: Would you like to disallow ftpd system account logins?

Note that to remove Bastille's configuration automatically, use bastille -r. You can then reapply a configuration or create a custom one. To avoid confusion, we made sure Bastille only tightened a system when "-r" isn't used.

Hope that helped,
-Robert
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin