ipf stopped working on 5.3

John Fitzgerald jjfitzgerald at gmail.com
Wed Oct 26 10:01:21 PDT 2005 

Hi Ray,

Here's a cleaned up version of ipf.rules:

#--------------------------------------------------------------------------
# block nasty packets
#--------------------------------------------------------------------------
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr

#--------------------------------------------------------------------------
# loopback packets left alone
#--------------------------------------------------------------------------
pass in log quick on lo0 all
pass out log quick on lo0 all

#--------------------------------------------------------------------------
# 100 incoming bge0
# 150 outgoing bge0
#--------------------------------------------------------------------------
block in log on bge0 all head 10
block in log on bge0 all head 100
block out log on bge0 all head 150

#--------------------------------------------------------------------------
# allow all traffic to 80 and 443
#--------------------------------------------------------------------------
pass in log quick proto tcp from any to any port = 80 flags S/SA keep state
pass in log quick proto tcp from any to any port = 443 flags S/SA keep state

#--------------------------------------------------------------------------
# allow only traffic from known hosts to localhost:ssh
#--------------------------------------------------------------------------
pass in log quick proto tcp from MY_FIRST_HOST to any port = 22 flags S/SA
keep state
pass in log quick proto tcp from MY_SECOND_HOST to any port = 22 flags S/SA
keep state

#--------------------------------------------------------------------------
# allow outgoing keystrokes and syslog to logger
#--------------------------------------------------------------------------
pass out log quick proto udp from any to MY_LOGGER port = 514 group 150

#--------------------------------------------------------------------------
# block all other outgoing traffic
#--------------------------------------------------------------------------
block out log quick from any to any group 100

#--------------------------------------------------------------------------
# block all
#--------------------------------------------------------------------------
block in log quick on bge0 all

The group 10 is for my script to block ip's on the fly. I think someone from
the FreeBSD Diary wrote a script that I use when attacks come in. I suppose
I could use 100 for that, but I just used 10 to separate and I think that's
what the example used. Probably not the best ipf.rules but it (seemed) to
work.

JJ


On 10/26/05, ray at redshift.com <ray at redshift.com> wrote:
>
> At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
> | I've had ipf working on a few 5.3 servers for quite awhile. Not too long
> ago
> | some developers had to do some coding work and were coming from dynamic
> | IP's. I (reluctantly) opened up SSH to the world. Immediately I started
> | seeing the attacks where bots of some sort would try to break in with a
> | variety of different users.
> |
> | So, I (thought) I closed it up again and told the developers to use a
> | dedicated proxy. They did, but I realized that I hadn't actually closed
> | things off. I was still getting attacked. I had tried, but ipf suddenly
> | wasn't working. Whenever I would change the firewall rules and ipf -D
> and
> | the ipf -E -f /etc/my.rules it would simply return:
> |
> | 1:ioctl(add/insert rule): No such process
> |
> | I didn't have the time to look into it at the time, but am now trying to
> | figure it out. Ipf is obviously not working and I don't know why. I have
> | tried recompiling the kernel a myriad of different ways. With/without
> ipfw,
> | with/without ipsec, etc. All to no avail. Is this a bug, did I get
> hacked?
> |
> | I have googled this quite a bit and the only thing that I found was
> possibly
> | a buildworld scenario where something got updated and it doesn't work
> now. I
> | didn't install src so I'm a bit out of luck on that one.
> |
> | FreeBSD 5.3-RELEASE
> | OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
> |
>
> usually that means you are trying to run it without being root, or you
> have a
> rule that doesn't belong to a group/head.
>
> I ran into something else once that caused that, but now I can't remember
> it.
> Feel free to send your ipf.rules if it's not to sensitive.
>
> Ray
>
>

More information about the freebsd-security mailing list