Greetings list!

I've got a strange problem with my new FreeBSD box. I've just installed IPFilter and recompiled the kernel to 4.9-PRERELEASE. (I compiled with options: IPFILTER, IPFILTER_LOG, IPFILTER_BLOCK_DEFAULT (IPFILTER_DEFAULT_BLOCK??))

My problem is when I'm scanning the FreeBSD box with nmap (from a WinXP machine), I get reports about ports that are open:

(The 1647 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
82/tcp   open  xfer
83/tcp   open  mit-ml-dev
110/tcp  open  pop-3
119/tcp  open  nntp
1080/tcp open  socks
5190/tcp open  aol
8080/tcp open  http-proxy

My /etc/ipf.rules looks like this:

block in all
pass in quick on lo0 all
pass out quick on lo0 all

Here's my pkg_info too:

apache+mod_ssl-1.3.28+2.8.15_1
bash-2.05b.007
cvsup-without-gui-16.1h
expat-1.95.6_1
gettext-0.12.1
gmake-3.80_1
gnuls-4.1
libgnugetopt-1.2
libiconv-1.9.1_1
libtool-1.3.5_1
lynx-ssl-2.8.4.1d
mm-1.3.0
nmap-3.30
noip-1.6
pcre-4.3
pkgconfig-0.15.0
portupgrade-20030723
postfix-2.0.15,1
postgresql-7.3.4_1
proftpd-1.2.8
ruby-1.6.8.2003.04.19
ruby-bdb1-0.2.1
ruby-rdoc-0.0.0.b2
ruby-shim-ruby18-1.8.0.p2.2003.04.19_1
vim-lite-6.2.72

regards
Toan

_________________________________________________________________
Download the new MSN Messenger 6.0 for free http://www.msn.no/computing/messenger - The fastest way between you and your friends
On Monday 22 September 2003 01:12 pm, Toan Hoang wrote:
> Greetings list!
>
> I've got a strange problem with my new FreeBSD box.
>
> I've just installed IPFilter and recompiled the kernel to
> 4.9-PRERELEASE. (I compiled with options: IPFILTER, IPFILTER_LOG,
> IPFILTER_BLOCK_DEFAULT (IPFILTER_DEFAULT_BLOCK??))

It's IPFILTER_DEFAULT_BLOCK.

less /usr/src/sys/i386/conf/LINT | grep IPFILTER

That will list out the kernel options with IPFILTER in the line.

> My problem is when I'm scanning the FreeBSD box with nmap (from a
> WinXP machine), I get reports about ports that are open:
>
> (The 1647 ports scanned but not shown below are in state: filtered)
> PORT     STATE SERVICE
> 25/tcp   open  smtp
> 80/tcp   open  http
> 81/tcp   open  hosts2-ns
> 82/tcp   open  xfer
> 83/tcp   open  mit-ml-dev
> 110/tcp  open  pop-3
> 119/tcp  open  nntp
> 1080/tcp open  socks
> 5190/tcp open  aol
> 8080/tcp open  http-proxy
>
> My /etc/ipf.rules looks like this:
>
> block in all
> pass in quick on lo0 all
> pass out quick on lo0 all

Unless the box will not connect with anything, you'll want to at the very least add

pass out all on dc0 keep state

So you can connect to outside stuff. Replace dc0 with your ethernet interface.

You didn't mention rc.conf

ipfilter_enable="YES"
ipmon_enable="YES"

at the very least. You might look at the other ipf options in /etc/defaults/rc.conf.

-Mark
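For readers following this exchange, here is a complete minimal /etc/ipf.rules for a single host that applies the advice above: default deny in both directions, loopback trusted, and a stateful outbound rule so the box can reach the outside. It is an added example, not Toan's file or Mark's, and it assumes dc0 is the Ethernet interface and that HTTP on port 80 is the only service exposed; the `flags S/SA keep state` form is the one the thread's own ipfstat output uses.

```conf
# Added example: minimal default-deny ipf.rules for a single host.
# dc0 stands for the box's Ethernet interface; replace it with yours.

# Default deny in both directions; everything that should pass is listed below.
block in all
block out all

# The loopback interface is trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# Let the box itself reach the outside. "keep state" records each outbound
# connection, so the replies come back in without a separate "pass in" rule.
pass out quick on dc0 proto tcp from any to any flags S/SA keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state

# Services this box offers. Only a plain SYN may open a new session;
# the state entry then carries the rest of the connection.
pass in quick on dc0 proto tcp from any to any port = 80 flags S/SA keep state

# Anything else arriving on dc0 is logged, so ipmon shows what was dropped.
block in log quick on dc0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and confirm what the kernel actually holds with `ipfstat -io`; the loaded rules, not the file, are what a scan is testing against.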
>From: Mark Woodson <mwoodson@sricrm.com>
>But you had IPFILTER_BLOCK_DEFAULT listed, so you'll need to replace
>it with IPFILTER_DEFAULT_BLOCK and recompile.

All done, just a typing error since I'm using the Windows machine to write email.

>If you don't have another box sitting behind that box (it's not a
>gateway machine) then you do not need ipnat_enable. There's no point
>in doing network address translation for a single box.

Removed ipnat_enable for now (this is gonna be a gateway/server box).

>Yes. You had the wrong configuration bit in your kernel.

Actually not, I just typed wrong.

>A question I should have asked. You compiled and installed your
>kernel correct? Rebooted after that?

Copied GENERIC to my own, did

/usr/sbin/config -g FIREWALL
cd ../../compile/FIREWALL
make depend
make
make install

Is that correct? I've since updated from 4.8-STABLE to 4.9-PRERELEASE.

>To see the rules that are currently loaded for the input side:
>ipfstat -i

block in quick on fxp0 from 0.0.0.0/32 to any
block in quick on fxp0 from 255.255.255.255/32 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in on fxp0 proto tcp from any to any flags S/SA
block in from any to any
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto udp from x.x.x.x/32 to any port = 68 keep state
block return-rst in log quick on fxp0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp from any to any
block in log quick on fxp0 from any to any
block in quick on dc0 from any to any
pass in quick on lo0 from any to any

>For the output side
>ipfstat -o

block out on fxp0 proto tcp from any to any flags SA/SA
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
block out quick on fxp0 from any to any
block out quick on dc0 from any to any
pass out quick on lo0 from any to any

With nmap -v -sS [ip] I get

(The 1656 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http

Nmap run completed -- 1 IP address (1 host up) scanned in 1.781 seconds

With nmap -v -sT [ip] I get

(The 1647 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
82/tcp   open  xfer
83/tcp   open  mit-ml-dev
110/tcp  open  pop-3
119/tcp  open  nntp
1080/tcp open  socks
5190/tcp open  aol
8080/tcp open  http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 430.313 seconds

Any ideas??

regards
Toan
>From: Mark Woodson <mwoodson@sricrm.com>
>It's IPFILTER_DEFAULT_BLOCK.
>
>less /usr/src/sys/i386/conf/LINT | grep IPFILTER
>
>That will list out the kernel options with IPFILTER in the line.

Yes, seems ok there...

>Unless the box will not connect with anything, you'll want to at the
>very least add
>
>pass out all on dc0 keep state

Added that line, changed it to fxp0, and added

pass in quick on fxp0 proto udp from x.x.x.x/32 to any port = 38 keep state

>
>You didn't mention rc.conf
>
>ipfilter_enable="YES"
>ipmon_enable="YES"

Yes, got that enabled and also got:

ipmon_flags="-Dsvn"
ipnat_enable="YES"

But does anybody know why I get reports that so many ports are open when I scan my FreeBSD box with Nmap?????

Toan