ipfw passing packets past deny rule?
Dean (dean@thegrid.net)
Sat, 11 Sep 1999 01:13:05 -0700
Hello. I am running ipfw/natd on a 486 75MHz.
wormhole:/home/king-> uname -a
FreeBSD wormhole 3.2-RELEASE FreeBSD 3.2-RELEASE #2: Fri Aug 20 19:54:03 GMT 1999 root@remus.denofslack.net:/usr/src/sys/compile/WORMHOLE i386
I've got a pretty simple ruleset. Today, I saw this in my security check:
wormhole denied packets:
> 10000 1113 84640 deny log ip from any to any
> 65535 1 328 deny ip from any to any
This looks to me like one 328 byte packet got by rule 10000. Is this the case?
My complete ruleset is as follows:
00010 allow ip from any to any via lo0
00020 deny log ip from any to 127.0.0.0/8
00030 divert 8668 ip from any to any via ed0
00080 deny log ip from any to any ipopt ssrr,lsrr
00090 deny log ip from 10.0.0.0/8 to any in recv ed0
00100 allow tcp from any to any established
00200 allow ip from any to any via ed1
00300 allow ip from any to any via ed2
00400 allow ip from any to any out xmit ed0
00500 allow udp from any 53 to any 1024-65535 in recv ed0
00600 allow log tcp from any 1024-65535 to any 113 setup
00700 allow log tcp from any 1024-65535 to <my ip> 21 setup
00800 allow log tcp from any 1024-65535 to <my ip> 22 setup
00900 allow log tcp from any 1024-65535 to <my ip> 23 setup
01100 allow log tcp from any 20 to any 1024-65535 setup
01200 allow udp from 63.192.96.2 123 to <my ip> 123 in recv ed0
01300 allow udp from any 1024-65535 to 10.0.1.1 1024-65535
01400 allow icmp from any to any icmptype 0,3,4,11,12,14,16,18
01500 allow udp from any 53 to 10.0.1.1 137 in recv ed0
10000 deny log ip from any to any
65535 deny ip from any to any
Thank you for your help. If anyone sees any glaring holes in this, please
don't be shy.
-Dean
-------------------------------------------------------------------------------
Staccato signals of constant information.
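An added check, not from Dean's message or from the ipfw project itself, that parses `ipfw -a list` style counter output and flags the condition the post describes: hits on ipfw's built-in rule 65535 while an explicit catch-all deny sits above it. The two deny lines are the ones quoted above; every other counter in the sample is constructed.

```python
import re
from typing import Dict, List

# Constructed sample in `ipfw -a list` format: rule, packets, bytes, action, body.
# Rules 10000 and 65535 carry the counters quoted in the post; the rest are made up.
SAMPLE = """\
00010 5120 402233 allow ip from any to any via lo0
00020 0 0 deny log ip from any to 127.0.0.0/8
00100 88412 61033921 allow tcp from any to any established
00500 2210 310449 allow udp from any 53 to any 1024-65535 in recv ed0
01400 0 0 allow icmp from any to any icmptype 0,3,4,11,12,14,16,18
10000 1113 84640 deny log ip from any to any
65535 1 328 deny ip from any to any
"""

LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
DEFAULT_RULE = 65535  # ipfw's built-in last rule; reached only when nothing above matched


def parse_counters(text: str) -> List[Dict]:
    """Parse `ipfw -a list` output (a leading '> ' quote marker is tolerated)."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip().lstrip(">").strip())
        if m:
            num, pkts, nbytes, action, body = m.groups()
            rules.append({"rule": int(num), "packets": int(pkts), "bytes": int(nbytes),
                          "action": action, "body": body})
    return rules


def audit(rules: List[Dict]) -> Dict:
    """Report default-rule hits shadowed by a catch-all deny, plus rules that never matched.

    A non-zero count on 65535 with an explicit 'deny ip from any to any' above it means
    the packet was evaluated while that rule was not installed; a common cause is traffic
    arriving during boot or a flush-and-reload of the ruleset, so it deserves a look.
    """
    catch_all = next((r["rule"] for r in rules
                      if r["action"] == "deny" and r["rule"] != DEFAULT_RULE
                      and r["body"].replace("log ", "") == "ip from any to any"), None)
    default = next((r for r in rules if r["rule"] == DEFAULT_RULE), None)
    leaked = default["packets"] if default else 0
    return {
        "catch_all": catch_all,
        "leaked_to_default": leaked,
        "needs_review": catch_all is not None and leaked > 0,
        "unused": [r["rule"] for r in rules if r["packets"] == 0 and r["rule"] != DEFAULT_RULE],
    }
```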
This archive was generated by hypermail 2.0b3 on Sat Sep 11 1999 - 03:11:52 CDT