
List:       ipfilter
Subject:    System crash with ipfilter??!
From:       Sasha Romanosky <Sasha.Romanosky () TELUS ! COM>
Date:       1997-08-25 21:58:31


Hi,

I've been testing out IP Filter 3.1.11 on two of our machines (Sun Solaris 2.5.1, a Sparc 4 and an Ultra 1), and I've been quite impressed with the performance of the application.

Recently, however, I was testing the configs for the two machines and loosening the rules to allow NFS between them. Things were going along wonderfully until, when I started ipfboot, it halted and rebooted the Sparc 4. Thinking this might be unique to the Sparc 4, I stopped the filter on the Ultra 1 and restarted it. It crashed, too!

I'm at a loss. Does anyone have any ideas?

Enclosed are the configs for the NFS client (Sparc 4) and the NFS server (Ultra 1).

CLIENT:
#
# block fragments
block in quick proto tcp all with short
# 
# WWW, SMTP, POP, NNTP
pass in quick on le0 proto tcp from any to any port = 80
pass in quick on le0 proto tcp from any to any port = 25
pass in quick on le0 proto tcp from any to any port = 110
pass in quick on le0 proto tcp from any to any port = 119
#
# SSH 
pass in quick on le0 proto tcp from 172.***.***.0/22 to any port = 22
pass in quick on le0 proto tcp from 207.***.***.0/24 to any port = 22
#pass in quick on le0 proto tcp from 205.***.***.0/23 to any port = 22
#
# FTP Server Control & Data
# (19 >< 22 is an exclusive range: it matches ports 20 and 21 only)
pass in quick on le0 proto tcp from 207.***.***.0/24 to any port 19 >< 22
pass in quick on le0 proto tcp from 172.***.***.0/22 to any port 19 >< 22
#
# NFS from ATOMBOB
pass in quick on le0 proto udp from atombob to any port 700 >< 900
#
# DNS, NTP, SNMP, Syslog
pass in quick on le0 proto tcp/udp from any to any port = 53
pass in quick on le0 proto tcp/udp from any to any port = 123
pass in quick on le0 proto udp from 207.***.***.0/24 to any port = 161
pass in quick on le0 proto udp from 172.***.***.*** to any port = 514
##
# This is to stop session establishments into this system
#
# block any attempted new tcp sessions (and allow sessions in progress - try !!)
# flags S/SA: of the SYN and ACK bits only SYN is set, i.e. a new connection attempt
block return-icmp(3) in quick on le0 proto tcp from any to any flags S/SA
pass in quick on le0 proto tcp from any to any
#
# allow return for all TCP sessions
pass out quick on le0 proto tcp from any to any
#
# allow return traffic for udp session and stop the rest
pass in quick on le0 proto udp from any to any port > 1023
block return-icmp(3) in quick on le0 proto udp all
#
# allow return for all UDP sessions
pass out quick on le0 proto udp all
#
# PING, TRACEROUTE
pass in quick on le0 proto icmp from any to any icmp-type echo
pass in quick on le0 proto icmp from any to any icmp-type echorep
block return-icmp(3) in quick on le0 proto icmp all
pass out quick on le0 proto icmp all
#
block return-icmp(3) in quick on le0 all



SERVER:

# Revision 1.24
#
# FOR NFS SERVER
#
# block fragments
#
block in quick proto tcp all with short
#
# WWW, SMTP, POP, NNTP
pass in quick on hme0 proto tcp from any to any port = 80
pass in quick on hme0 proto tcp from any to any port = 25
pass in quick on hme0 proto tcp from any to any port = 110
pass in quick on hme0 proto tcp from any to any port = 119
#
# SSH
pass in quick on hme0 proto tcp from 172.***.***.0/22 to any port = 22
pass in quick on hme0 proto tcp from 207.***.***.0/24 to any port = 22
pass in quick on hme0 proto tcp from 205.***.***.0/23 to any port = 22
#
# FTP Server Control & Data
pass in quick on hme0 proto tcp from 207.***.***.0/24 to any port 19 >< 22
pass in quick on hme0 proto tcp from 172.***.***.0/22 to any port 19 >< 22
#
# NFS on ATOMBOB
# (nfsd on 2049, rpcbind/portmap on 111)
pass in quick on hme0 proto tcp/udp from 205.***.***.0/23 to any port = 2049
pass in quick on hme0 proto udp from 205.***.***.0/23 to any port = 111
pass in quick on hme0 proto tcp/udp from 172.***.***.0/22 to any port = 2049
pass in quick on hme0 proto udp from 172.***.***.0/22 to any port = 111
#
# DNS, NTP, SNMP, Syslog
pass in quick on hme0 proto tcp/udp from any to any port = 53
pass in quick on hme0 proto tcp/udp from any to any port = 123
pass in quick on hme0 proto udp from 207.***.***.0/24 to any port = 161
pass in quick on hme0 proto udp from 205.***.***.0/23 to any port = 514
pass in quick on hme0 proto udp from 172.***.***.0/22 to any port = 514
##
# This is to stop session establishments into this system
#
# block any attempted new tcp sessions (and allow sessions in progress - try !!)
block return-icmp(3) in quick on hme0 proto tcp from any to any flags S/SA
pass in quick on hme0 proto tcp from any to any
#
# allow return for all TCP sessions
pass out quick on hme0 proto tcp from any to any
#
# allow return traffic for udp session and stop the rest
pass in quick on hme0 proto udp from any to any port > 1023
block return-icmp(3) in quick on hme0 proto udp all
#
# allow return for all UDP sessions
pass out quick on hme0 proto udp all
#
# allow PING and Traceroute
#
pass in quick on hme0 proto icmp from any to any icmp-type echo
pass in quick on hme0 proto icmp from any to any icmp-type echorep
block return-icmp(3) in quick on hme0 proto icmp all
pass out quick on hme0 proto icmp all
#
block return-icmp(3) in quick on hme0 all

Sasha Romanosky
Digerati Literati
TELUS Advanced Communications
  sasha.romanosky@telus.com 403.543.2083
   PGP public key @ www.tac.telus.com/keys
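Both rule sets above take the same approach to inbound traffic: block TCP segments with flags S/SA (SYN set, ACK clear), pass every other inbound TCP segment, and pass all inbound UDP to ports above 1023 before blocking the rest; the client set also refers to the NFS server by hostname (atombob), which ipf has to resolve when the rules are loaded. The Python script below is an added example, not code from the original post or from IP Filter: it parses this rule dialect and reports those three properties for a constructed sample rule set that mirrors the server config (RFC 5737 addresses; the hostname atombob and interface hme0 are taken from the post). It does not attempt to explain the crash the post asks about.

```python
import ipaddress

PORT_OPS = {"=", "!=", "<", ">", "<=", ">="}
RANGE_OPS = {"><", "<>"}

def parse_port(tok, i):
    """Tokens after 'port': 'port = 80' or 'port 19 >< 22'; returns (spec, next index)."""
    if tok[i] in PORT_OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    if i + 2 < len(tok) and tok[i + 1] in RANGE_OPS:
        return (tok[i + 1], int(tok[i]), int(tok[i + 2])), i + 3
    raise ValueError("bad port spec: " + " ".join(tok[i:i + 3]))

def parse_rule(line):
    """One ipf rule -> dict (action, return-*, in/out, quick, on, proto, from/to, port, flags)."""
    tok = line.split()
    r = {"action": tok[0], "iface": None, "proto": None, "src": "any", "dst": "any",
         "sport": None, "dport": None, "flags": None, "raw": line}
    i = 2 if tok[1].startswith("return-") else 1    # skip return-icmp(3) / return-rst
    r["direction"], i = tok[i], i + 1
    side = "dport"
    while i < len(tok):
        t = tok[i]
        if t in ("quick", "all"):                   # 'all' is 'from any to any'
            i += 1
        elif t in ("on", "proto", "flags"):
            r["iface" if t == "on" else t], i = tok[i + 1], i + 2
        elif t in ("from", "to"):
            r["src" if t == "from" else "dst"], i = tok[i + 1], i + 2
            side = "sport" if t == "from" else "dport"   # a following 'port' binds to this side
        elif t == "port":
            r[side], i = parse_port(tok, i + 1)
        elif t in ("icmp-type", "with"):            # one argument, not analysed here
            i += 2
        else:
            raise ValueError(f"unknown token {t!r} in: {line}")
    return r

def parse_rules(text):
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l]

def is_address(s):
    """'any', an IP or a CIDR block; anything else is a name ipf must resolve."""
    try:
        ipaddress.ip_network(s, strict=False)
        return True
    except ValueError:
        return s == "any"

def hostnames_needing_resolution(rules):
    """Names that must resolve when the rules are loaded (e.g. by ipfboot)."""
    return sorted({a for r in rules for a in (r["src"], r["dst"]) if not is_address(a)})

def passes_non_syn_tcp(rules):
    """True if 'block ... proto tcp ... flags S/SA' (SYN set, ACK clear) is followed by an
    unconditional inbound TCP pass: ACK probes, RSTs and data segments from any source get in."""
    seen = False
    for r in rules:
        if r["action"] == "block" and r["proto"] == "tcp" and r["flags"] == "S/SA":
            seen = True
        elif (seen and r["action"] == "pass" and r["direction"] == "in" and r["proto"] == "tcp"
              and r["src"] == r["dst"] == "any" and r["sport"] is None
              and r["dport"] is None and r["flags"] is None):
            return True
    return False

def udp_ports_open_to_any_source(rules):
    """Ports that earlier source-restricted UDP pass rules open and that a later
    'pass in ... proto udp from any to any port > N' opens to every source anyway."""
    ports = set()
    for idx, r in enumerate(rules):
        if (r["action"] == "pass" and r["direction"] == "in" and r["proto"] == "udp"
                and r["src"] == "any" and r["dport"] and r["dport"][0] == ">"):
            for e in rules[:idx]:
                if (e["action"] == "pass" and e["direction"] == "in" and "udp" in (e["proto"] or "")
                        and e["src"] != "any" and e["dport"] and e["dport"][0] == "="
                        and e["dport"][1] > r["dport"][1]):
                    ports.add(e["dport"][1])
    return sorted(ports)

# Constructed sample in the style of the posted server rule set: RFC 5737
# addresses, hostname 'atombob' and interface 'hme0' as in the post.
SAMPLE_RULES = """
block in quick proto tcp all with short
pass in quick on hme0 proto tcp from 203.0.113.0/24 to any port 19 >< 22
pass in quick on hme0 proto udp from atombob to any port 700 >< 900
pass in quick on hme0 proto tcp/udp from 198.51.100.0/24 to any port = 2049
pass in quick on hme0 proto udp from 198.51.100.0/24 to any port = 111
block return-icmp(3) in quick on hme0 proto tcp from any to any flags S/SA
pass in quick on hme0 proto tcp from any to any
pass in quick on hme0 proto udp from any to any port > 1023
block return-icmp(3) in quick on hme0 proto udp all
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("names to resolve at load time:", hostnames_needing_resolution(rules))
    print("non-SYN TCP passed from any source:", passes_non_syn_tcp(rules))
    print("UDP ports open to any source:", udp_ports_open_to_any_source(rules))
```

On the sample it reports atombob as the only name that has to resolve at load time, that every non-SYN TCP segment is passed from any source, and that UDP port 2049 is reachable from any source through the `port > 1023` rule even though the explicit 2049 rule restricts the source. Pass the text of a real rule file to `parse_rules` to check it the same way. `ipf -n -f <file>` only makes ipf parse a file without changing the running kernel, so it catches syntax errors but not properties like these; IP Filter's `keep state` keyword on the pass rules is how to get real connection tracking in place of the S/SA heuristic.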

