List: ipfilter
Subject: don't see where I miss it ...
From: Karoly VEGH <karoly.vegh () eunet ! co ! at>
Date: 2005-12-02 13:19:01
Message-ID: 20051202131901.GA29729 () eunet ! co ! at
Hello, I don't see where the mistake is:
root@tomcat01:~# ipfstat -io
[...]
block in log all
pass in quick on hme0 from any to any
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 80 keep state
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 443 keep state
block in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 8080
block in log quick on hme1 proto tcp from 195.170.92.1/32 to 192.174.180.106/32 port = 8080
root@tomcat01:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 172.27.0.101 netmask ffff0000 broadcast 172.27.255.255
ether 8:0:20:d9:e6:80
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 192.174.180.106 netmask ffffff00 broadcast 193.154.180.255
ether 8:0:20:d9:e6:81
root@tomcat01:~# netstat -an | grep 8080
*.8080 *.* 0 0 49152 0 LISTEN
192.174.180.106.8080 195.170.92.1.10928 21804 0 49248 0 ESTABLISHED
192.174.180.106.8080 195.170.92.1.10960 18920 0 49248 0 ESTABLISHED
root@tomcat01:~#
Why can I connect to port 8080 when I explicitly wanted to block it?
I just want ports 443 and 80 to be reachable, and although I need to have a
service running on port 8080, I want only the box itself to be able to reach it
(it is acting as a proxy).
default info:
root@tomcat01:~# uname -a
SunOS tomcat01 5.10 Generic_118822-11 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
root@tomcat01:~# isainfo -vk
64-bit sparcv9 kernel modules
root@tomcat01:~# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
193.154.180.0 192.174.180.106 U 1 1 hme1
172.27.0.0 172.27.0.101 U 1 1 hme0
224.0.0.0 172.27.0.101 U 1 0 hme0
default 193.154.180.28 UG 1 3
127.0.0.1 127.0.0.1 UH 1 7 lo0
root@tomcat01:~# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 65 0 65 0 0 0
hme0 1500 tomcat01 tomcat01 14235 0 39 0 0 0
hme1 1500 tomcat01.serv.eunet.com tomcat01.serv.eunet.com 32786 0 43 0 0 0
root@tomcat01:~# netstat -s -P ip
IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives = 1244 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers = 80 ipOutRequests = 56
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 492
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 0
root@tomcat01:~#
root@tomcat01:~# ipf -V
ipf: IP Filter: v4.0.2 (592)
Kernel: IP Filter: v4.0.2
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
root@tomcat01:~# ipfstat
bad packets: in 0 out 0
input packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
output packets: blocked 0 passed 0 nomatch 0 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 0 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 2593
Packet log flags set: (0)
none
root@tomcat01:~# ipfstat -io
block out quick on hme1 from any to 192.168.0.0/16
block out quick on hme1 from any to 172.16.0.0/12
block out quick on hme1 from any to 10.0.0.0/8
block out quick on hme1 from any to 0.0.0.0/8
block out quick on hme1 from any to 127.0.0.0/8
block out quick on hme1 from any to 169.254.0.0/16
block out quick on hme1 from any to 192.0.2.0/24
block out quick on hme1 from any to 204.152.64.0/23
block out quick on hme1 from any to 224.0.0.0/4
block in quick on hme1 from 192.168.0.0/16 to any
block in quick on hme1 from 172.16.0.0/12 to any
block in quick on hme1 from 10.0.0.0/8 to any
block in quick on hme1 from 127.0.0.0/8 to any
block in quick on hme1 from 0.0.0.0/8 to any
block in quick on hme1 from 169.254.0.0/16 to any
block in quick on hme1 from 192.0.2.0/24 to any
block in quick on hme1 from 204.152.64.0/23 to any
block in quick on hme1 from 224.0.0.0/3 to any
block in log all
pass in quick on hme0 from any to any
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 80 keep state
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 443 keep state
block in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 8080
block in log quick on hme1 proto tcp from 195.170.92.1/32 to 192.174.180.106/32 port = 8080
root@tomcat01:~#
root@tomcat01:~# ipnat -slv
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 0
wilds 0
table ffffffff7ffffb60 list 0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
root@tomcat01:~#
any help is appreciated,
charlie
--
Végh Károly - EUnet Telekom GmbH - Team Systems
Nussdorfer Lände 23, A-1190 Wien, Vienna, Austria
http://www.eunet.at Tel: +43 (0) 591590 / Fax: +43 (0) 591593001
see Disclaimer http://www.eunet.at/signatur/
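Added example, not part of the post and not IPFilter's own code: a small Python model of how IPFilter walks a rule list (the last matching rule wins, and a matching rule with `quick` ends evaluation at once) applied to the `in` rules copied from the `ipfstat -io` output above. Run against a constructed packet for the connection shown in `netstat` (195.170.92.1 to 192.174.180.106 port 8080 on hme1), the rules as written decide `block`. That is worth knowing when reading the `ipfstat` counters, which are zero for blocked, passed and nomatch alike: a ruleset that would block the traffic, combined with a filter that has counted no packets, points at the filter not seeing the interface traffic rather than at rule order. The default policy is taken from the `Default: pass all` line of `ipf -V`; the `Packet` fields and the helper names are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the "in" rules from the post, in kernel order.
RULES_TEXT = """
block in log all
pass in quick on hme0 from any to any
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 80 keep state
pass in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 443 keep state
block in log quick on hme1 proto tcp from any to 192.174.180.106/32 port = 8080
block in log quick on hme1 proto tcp from 195.170.92.1/32 to 192.174.180.106/32 port = 8080
"""

# Subset of ipf.conf syntax used by the post: action, direction, optional
# "log"/"quick", optional interface and protocol, then "all" or from/to/port.
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)"
    r"(?:\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    action: str                             # "block" or "pass"
    direction: str                          # "in" or "out"
    quick: bool                             # stop evaluating on match
    log: bool
    iface: Optional[str]                    # None: any interface
    proto: Optional[str]                    # None: any protocol
    src: Optional[ipaddress.IPv4Network]    # None: "any"
    dst: Optional[ipaddress.IPv4Network]    # None: "any"
    dport: Optional[int]                    # None: any port
    text: str                               # original rule line


@dataclass
class Packet:                                # constructed packet summary (assumption)
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")

    def net(s: Optional[str]) -> Optional[ipaddress.IPv4Network]:
        return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)

    return Rule(action=m["action"], direction=m["dir"],
                quick=m["quick"] is not None, log=m["log"] is not None,
                iface=m["iface"], proto=m["proto"],
                src=net(m["src"]), dst=net(m["dst"]),
                dport=int(m["port"]) if m["port"] else None,
                text=line.strip())


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field present in the rule must agree with the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """IPFilter semantics: the last matching rule wins, unless a matching rule
    carries 'quick', which ends evaluation immediately. With no match at all
    the default policy applies ("pass", per 'Default: pass all' in ipf -V)."""
    decision: Tuple[str, Optional[Rule]] = ("pass", None)
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule)
            if rule.quick:
                break
    return decision


def decide(rules_text: str, direction: str, iface: str, proto: str,
           src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """Return (action, text of the deciding rule or None for the default)."""
    action, rule = evaluate(parse_ruleset(rules_text),
                            Packet(direction, iface, proto, src, dst, dport))
    return action, (rule.text if rule else None)


if __name__ == "__main__":
    for port in (80, 443, 8080, 22):
        action, why = decide(RULES_TEXT, "in", "hme1", "tcp",
                             "195.170.92.1", "192.174.180.106", port)
        print(f"tcp/{port} on hme1: {action}  <- {why}")
```

The 8080 packet is caught by `block in log all` first (no `quick`, so evaluation continues) and then by the `port = 8080` block rule, whose `quick` makes it final; the more specific rule for 195.170.92.1/32 after it is never reached. The same walk lets you check any other combination of interface and port before touching the live ruleset.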