
List:       ipfilter
Subject:    Re: rdr problem, ipf 3.4.35
From:       Hans Werner Strube <strube () physik3 ! gwdg ! de>
Date:       2006-10-05 13:45:07
Message-ID: 200610051345.PAA02441 () r2d2 ! physik3 ! gwdg ! de

Hans Werner Strube wrote:
> We have an ipfilter-3.4.35 firewall on a SunFire V210 under Solaris 9 9/04
> (compiled on this system),
>   intranet - [bge0 IPF bge1] - internet.
> In order to prevent SSH attacks from the internet without changing the SSH
> port on all internal machines, we redirect port 22 to 22222 (blocked by ipf)
> and only allow a nonstandard port P redirected to 22 by the ipnat rules
> 
> rdr bge1 intranet/24 port 22 -> 0 port 22222 tcp
> rdr bge1 intranet/24 port P -> 0 port 22 tcp
> 
> Now, when TCP connections (specifically, NFS) are made from the intranet
> to an external server and the source port happens to be P, the response
> (AS and A packets) from the server is redirected to port 22 and thus blocked,
> since this port has not been opened by a previous S packet from the intranet
> (even if it were open, it would not reach the original client port).
> This redirection is visible with ipnat -l:
> RDR intern_client    22    <- -> intern_client    P  [extern_server 2049]
> As I understand rdr, such a redirection should only happen if the connection
> was initiated from the internet by an S packet to port P, not by a reply
> AS packet.

As there has been no reply, I should probably add information about the
ipf.conf rules, as far as relevant for this case:

block in log quick on bge1 all head 100
block out log quick on bge1 all head 150
block in log quick on bge0 all head 200
block out log quick on bge0 all head 250
# From internet: allow ssh (after rdr from port P to 22)
pass in quick proto tcp from any to !FIREWALL/31 port = 22 flags S keep state group 100
# From intranet: allow everything (with exceptions, omitted here)
pass in quick proto tcp from any to !FIREWALL/31 flags S keep state group 200
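The packet path the message describes, as an added example that is not part of the original post and not ipfilter's own code: a small model of the two ipnat rdr rules, the state table created by the "keep state" rules of groups 100 and 200, and the server's SYN/ACK reply to an intranet connection whose source port happens to be P. Two policies are modelled, rdr applied to every inbound packet with a matching destination port (the behaviour observed with ipf 3.4.35) and rdr applied only to a SYN (the behaviour the poster expected). The value P = 12345, the host names, and the order NAT -> state lookup -> filter rules are assumptions made for the model; the page does not show ipfilter's actual processing order.

```python
"""Model of the rdr/state interaction described in the post (constructed example)."""
from dataclasses import dataclass, replace

P = 12345            # hypothetical value for the poster's "nonstandard port P"
FIREWALL = "firewall"
CLIENT = "intern_client"
SERVER = "extern_server"

SYN = frozenset("S")       # flags S
SYNACK = frozenset("SA")   # flags AS (the server's reply)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


class Firewall:
    """bge0 faces the intranet, bge1 the internet, as in the post."""

    def __init__(self, rdr_mode):
        assert rdr_mode in ("any", "syn_only")
        self.rdr_mode = rdr_mode
        # rdr bge1 ... port 22 -> 0 port 22222 ; rdr bge1 ... port P -> 0 port 22
        self.rdr = {22: 22222, P: 22}
        # state entries as (src, sport, dst, dport) of the packet that created them
        self.state = set()

    def inbound_on_bge0(self, pkt):
        # group 200: pass in quick proto tcp from any to !FIREWALL/31 flags S keep state
        if pkt.dst != FIREWALL and pkt.flags == SYN:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass (rule 200)", pkt
        return "block", pkt

    def inbound_on_bge1(self, pkt):
        # 1. ipnat rdr on bge1 (assumed to run before the filter).  In "any" mode
        #    every packet with a matching destination port is rewritten, which is
        #    what the post observes; in "syn_only" mode only a SYN is rewritten.
        if pkt.dport in self.rdr and (self.rdr_mode == "any" or pkt.flags == SYN):
            pkt = replace(pkt, dport=self.rdr[pkt.dport])
        # 2. state lookup: a reply matches the reversed tuple of the outbound SYN
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass (state)", pkt
        # 3. group 100: pass in quick proto tcp ... port = 22 flags S keep state
        if pkt.dst != FIREWALL and pkt.dport == 22 and pkt.flags == SYN:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass (rule 100)", pkt
        return "block", pkt


def nfs_reply(rdr_mode):
    """Intranet client opens NFS (port 2049) with source port P; return the
    verdict and the (possibly rewritten) SYN/ACK the server sends back."""
    fw = Firewall(rdr_mode)
    fw.inbound_on_bge0(Packet(CLIENT, P, SERVER, 2049, SYN))
    return fw.inbound_on_bge1(Packet(SERVER, 2049, CLIENT, P, SYNACK))


def ssh_from_internet(rdr_mode, dport):
    """External SYN to an intranet host on port dport (P or 22)."""
    fw = Firewall(rdr_mode)
    return fw.inbound_on_bge1(Packet("extern_host", 40000, CLIENT, dport, SYN))


if __name__ == "__main__":
    for mode in ("any", "syn_only"):
        verdict, pkt = nfs_reply(mode)
        print(f"rdr mode {mode:8}: NFS SYN/ACK -> {verdict}, dport now {pkt.dport}")
    print("SSH via port P :", ssh_from_internet("any", P)[0])
    print("SSH direct 22  :", ssh_from_internet("any", 22)[0])
```

In "any" mode the SYN/ACK from extern_server:2049 is rewritten to intern_client:22, no longer matches the state created by the outbound SYN (intern_client:P), fails the "flags S" test of the group 100 rule, and is blocked, which is the ipnat -l entry quoted in the post. In "syn_only" mode the same reply is left alone and passes on state. The SSH cases show that both modes still admit an external SYN to port P (rewritten to 22) and still block a direct SYN to port 22 (rewritten to 22222).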