Firewall doesn't load rules on reboot in Sol10

From: Aaron Taylor (kusoneko@gmail.com)
Date: Mon Oct 03 2005 - 14:27:57 EDT


Hi guys,

I've got a problem where the firewall on a Solaris 10 machine doesn't load
the ruleset on bootup. However, you can load it manually and it works fine
until the next reboot. I'm not sure what I'm doing wrong.

From a freshly booted system:

>>>>>>>>>>>>>>>
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
-bash-3.00# uptime
11:23am up 11 min(s), 1 user, load average: 0.01, 0.03, 0.04
-bash-3.00# svcs -xv pfil
svc:/network/pfil:default (packet filter)
State: online since Mon Oct 03 11:12:59 2005
See: man -M /usr/share/man -s 5 ipfilter
See: /etc/svc/volatile/network-pfil:default.log
Impact: None.
-bash-3.00# ipfstat -i
empty list for ipfilter(in)
-bash-3.00# ipfstat -o
empty list for ipfilter(out)
-bash-3.00# ipf -Fa
-bash-3.00# ipf -f /etc/ipf/ipf.conf
-bash-3.00# ipfstat -i
block in log quick from any to any with short
block in log from any to any with ipopts
pass in quick on lo0 all
block in on hme0 all
pass in log quick on hme0 proto tcp from any to any port = ssh
-bash-3.00# ipfstat -o
pass out quick on lo0 all
block out on hme0 all
pass out quick on hme0 proto icmp from any to any keep state
pass out quick on hme0 proto tcp/udp from any to any keep state
>>>>>>>>>>>>>>>

An nmap scan from before and after:

>>>>>>>>>>>>>>>
web0 root # nmap -sS -P0 192.168.0.233

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-10-03 11:25 PDT
Interesting ports on 192.168.0.233:
(The 1643 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
587/tcp open submission
4045/tcp open lockd
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
32780/tcp open sometimes-rpc23
MAC Address: 08:00:20:BF:25:37 (SUN Microsystems)

Nmap run completed -- 1 IP address (1 host up) scanned in 52.763 seconds
web0 root # nmap -sS -P0 192.168.0.233

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-10-03 11:27 PDT
Interesting ports on 192.168.0.233:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:20:BF:25:37 (SUN Microsystems)

Nmap run completed -- 1 IP address (1 host up) scanned in 106.679 seconds
>>>>>>>>>>>>>>>

My ipf.conf file:

>>>>>>>>>>>>>>>
-bash-3.00# more /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
#
# Changelog
# 09/29/05 - Initial Firewall - Aaron Taylor
#
# Block packets which are too short to be real
block in log quick all with short
#
# Drop and log any IP packets with options set in them
block in log all with ipopts
#
# Allow all traffic on loopback
pass in quick on lo0 all
pass out quick on lo0 all
#
# Block everything on the public network not explicitly allowed
block in on hme0 all
block out on hme0 all
#
# Allow pings out
pass out quick on hme0 proto icmp all keep state
#
# Allow outbound state related packets
pass out quick on hme0 proto tcp/udp from any to any keep state
#
# allow ssh from anywhere
pass in log quick on hme0 proto tcp from any to any port = 22
>>>>>>>>>>>>>>>

I am only using the hme interface at the moment. Two qfe cards are
installed, but not plumbed or in use. My /etc/ipf/pfil.ap file:

>>>>>>>>>>>>>>>
-bash-3.00# more /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules

#le -1 0 pfil
#qe -1 0 pfil
hme -1 0 pfil
#qfe -1 0 pfil
#eri -1 0 pfil
#ce -1 0 pfil
#bge -1 0 pfil
#be -1 0 pfil
#vge -1 0 pfil
#ge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dmfe -1 0 pfil
>>>>>>>>>>>>>>>

Anyone got any ideas why this is happening? Google hasn't turned up anything
that I could find.

--
Thanks,
-Aaron Taylor
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
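The symptom in the post is that pfil reports "online" while ipfstat shows an empty list, so the SMF state alone is not a useful signal that the host is filtered. The script below is an added example (not from the post, the list, or Sun's IP Filter tooling) of a boot-time check that compares the active ruleset printed by ipfstat -i / ipfstat -o against the rules in /etc/ipf/ipf.conf and reports both an empty list and any configured rule that is not active. The sample texts are constructed from the output quoted in the post, and the two normalisations it applies are taken from that output: ipfstat prints "from any to any" where the config said "all" with options following, and resolves "port = 22" to "port = ssh". The SERVICE_PORTS table is an assumed subset of /etc/services; on a real host you could use socket.getservbyname instead. On the Solaris box itself, the inputs would come from running the two ipfstat commands (from cron or an SMF method) and the result would feed an alert or a reload of ipf.conf.

```python
"""Check that IP Filter's active ruleset matches /etc/ipf/ipf.conf.

Added example: compares 'ipfstat -i' / 'ipfstat -o' output with the config
file and flags an empty or incomplete active ruleset.
"""
import re

# Constructed subset of /etc/services (assumption): ipfstat prints service
# names where the config used numbers, so both sides are mapped to numbers.
SERVICE_PORTS = {"ssh": "22", "ftp": "21", "telnet": "23", "smtp": "25"}

# ipfstat prints this instead of rules when nothing is loaded
EMPTY_MARKER = "empty list for ipfilter"


def normalize(rule):
    """Canonical spelling of one rule so config and ipfstat forms compare equal."""
    rule = " ".join(rule.split())
    # ipfstat expands a bare 'all' to 'from any to any' when options follow it
    rule = rule.replace("from any to any", "all")

    # ipfstat resolves 'port = 22' to 'port = ssh'; map names back to numbers
    def port_num(match):
        name = match.group(1)
        return "port = " + SERVICE_PORTS.get(name, name)

    return re.sub(r"port = (\S+)", port_num, rule)


def rules_from_conf(text):
    """Normalized non-comment, non-blank lines of an ipf.conf."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(normalize(line))
    return rules


def rules_from_ipfstat(text):
    """Normalized rules from ipfstat output; empty when ipf reports no list."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(EMPTY_MARKER):
            rules.append(normalize(line))
    return rules


def check_ruleset(conf_text, ipfstat_in, ipfstat_out):
    """Return (loaded, missing).

    loaded  -- False when ipf has no active rules at all (the boot symptom)
    missing -- configured rules that are absent from the active in+out sets
    """
    wanted = rules_from_conf(conf_text)
    active = set(rules_from_ipfstat(ipfstat_in) + rules_from_ipfstat(ipfstat_out))
    missing = [r for r in wanted if r not in active]
    return bool(active), missing


# Constructed samples, taken from the output quoted in the post.
CONF = """
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in on hme0 all
block out on hme0 all
pass out quick on hme0 proto icmp all keep state
pass out quick on hme0 proto tcp/udp from any to any keep state
pass in log quick on hme0 proto tcp from any to any port = 22
"""
BOOT_IN = "empty list for ipfilter(in)\n"
BOOT_OUT = "empty list for ipfilter(out)\n"
LOADED_IN = """block in log quick from any to any with short
block in log from any to any with ipopts
pass in quick on lo0 all
block in on hme0 all
pass in log quick on hme0 proto tcp from any to any port = ssh
"""
LOADED_OUT = """pass out quick on lo0 all
block out on hme0 all
pass out quick on hme0 proto icmp from any to any keep state
pass out quick on hme0 proto tcp/udp from any to any keep state
"""

if __name__ == "__main__":
    for label, i, o in (("after boot", BOOT_IN, BOOT_OUT),
                        ("after ipf -f", LOADED_IN, LOADED_OUT)):
        loaded, missing = check_ruleset(CONF, i, o)
        print(f"{label}: loaded={loaded} missing={len(missing)}")
        for rule in missing:
            print("  not active:", rule)
```

The check deliberately treats "pfil online" as irrelevant and looks only at what ipfstat reports; the empty-list case is reported separately from a partial load so that an operator can tell a rules file that never ran from one that failed part way through.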


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:32:07 EDT