pfilter-users Mailing List for linux packet filtering
Brought to you by:
ngorsuch
From: Neil G. <ngo...@nc...> - 2002-10-26 06:36:23

At 09:27 PM 10/25/2002 -0400, Weirong Zhu wrote:
> I set
> ===================================================
> INTERNAL eth1 # inside network interface
> FILTERED eth0 # outside
>
> open tcp ssh
> ===================================================

pfilter classifies interfaces two ways:

FILTERED or UNFILTERED (any connection is allowed from UNFILTERED interfaces)
PROTECTED or UNPROTECTED (PROTECTED interfaces get their outgoing connections Network Address Translated)

Setting an interface as INTERNAL will always set it as PROTECTED. But INTERNAL interfaces, depending on which version of pfilter is being used, may be set as FILTERED or UNFILTERED.

I would advise using something like this:

PROTECTED eth1 # inside network gets NAT style packet forwarding
UNFILTERED eth1 # inside network is allowed any connection to this machine
UNPROTECTED eth0 # outside network is not NATTED
FILTERED eth0 # outside network connections not allowed by default
open ssh # allow ssh connection to this machine from anywhere
nologging # don't fill syslog up with packet rejection notices

or better yet, something like what OSCAR installs:

# define the main OSCAR server
%define oscar_server ia32.ncsa.uiuc.edu
# define the OSCAR compute nodes (this is updated when
# compute nodes are added or taken away)
%define nodes ia32c1 ia32c2 ia32c3 ia32c4
# We don't want future pfilter updates to merge commented out
# new types of configuration directives when pfilter is upgraded.
nomerge
# We don't trust anyone anywhere on any interface by default
untrusted interfaces all
# We don't want to fill up system log files with packet
# rejection messages
nologging
# Be nice and reject, rather than drop, unwanted packets
reject
# the server gets ssh and http opened up
open tcp ssh http https
# the server needs to be listed as a dhcp server for the nodes
# because opening up that service requires opening up some
# broadcast stuff as well, so simply listing the nodes as
# trusted is not sufficient
open dhcp on eth1
# the server trusts itself and every compute node
trusted %oscar_server% %nodes%
open multicast # for ganglia

>I found after pfilter start all packages are filtered out, except SSH.
>
>From outside, other machines can not ping me, can not telnet, that's just
>what I want.
>However from inside, I also can not go outside, for example, I can not
>telnet to an outside telnet server. More important, I can not get NIS
>server's response, can not get NFS server's response. It closed all my
>network connection except SSH. That's not what I want.
>
>Has anybody met the same problem?
>Would you like to tell me how to properly configure the pfilter.
>
>Thanks a lot!
>
>_______________________________________________
>Oscar-users mailing list
>Osc...@li...
>https://lists.sourceforge.net/lists/listinfo/oscar-users
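To make the difference between the poster's configuration and the one advised above concrete, here is a small pfilter-style compiler written for this page. It is an added example, not pfilter's own code: the service-to-port table, the iptables rule shapes, the default that an `open` line without a protocol opens both tcp and udp, the choice to treat INTERNAL as PROTECTED plus FILTERED (one of the two behaviours described above), and the LOG prefix are all assumptions of the example. The commands are produced as strings and never executed.

```python
"""Toy compiler for the pfilter.conf directives quoted in this thread.

Added illustration, not pfilter's own code: it models the interface classes
Neil describes (FILTERED/UNFILTERED, PROTECTED/UNPROTECTED) plus open, trusted,
nologging, reject and %define, and emits iptables commands as strings (nothing
runs). Service table, rule shapes and log prefix are this example's assumptions.
"""

SERVICES = {"ssh": 22, "http": 80, "https": 443, "dhcp": 67, "ntp": 123}  # assumed
LOG_PREFIX = "external packet REJECTED:"  # modelled on the kernel log line in the thread


def parse(text):
    """Parse directives into a policy dict, expanding %name% macros."""
    defines = {}
    p = {"filtered": [], "unfiltered": [], "protected": [], "unprotected": [],
         "open": [], "trusted": [], "logging": True, "deny": "DROP"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        for name, value in defines.items():          # %oscar_server% -> value
            line = line.replace("%" + name + "%", value)
        words = line.split()
        kw, args = words[0].lower(), words[1:]
        if kw == "%define":
            defines[args[0]] = " ".join(args[1:])
        elif kw in ("filtered", "unfiltered", "protected", "unprotected"):
            p[kw].extend(args)
        elif kw == "internal":
            # Neil: INTERNAL always implies PROTECTED; FILTERED or UNFILTERED
            # depends on the pfilter version. The toy takes the FILTERED case.
            p["protected"].extend(args)
            p["filtered"].extend(args)
        elif kw == "open":
            if args[0] in ("tcp", "udp"):
                protos, rest = [args[0]], args[1:]
            else:                                    # no protocol: open both
                protos, rest = ["tcp", "udp"], args
            iface = None
            if "on" in rest:                         # 'open dhcp on eth1'
                i = rest.index("on")
                iface, rest = rest[i + 1], rest[:i]
            for svc in rest:
                if svc == "multicast":               # 'open multicast' has no port
                    p["open"].append((None, svc, iface))
                else:
                    p["open"].extend((pr, svc, iface) for pr in protos)
        elif kw == "trusted":
            p["trusted"].extend(args)
        elif kw == "nologging":
            p["logging"] = False
        elif kw == "reject":
            p["deny"] = "REJECT"
    return p


def compile_rules(p):
    """Emit iptables commands (as strings) for a parsed policy."""
    r = ["iptables -F", "iptables -t nat -F", "iptables -P FORWARD DROP",
         # Only a connection's first packet needs an 'open' rule; replies and
         # later packets of the flow pass through connection tracking.
         "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
         "iptables -A INPUT -i lo -j ACCEPT"]
    for iface in p["unfiltered"]:                    # any connection allowed
        r.append(f"iptables -A INPUT -i {iface} -j ACCEPT")
    for host in p["trusted"]:
        r.append(f"iptables -A INPUT -s {host} -j ACCEPT")
    for proto, svc, iface in p["open"]:
        where = f" -i {iface}" if iface else ""
        if svc == "multicast":
            r.append(f"iptables -A INPUT{where} -d 224.0.0.0/4 -j ACCEPT")
        else:
            port = SERVICES.get(svc, svc)            # names, numbers, 6000:6009
            r.append(f"iptables -A INPUT{where} -p {proto} --dport {port} -j ACCEPT")
    # PROTECTED interfaces are forwarded and masqueraded out of every classified
    # interface that is not PROTECTED (declared UNPROTECTED or left undeclared).
    seen = dict.fromkeys(p["filtered"] + p["unfiltered"] + p["protected"] + p["unprotected"])
    outside = [i for i in seen if i not in p["protected"]]
    for inside in dict.fromkeys(p["protected"]):
        for out in outside:
            r.append(f"iptables -A FORWARD -i {inside} -o {out} -j ACCEPT")
            r.append(f"iptables -A FORWARD -i {out} -o {inside} "
                     "-m state --state ESTABLISHED,RELATED -j ACCEPT")
            r.append(f"iptables -t nat -A POSTROUTING -o {out} -j MASQUERADE")
    for iface in dict.fromkeys(p["filtered"]):       # default deny, logged or not
        if p["logging"]:
            r.append(f'iptables -A INPUT -i {iface} -j LOG --log-prefix "{LOG_PREFIX} "')
        r.append(f"iptables -A INPUT -i {iface} -j {p['deny']}")
    return r


# Constructed inputs: the poster's configuration and the one Neil advised.
POSTER_CONF = "INTERNAL eth1 # inside\nFILTERED eth0 # outside\n\nopen tcp ssh\n"
ADVISED_CONF = ("PROTECTED eth1\nUNFILTERED eth1\nUNPROTECTED eth0\nFILTERED eth0\n"
                "open ssh\nnologging\n")

if __name__ == "__main__":
    print("\n".join(compile_rules(parse(POSTER_CONF))))
```

With the poster's configuration the only thing accepted on eth1 ahead of the default deny is the ssh port, which is the symptom reported; the advised configuration instead accepts everything arriving on eth1, masquerades it out of eth0, and emits no LOG rule because of `nologging`. The macro expansion, `open dhcp on eth1` and `open multicast` lines of the OSCAR snippet parse the same way.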
From: Weirong Z. <we...@ma...> - 2002-10-26 01:28:34

Dear all:

As we all know, a firewall is very important for security. And pfilter is a firewall compiler shipped with OSCAR. I try to config pfilter to make it work for my cluster. I set
===================================================
INTERNAL eth1 # inside network interface
FILTERED eth0 # outside

open tcp ssh
===================================================
I found after pfilter start all packages are filtered out, except SSH.

From outside, other machines can not ping me, can not telnet, that's just what I want.
However from inside, I also can not go outside, for example, I can not telnet to an outside telnet server. More important, I can not get NIS server's response, can not get NFS server's response. It closed all my network connection except SSH. That's not what I want.

Has anybody met the same problem?
Would you like to tell me how to properly configure the pfilter.

Thanks a lot!
From: Weirong Z. <we...@ma...> - 2002-10-18 21:03:19

Now I use pfilter version pfilter-1.688-1. And my iptables' version is 1.2.6a. My kernel is 2.4.18.

When I run "pfilter start", I got the error below:
**********************************************************
/sbin/iptables is executable but not working yet.
Perhaps you need to rmmod ipchains and insmod iptables?
(pfilter will do this for you when it starts, so you can probably ignore this)
iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
**********************************************************

I restart iptables by "chkconfig iptables on" and still get the same error.

I am not familiar with iptables and ipchains. What should I do now? I just want to use pfilter to build a firewall.

Thanks a lot
From: Neil G. <ngo...@nc...> - 2002-01-20 00:23:41

You could do content filtering of web accesses by doing some fancy packet filtering, but it wouldn't work very well. Packet filtering under 2.4 kernels now supports matching based on arbitrary string matches, but it would be kludgy at best (imagine having to drop all packets having to do with barnyards or fairy tales that have "cock-a-doodle-doo" because of the first 4 characters matching). It would also be awkward to drop packets in the middle of a web connection; the browser would just see a time-out.

I would suggest using either an annoying proxy, a plug-in for windows computers, or turning on the ratings stuff in internet explorer. Just remember that any kind of filtering will only work on a certain percentage of bad sites (hard to interpret picture content), and will falsely block some good sites. But that may be better than no filtering, depending on what your audience and goals are.

Sorry I can't be more help.

At 09:00 PM 1/16/2002 -0600, you wrote:
>I'm kinda new to the whole iptables thing but I'm looking
>for a way to do content filtering on www pages on my
>firewall using ip masquerade. I don't want an intrusive
>proxy server but I would like to filter content and block
>sites which have potentially offensive content. This
>server will operate at a school.
>
>Is pfilter something which can help me implement this and
>if so how?
From: Neil G. <ngo...@nc...> - 2002-01-14 20:04:49

I just updated the older pfilter track to 0.93 for a simple fix to the broadcast packets kludge.

pfilter 2 is almost done; I pretty much finished it over the holidays and am now working out a few last minute bugs and doing some testing. The new version, which will be released sometime this week as an alpha test, has these changes:

finished initial version of ruleset files content
finished beta version of pfilter 2 main program logic
added code to parse constants/defines from ruleset files
added code to parse macros from ruleset files
added code to parse ruleset files content
added code to write out pre-expanded source file
added code to expand constants/defines into output file
added code to expand macros into output file
added code to expand conditional compilation into output file
added --noout command line option
added --source= command line option
added secret --nocond command line option
added secret --noconst command line option
added secret --nomacro command line option
added secret --noprefix command line option
added secret --nosuffix command line option
changed module files to included files
split included files into more included files
added new configuration file syntax capability: to/from on open/close
allowed interface commands to accept ALL as interface name
From: Neil G. <ngo...@nc...> - 2001-10-29 21:47:38

This is what I put in on a four node cluster here, on each of the machines for the /etc/pfilter.conf file. Also included is the latest pfilter rpm.
From: Neil G. <nj...@pd...> - 2001-10-25 08:25:21

At 09:26 AM 10/17/2001 -0400, nb...@fr... wrote:
>I'm testing pfilter-0.82 on a RH7.1 box (RH kernel 2.4.3).
>I have
>OPENSMB #everything
>I see this in the log:
>Oct 17 09:20:42 adglinux1 kernel: external packet REJECTED:IN=eth0
>OUT= MAC=00:10:4b:6a:20:f3:00:30:7b:92:bb:dc:08:00 SRC=139.85.52.102
>DST=139.85.108.152 LEN=106 TOS=0x00 PREC=0x00 TTL=254 ID=30165 DF
>PROTO=ICMP TYPE=3 CODE=3 [SRC=139.85.108.152 DST=139.85.52.102 LEN=78
>TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 ]

I have never seen a doubled up message like that in the log files. I can only assume that the icmp type 3 (which is a destination unreachable reply error packet) was sent in response to the udp 137 packet, which is a netbios packet. Please send me your pfilter.conf file and the output of the ifconfig command. I honestly can't figure out why the packet should be rejected. A test I ran here looked like the proper iptables commands were being generated for an OPENSMB directive.

>Since the port 137 is netbios/ns, does this indicate that OPENSMB
>isn't working correctly? I don't know how to read the above message.
>First it says PROTO=ICMP, then it says PROTO=UDP, I don't know what
>that means.
From: Neil G. <nj...@pd...> - 2001-10-20 01:24:26

You're right, there is a bug there. For now, just put:

OPEN tcp 6000:6009

in instead of:

OPENX

At 12:09 PM 10/17/2001 -0400, nb...@fr... wrote:
>I put OPENX in (no SOURCES), but it doesn't seem to work. I don't see
>anything in pfilter.cmds that seems to pertain to X, and a connection
>to 6000 was rejected. Running with -d says
>
>/usr/sbin/pfilter.pl: parsing configuration line OPENX<
>/usr/sbin/pfilter.pl: adding to openx_sources ><
From: Neil G. <nj...@pd...> - 2001-10-20 00:23:02

At 09:39 AM 10/17/2001 -0400, nb...@fr... wrote:
>Question #1:
>Do I need both udp and tcp entries for these protos? Right now I
>have:
>OPEN tcp
>ssh,telnet,smtp,ftp,auth,http,https,domain,ntp,amanda,amandaidx,amidxtape
>OPEN udp ssh,telnet,smtp,ftp,ntp,auth,http,https,domain,amanda

Technically, almost every one of those is supposed to respond to both tcp and udp. But in reality, the following probably only need tcp: ssh, ftp, http, https, ntp. What you put in the OPEN is only for the first packet; all subsequent packets in a conversation/connection come through because pfilter enables connection tracking and puts in a rule to allow "related" packets through. I believe domain is udp only. Just take off whatever looks ok and if it breaks it, re-enable it.

>Question #2:
>I am using NTP multicast 224.0.1.1. How do I open that?

I put a special hook into the current version just for that. If you put an allowable source address of 0.0.0.0 for anything that is to be opened up, such as ntp, it puts in a special rule that lets all multicast packets coming from 0.0.0.0 come in even though they are not addressed to the specific host address. So if you are expecting ntp time sync packets, try putting in:

OPEN tcp ntp 0.0.0.0

In the new version of pfilter I'll put in a global or interface wide multicast allowed flag that equates multicast packets to be the same as packets coming in from an unknown address, plus a special source address of "multicast".
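The two points in the reply above (an OPEN entry only has to admit the first packet of a flow, and multicast is not addressed to the host so it needs its own allowance) can be seen in a small stateful-filter model. This is an added example, not pfilter or netfilter code: connection tracking is reduced to a set of flow tuples, the "source 0.0.0.0 means multicast is allowed for this service" convention is modelled after the description above rather than copied from pfilter, NTP multicast is modelled as UDP, and every address and packet in the trace is constructed.

```python
"""Model of the stateful behaviour behind the two answers above.

Added illustration, not pfilter or netfilter code. Connection tracking is a
set of flow tuples; the 0.0.0.0 source convention follows Neil's description
and is modelled, not copied. Packet layout and all addresses are constructed.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")


def is_multicast(ip):
    """True for 224.0.0.0/4 destinations such as NTP's 224.0.1.1."""
    return 224 <= int(ip.split(".")[0]) <= 239


class StatefulFilter:
    def __init__(self, host_ip, opened):
        self.host_ip = host_ip
        # opened: {(proto, port, source)}; source "any" is a normal open,
        # source "0.0.0.0" marks a service that may also arrive by multicast.
        self.opened = set(opened)
        self.tracked = set()          # (proto, peer_ip, peer_port, local_port)

    def outbound(self, pkt):
        """Host sends a packet: remember the flow so the reply is ESTABLISHED."""
        self.tracked.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
        return "SENT"

    def inbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.tracked:       # any later packet of a known flow
            return "ACCEPT:ESTABLISHED"
        if pkt.dst != self.host_ip:
            # A rule keyed on the host address never sees multicast; only the
            # special multicast allowance for that service lets it through.
            if is_multicast(pkt.dst) and (pkt.proto, pkt.dport, "0.0.0.0") in self.opened:
                return "ACCEPT:MULTICAST"
            return "REJECT:not-for-host"
        if any((pkt.proto, pkt.dport, src) in self.opened for src in ("any", "0.0.0.0")):
            self.tracked.add(key)     # the first packet creates the tracking entry
            return "ACCEPT:OPEN"
        return "REJECT:closed"


def run_trace():
    """Replay a constructed packet trace against 'OPEN tcp ssh' plus a DNS lookup."""
    host, client, resolver = "192.0.2.10", "198.51.100.5", "192.0.2.53"
    fw = StatefulFilter(host, {("tcp", 22, "any")})
    out = [
        fw.inbound(Pkt("tcp", client, 40000, host, 22)),    # SYN: matches the open
        fw.inbound(Pkt("tcp", client, 40000, host, 22)),    # rest of the session
        fw.inbound(Pkt("udp", client, 40001, host, 22)),    # no 'OPEN udp ssh': rejected
        fw.outbound(Pkt("udp", host, 5353, resolver, 53)),  # host asks DNS
        fw.inbound(Pkt("udp", resolver, 53, host, 5353)),   # reply needs no OPEN
        fw.inbound(Pkt("udp", "192.0.2.9", 123, "224.0.1.1", 123)),  # NTP multicast
    ]
    # Same NTP packet against a filter carrying the 0.0.0.0 multicast allowance.
    fw2 = StatefulFilter(host, {("tcp", 22, "any"), ("udp", 123, "0.0.0.0")})
    out.append(fw2.inbound(Pkt("udp", "192.0.2.9", 123, "224.0.1.1", 123)))
    return out


if __name__ == "__main__":
    for step, verdict in enumerate(run_trace(), 1):
        print(step, verdict)
```

Steps 1 and 2 show why a service needs only one OPEN entry, step 3 shows that dropping the unused udp entry for ssh costs nothing, steps 4 and 5 show replies to the host's own queries passing without any OPEN, and steps 6 and 7 show the multicast packet rejected as "not for this host" until the service carries the multicast allowance.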
From: Neil G. <ngo...@nc...> - 2001-10-18 16:29:06

At 09:35 AM 10/17/2001 -0400, you wrote:
>Thanks for the pointer to pfilter. I'm testing it now. So far I find
>it much easier than the other firewall packages I've looked at.

You might want to join the pfilter-users and/or pfilter-announce mailing lists on sourceforge. pfilter version 2 is nearing completion, and includes conditional macro support which means the user can define services including oddball script fragments needed to unblock or block services. Also a gui will be included.

If you have any ideas about what we can improve, please email or phone me. 217-244-0424
From: <nb...@fr...> - 2001-10-17 16:09:55

I put OPENX in (no SOURCES), but it doesn't seem to work. I don't see anything in pfilter.cmds that seems to pertain to X, and a connection to 6000 was rejected. Running with -d says

/usr/sbin/pfilter.pl: parsing configuration line OPENX<
/usr/sbin/pfilter.pl: adding to openx_sources ><

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

mQGiBDZa9ZcRBACYGMoAmHIBUR19lDLZNJhgxGtqVchV7OiwniGIE0UpwRj08fDX
/KO7/cXgXDZqFEgHF98e6Gbm4efyyC7seP4Ye8Av3n8h8PMv307lQieJd5qQVvwx
vwJWGHsX1EOsv/Suzb2ZcYllU4dgrdBIkRLQ5tsJPiWtxjsfBsONGqWmIwCghmQA
GayzNTFUUy0JkGP8SEJRycED/0GvchcxrSnN0FDe5HqM2YzNOnQYGEasAgRSNoG7
O87uudA3j+Hh4GQSD7VgleYArCXqfaNd8pj+EY0ykGjcTJk07aAl+Ib8UrQ8eNk/
RON0+/ZRN6QGqte1lokR969AgVFDQaHV0IctElZdpRg+JbKUiBn3iYaY7xfYYr1z
M6l/A/4v7HkRTfoMsEae+vhuatmekXpV7rrcmhAjLdaUWbamNrkp7N6fnDMQcRjJ
DA/9VBV8qjokGu2PEj+HQGZb52y1+/S+wmUbKlS/EkYMME9gEDuUBFhHlC6xbYg1
akcddicTFhNHtwNQ9GFliIaJzU1Mt7LumB03/Cy0A9PouNUhv7QhTmVhbCBELiBC
ZWNrZXIgPG5iZWNrZXJAZnJlZC5uZXQ+iFcEExECABcFAjZa9ZcDCwQDBRUDAgYB
AxYCAQIXgAAKCRCtdGDCLVoO090GAJsFFd/nUF315R0Snt97iV39JP/OTQCeNAaU
5MsmAJHGFcXXj9AkMRoguzu5AQ0ENlr1pRAEAKpFYKuYC++L4RuzreeuKObO15SS
LXgUo0A/q9Hm3VFQw/FaWShBilVKjw6C7lUFnajx0uzy3EhczjitdcHewXyOH/9T
1WyqtiJG9CJTRgQkA1vDSgLBqLQ8so4saOF0bT/66iaiBE9Rbl1yRvjJh5lIULJr
BG2WhHfh/xWl2KS/AAMFBACQ/DrlJe9ooOQAuuUFK8P1A1t4zN5u9gvVMLhpxnr+
KYFa4+GdP3939lRTb7smtVxh9gote66kTmH776sqx7Sn8/Vsx5DOEKpikTlQ9IPR
mXu8Oe9skh+rJcOrjSOH7fSsYqqH7O1GArw0l82bBwA6Xz86vWfyHj/Slo0YXxey
QohGBBgRAgAGBQI2WvWlAAoJEK10YMItWg7TDiEAn3kIiU3z9lbtF4UexjL8zWIv
QszbAJ4om+wo1penO8/y9uI0UOgJQZUtJg==
=Q5Ab
-----END PGP PUBLIC KEY BLOCK-----
From: <nb...@fr...> - 2001-10-17 13:39:33

Question #1:
Do I need both udp and tcp entries for these protos? Right now I have:
OPEN tcp ssh,telnet,smtp,ftp,auth,http,https,domain,ntp,amanda,amandaidx,amidxtape
OPEN udp ssh,telnet,smtp,ftp,ntp,auth,http,https,domain,amanda

Question #2:
I am using NTP multicast 224.0.1.1. How do I open that?
From: <nb...@fr...> - 2001-10-17 13:26:21

I'm testing pfilter-0.82 on a RH7.1 box (RH kernel 2.4.3).
I have
OPENSMB #everything
I see this in the log:
Oct 17 09:20:42 adglinux1 kernel: external packet REJECTED:IN=eth0 OUT= MAC=00:10:4b:6a:20:f3:00:30:7b:92:bb:dc:08:00 SRC=139.85.52.102 DST=139.85.108.152 LEN=106 TOS=0x00 PREC=0x00 TTL=254 ID=30165 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=139.85.108.152 DST=139.85.52.102 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 ]

Since the port 137 is netbios/ns, does this indicate that OPENSMB isn't working correctly? I don't know how to read the above message. First it says PROTO=ICMP, then it says PROTO=UDP, I don't know what that means.
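The "doubled up" log line asked about here (and discussed in the reply dated 2001-10-25 above) is a single ICMP error message: an ICMP destination-unreachable datagram carries a copy of the header of the packet it complains about, and the netfilter LOG target prints that quoted header in square brackets. So the first PROTO=ICMP describes the packet that was rejected and the second PROTO=UDP describes the earlier UDP packet the error refers to. The parser below, written for this page and not part of pfilter, pulls both headers apart and decodes the type/code; the sample line is the one from the thread, and the field handling, lookup tables and function names are this example's own assumptions.

```python
"""Parser for a netfilter LOG line of the kind quoted above, including the
bracketed inner header that an ICMP error message carries.

Added illustration, not pfilter code. The sample line is the one from the
thread; field handling, the two lookup tables and helper names are assumptions.
"""
import re

SAMPLE = ("Oct 17 09:20:42 adglinux1 kernel: external packet REJECTED:IN=eth0 "
          "OUT= MAC=00:10:4b:6a:20:f3:00:30:7b:92:bb:dc:08:00 SRC=139.85.52.102 "
          "DST=139.85.108.152 LEN=106 TOS=0x00 PREC=0x00 TTL=254 ID=30165 DF "
          "PROTO=ICMP TYPE=3 CODE=3 [SRC=139.85.108.152 DST=139.85.52.102 LEN=78 "
          "TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 ]")

ICMP_TYPES = {3: "destination unreachable", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def fields_and_flags(text):
    """Split 'K=V' tokens into a dict; bare tokens such as DF become flags."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            while k in fields:        # keep both LEN values inside the bracket
                k += "2"
            fields[k] = v
        else:
            flags.append(tok)
    return fields, flags


def parse_log_line(line):
    """Return timestamp, host, log prefix, outer header and (if any) inner header."""
    head, _, rest = line.partition("kernel: ")
    stamp = head.split()
    prefix, _, body = rest.partition("IN=")
    body = "IN=" + body
    inner = None
    m = re.search(r"\[(.*)\]", body)
    if m:                             # ICMP errors quote the offending packet
        inner_fields, inner_flags = fields_and_flags(m.group(1))
        inner = {"fields": inner_fields, "flags": inner_flags}
        body = body[:m.start()]
    outer_fields, outer_flags = fields_and_flags(body)
    return {"time": " ".join(stamp[:3]), "host": stamp[3], "prefix": prefix.strip(),
            "outer": {"fields": outer_fields, "flags": outer_flags}, "inner": inner}


def explain(rec):
    """One-line reading of the record; decodes ICMP type/code when present."""
    o = rec["outer"]["fields"]
    if o.get("PROTO") != "ICMP" or rec["inner"] is None:
        return f"{o['PROTO']} {o['SRC']} -> {o['DST']} on {o['IN']}"
    t, c = int(o["TYPE"]), int(o["CODE"])
    kind = ICMP_TYPES.get(t, f"type {t}")
    if t == 3:
        kind += ", " + UNREACH_CODES.get(c, f"code {c}")
    i = rec["inner"]["fields"]
    return (f"ICMP {kind} from {o['SRC']} about {i['PROTO']} "
            f"{i['SRC']}:{i.get('SPT')} -> {i['DST']}:{i.get('DPT')}")


def is_error_about_own_packet(rec):
    """True when the quoted inner packet was sent by the logging host itself."""
    i = rec["inner"]
    return i is not None and i["fields"].get("SRC") == rec["outer"]["fields"].get("DST")


if __name__ == "__main__":
    record = parse_log_line(SAMPLE)
    print(explain(record))
    print("error about this host's own packet:", is_error_about_own_packet(record))
```

For the sample line the result reads as a port-unreachable error from 139.85.52.102 about a UDP 137 packet that 139.85.108.152 (the logging host) had sent it, so the rejected packet is a reply to the host's own NetBIOS name-service probe rather than an inbound connection attempt; `is_error_about_own_packet` makes that relationship explicit by comparing the quoted inner source with the outer destination.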
From: Neil G. <ngo...@nc...> - 2001-10-11 05:55:34

At 06:27 PM 10/8/2001 -0600, you wrote:
>while playing with pfilter (I likes!) I did a google search for packet
>filter. It returned this:
>--------------------------------------------------------------------------
>Sears has the filter you need!
>sears.com/partsdirect Sears has 4.5 million parts for over 400 brands.
>--------------------------------------------------------------------------

Now if I could only convince Sears to give me a royalty.

>On another note, this isn't exactly a pfilter problem, my redhat 7.1
>box (I know, I know...) by default loads ipchains (rather than iptables).
>pfilter is smart enough to use iptables. However, with the ipchains
>module loaded, iptables won't load.
>You/we may want to add something that makes sure the correct kernel module
>is loaded (or more importantly that the incorrect module is not loaded as
>linux seems to be pretty good at loading up the one that is currently
>needed).

I made a change to do that. The newest version is attached.