ipfilter why does moving a rule break it?

Post by Pierre Girar » Sat, 18 Mar 2006 00:20:29



Hello,
     we wrote a simple rules file to allow only ssh in and we had
problems making it work.  We finally realized that reordering some lines
makes it work, but in our opinion it shouldn't make any difference.

Can anyone explain why this configuration works:

block in all
pass out on bge0 from any to any flags S keep state

pass in  on lo0 all
pass out on lo0 all

pass in on bge0 proto tcp from any to any port = 22 keep state

and this one doesn't:

block in all

pass in  on lo0 all
pass out on lo0 all

pass in on bge0 proto tcp from any to any port = 22 keep state

pass out on bge0 from any to any flags S keep state

We only moved the pass out rule from top to bottom, and there aren't any
other out rules on the interface, so according to the documentation it
shouldn't matter: it should be the only rule that matches, and if it
matches in one case it should match in the other.

This is on Solaris 10 GA on x86 with the installed ipfilter.

ipf: IP Filter: v4.0.2 (592)
Kernel: IP Filter: v4.0.2
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

online         10:40:53 svc:/network/pfil:default
online         10:40:56 svc:/network/ipfilter:default

Thanks for your help.


ipfilter why does moving a rule break it?

Post by Robert Lawhea » Sat, 18 Mar 2006 03:33:12



> Hello,
>     we wrote a simple rules file to allow only ssh in and we had problems
> making it work.  We finally realized that reordering some lines makes
> it work, but in our opinion it shouldn't make any difference.

> Can anyone explain why this configuration works:

> block in all
> pass out on bge0 from any to any flags S keep state

> pass in  on lo0 all
> pass out on lo0 all

> pass in on bge0 proto tcp from any to any port = 22 keep state

> and this one doesn't:

> block in all

> pass in  on lo0 all
> pass out on lo0 all

> pass in on bge0 proto tcp from any to any port = 22 keep state

> pass out on bge0 from any to any flags S keep state

> We only moved the pass out rule from top to bottom, and there aren't any
> other out rules on the interface, so according to the documentation it
> shouldn't matter: it should be the only rule that matches, and if it
> matches in one case it should match in the other.

> This is on Solaris 10 GA on x86 with the installed ipfilter.

> ipf: IP Filter: v4.0.2 (592)
> Kernel: IP Filter: v4.0.2
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 1

> online         10:40:53 svc:/network/pfil:default
> online         10:40:56 svc:/network/ipfilter:default

> Thanks for your help.

It might help if you refined your description of the problem
(including any relevant log entries), as well as the rules in
force when the failure occurs.  You can see the active rules
using the ipfstat -i and ipfstat -o commands.


ipfilter why does moving a rule break it?

Post by Pierre Girar » Sat, 18 Mar 2006 05:30:50



> It might help if you refined your description of the problem
> (including any relevant log entries), as well as the rules in
> force when the failure occurs.  You can see the active rules
> using the ipfstat -i and ipfstat -o commands.

Actually the ipf command was* (and that caused ssh not to work).
It seems we forgot to change the nsswitch.conf file to check files
before nis, and the system was* on nis requests.

1. ipfilter rule set..?

Hello:

I am a newbie to ipfilter and want to use it to control access to
my machine in the office (SunBlade running Solaris-8).

I have written the following ruleset for ipfilter (incoming traffic
only) and I want unrestricted traffic from my machine to the world. I
need help with this, as outgoing traffic is being blocked
(telnet/ftp/smtp etc.). Any pointers?

-ishwar
--------
#       IPfilter rules for Solaris-8 7/31/01
#  Allow ftp/telnet from mysubnet to host BUT unrestricted
#  access from host to outside world..
#
#  MYIPADR -- hostipaddress
#  MYSUBNET -- subnetipaddress
# local -- lo0
pass in quick on lo0 all

# address spoofing
block in quick on eri0 from 127.0.0.0/8 to any
block in quick on eri0 from MYIPADR to any

# ftp(20/21), ssh(22), telnet(23), smtp(25), http(80)
pass in quick on eri0 proto tcp from MYSUBNET to any port = 20
pass in quick on eri0 proto tcp from MYSUBNET to any port = 21
pass in quick on eri0 proto tcp from any to any port = 22
pass in quick on eri0 proto tcp from MYSUBNET to any port = 23
pass in quick on eri0 proto tcp from any to any port = 25
pass in quick on eri0 proto tcp from any to any port = 80

# dns??
pass in quick on eri0 proto udp from NAMSVR port = 53 to any

# others???
pass in quick on eri0 proto tcp from any to any port = 111
pass in quick on eri0 proto tcp from MYSUBNET port > 1023 to any
pass in quick on eri0 proto udp from MYSUBNET port > 1023 to any

# icmp
pass in quick on eri0 proto icmp from any to any

# deny the rest
block in log quick on eri0 all
---------
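Added example (not from either post, and not IPFilter's own code): a small Python model of how ipf evaluates a ruleset, used to check the two things the threads above turn on. First, Pierre's two rulesets: rules are tried in order and the last match wins unless it carries `quick`, so moving the `pass out` rule below the `pass in` rules changes no verdict, which is why the filter itself could not explain his failure (his own follow-up traces it to the ipf command and to nsswitch.conf sending lookups to NIS; ipf resolves the names in a ruleset through the system name service, protocol names such as `tcp` included, via getprotobyname). Second, ishwar's inbound-only ruleset: the SYN of an outbound telnet leaves under the default pass, but the SYN/ACK coming back matches only `block in log quick on eri0 all`, since nothing kept state for it; the usual fix, a `pass out quick on eri0 proto tcp from any to any flags S keep state` rule, is included as ISHWAR_FIXED. The addresses (RFC 5737 documentation ranges) and the values substituted for MYIPADR, MYSUBNET and NAMSVR are constructed, and the model handles only the syntax these two rulesets use.

```python
# Added example (not code from the thread or from IPFilter): a model of ipf rule
# evaluation. Rules are tried in order and the LAST match decides unless it says
# "quick"; a "keep state" pass admits the reverse direction before any rule is
# consulted; when nothing matches the default applies, which is "pass".
import ipaddress

HOST, PEER = "203.0.113.5", "198.51.100.7"   # constructed: this box and a remote box
_L = ["block in all",
      "pass out on bge0 from any to any flags S keep state",
      "pass in  on lo0 all",
      "pass out on lo0 all",
      "pass in on bge0 proto tcp from any to any port = 22 keep state"]
PIERRE_WORKS = "\n".join(_L)
PIERRE_FAILS = "\n".join(_L[:1] + _L[2:] + _L[1:2])    # "pass out" moved to the bottom
# ishwar's rules, with his placeholders filled in from the constructed values above
ISHWAR = """
pass in quick on lo0 all
block in quick on eri0 from 127.0.0.0/8 to any
block in quick on eri0 from MYIPADR to any
pass in quick on eri0 proto tcp from MYSUBNET to any port = 20
pass in quick on eri0 proto tcp from MYSUBNET to any port = 21
pass in quick on eri0 proto tcp from any to any port = 22
pass in quick on eri0 proto tcp from MYSUBNET to any port = 23
pass in quick on eri0 proto tcp from any to any port = 25
pass in quick on eri0 proto tcp from any to any port = 80
pass in quick on eri0 proto udp from NAMSVR port = 53 to any
pass in quick on eri0 proto tcp from any to any port = 111
pass in quick on eri0 proto tcp from MYSUBNET port > 1023 to any
pass in quick on eri0 proto udp from MYSUBNET port > 1023 to any
pass in quick on eri0 proto icmp from any to any
block in log quick on eri0 all
""".replace("MYIPADR", HOST).replace("MYSUBNET", "203.0.113.0/24").replace("NAMSVR", "203.0.113.53")
# The usual fix: keep state on the host's own outbound TCP so the replies are admitted
ISHWAR_FIXED = "pass out quick on eri0 proto tcp from any to any flags S keep state\n" + ISHWAR

def parse_rule(line):
    """Parse the ipf.conf subset used in the thread (one rule per line)."""
    t = line.split()
    r = dict(action=t[0], dir=t[1], quick="quick" in t, state="state" in t, text=line,
             iface=None, proto=None, flags=None, src="any", sport=None, dst="any", dport=None)
    for i, tok in enumerate(t):
        if tok in ("on", "proto", "flags"):
            r["iface" if tok == "on" else tok] = t[i + 1]
        elif tok in ("from", "to"):
            key = "src" if tok == "from" else "dst"
            r[key] = t[i + 1]
            if t[i + 2:i + 3] == ["port"]:               # "port OP N" follows the address
                r[key[0] + "port"] = (t[i + 3], int(t[i + 4]))
    return r

def matches(r, p):
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    for spec, ip in ((r["src"], p["src"]), (r["dst"], p["dst"])):
        if spec != "any" and ipaddress.ip_address(ip) not in ipaddress.ip_network(spec):
            return False
    for spec, port in ((r["sport"], p["sport"]), (r["dport"], p["dport"])):
        if spec and not {"=": port == spec[1], ">": port > spec[1]}[spec[0]]:
            return False
    if r["flags"] == "S":   # ipf "flags S" is shorthand for S/SA: SYN set, ACK clear
        return "S" in p["flags"] and "A" not in p["flags"]
    return True

class Firewall:
    def __init__(self, conf):
        self.rules = [parse_rule(l) for l in conf.splitlines() if l.strip()]
        self.state = set()             # 5-tuples admitted by a "keep state" rule

    def check(self, p):
        """Return (verdict, what decided it) for packet p, recording new state."""
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.state or rev in self.state:
            return "pass", "state table"
        last = None
        for r in self.rules:
            if matches(r, p):
                last = r
                if r["quick"]:
                    break
        if last is None:
            return "pass", "default (no rule matched)"
        if last["action"] == "pass" and last["state"]:
            self.state.add(fwd)
        return last["action"], last["text"]

def tcp(direction, iface, src, sport, dst, dport, flags):
    return dict(dir=direction, iface=iface, proto="tcp", src=src, sport=sport,
                dst=dst, dport=dport, flags=set(flags))

def trace(conf, iface):
    """Verdicts for: inbound ssh SYN; our SYN/ACK; outbound telnet SYN; its SYN/ACK; SYN to 80."""
    fw = Firewall(conf)
    return [fw.check(p)[0] for p in (tcp("in", iface, PEER, 40000, HOST, 22, "S"),
                                     tcp("out", iface, HOST, 22, PEER, 40000, "SA"),
                                     tcp("out", iface, HOST, 45000, PEER, 23, "S"),
                                     tcp("in", iface, PEER, 23, HOST, 45000, "SA"),
                                     tcp("in", iface, PEER, 40001, HOST, 80, "S"))]

if __name__ == "__main__":
    for name, conf, ifc in (("works", PIERRE_WORKS, "bge0"), ("fails", PIERRE_FAILS, "bge0"),
                            ("ishwar", ISHWAR, "eri0"), ("fixed", ISHWAR_FIXED, "eri0")):
        print(name, trace(conf, ifc))
```

Running it prints the same five verdicts for both of Pierre's rulesets, a block for the fourth packet (the telnet reply) under ishwar's rules, and all passes once the stateful pass out rule is added. The state table here is a bare set of 5-tuples with no ageing and no TCP window tracking; that is enough to show the ordering and keep state points, but it is nothing like ipf's real state engine, and the `ipfstat -i` / `ipfstat -o` output suggested in the thread remains the way to see what the kernel actually loaded.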
