Re: Please Help - Strange problem with my servers - Locked out

From: Michael J. Pelletier (mjpelletier_at_mjpelletier.com)
Date: 12/10/04


Date: Thu, 09 Dec 2004 21:37:19 -0800

deadefinitelycom wrote:

> I have something strange going on with the two servers I manage, they
> can't talk to each other...
>
> Servers are FreeBSD 4.10 - running
> apache
> zope
> plone
> postgresql
> postfix
> courier
> ipf (KLM) (was kernel then changed back to module)
> snort
> tripwire
> chkrootkit
>
> Some security setting from the FreeBSD web site e.g. blackhole settings
> etc
>
> This is the problem, I have 3 networks, HOME, WORK and COLO
>
> I have a development server on the HOME network behind an ADSL modem
> (which has the firewall and ID turned off, NAT on)
> The other server (production) is directly connected to the Internet
> I have a workstation (FreeBSD) on the WORK network.
>
> The WORK network can talk to both HOME and COLO (ssh, web, mail etc)
> The HOME network can't talk to the COLO server at all, (both the HOME
> server and my WinXP workstation on the same network)
> The COLO network can't talk to the HOME network at all
>
> Doing a traceroute, packets reach the router in front of both servers
> then get dropped...
> Nothing shows up in the firewall logs, I've even reverted to a pass all
> ipf rule set still no go...
>
> I think the problem started when I used nmap to port scan the servers
> to test for holes?
>
> Does snort drop packets? I've shut it down and still no go?
>
> Here is my current ipf rule set on the COLO server; the one on the HOME
> server is nearly identical if needed:
>
> *******************************************
> block in all with frag
> block in proto tcp all with short
> block in all with ipopts
>
> #Allow loopback
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> #Allow local LAN
> pass out quick on xl0 all
>
> #Block Spoofing
> block in quick on xl0 from 192.168.0.0/16 to any
> block in quick on xl0 from 172.16.0.0/12 to any
> block in quick on xl0 from 10.0.0.0/8 to any
> block in quick on xl0 from 127.0.0.0/8 to any
> block in quick on xl0 from 0.0.0.0/8 to any
> block in quick on xl0 from 169.254.0.0/16 to any
> block in quick on xl0 from 192.0.2.0/24 to any
> block in quick on xl0 from 204.152.64.0/23 to any
> block in quick on xl0 from 224.0.0.0/3 to any
> block out quick on xl0 from any to 192.168.0.0/16
> block out quick on xl0 from any to 172.16.0.0/12
> block out quick on xl0 from any to 10.0.0.0/8
> block out quick on xl0 from any to 0.0.0.0/8
> block out quick on xl0 from any to 127.0.0.0/8
> block out quick on xl0 from any to 169.254.0.0/16
> block out quick on xl0 from any to 192.0.2.0/24
> block out quick on xl0 from any to 204.152.64.0/23
> block out quick on xl0 from any to 224.0.0.0/3
>
> #Other
> block in quick on fxp0 proto tcp from any to any port = 139 flags S
> keep state
> block in quick on fxp0 proto tcp from any to any port = 445 flags S
> keep state
>
> #Block ICMP
> pass in quick on xl0 proto icmp from any to any icmp-type 0
> pass in quick on xl0 proto icmp from any to any icmp-type 11
> block in quick on xl0 proto icmp from any to any
>
> #Allow rsync access
> pass in quick on fxp0 proto tcp from x.x.x.0/24 to any port = 873 flags
> S keep state
> block in quick on fxp0 proto tcp from any to any port = 873 flags S
> keep state
>
> #Allow ssh access
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA
> keep state
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S/SA
> keep state
> pass in quick on xl0 proto tcp from x.x.x.x to any port = 22 flags S
> keep state
> pass in quick on xl0 proto tcp from x.x.x.0/24 to any port = 22 flags S
> keep state
> block in log first quick on xl0 proto tcp from any to any port = 22
> flags S keep state
>
> #Allow SMTP access
> block return-rst in on xl0 proto tcp from any to any port = 113 flags S
> keep state
> pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA
> keep state keep frags
>
> #Allow every thing in [debug]
> pass in log first quick on xl0 all
>
> #Logging and block all
> block in log first quick on xl0 all
> *******************************************
>
> Any pointers in the right direction would be great...getting
> frustrated...
>
> Dean Grubb

It definitely sounds like a ruleset problem. I did not go through all of
your rules as it is too late and I am tired. Try an experiment. At the top
of your firewall rules make a rule that accepts all packets from the server
in question (put it at the top of your ruleset). If this fixes your problem
then you know that your rules are messed up.

I run Snort and have never had a problem with packet loss. Snort "listens"
to connections but should not cause loss to the system. Snort might run out
of buffer space and not "see" 100%. I think that could be
possible...anyway, try the experiment and see if that fixes it.

Michael
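Michael's experiment (a pass-all rule for the peer at the very top of the ruleset) can be dry-run before touching the live firewall. The following is an added example, not code from either poster: it walks a constructed excerpt of the posted ipf rules with ipf's own evaluation order (last match wins unless a matching rule says `quick`) and reports which rule decides a given packet, before and after the pass-all rule is prepended. The `x.x.x.x` placeholder, the peer address `198.51.100.5` and the interface names used in the packet are assumptions.

```python
import ipaddress, re
# Constructed excerpt of the posted ipf ruleset; the poster's x.x.x.x placeholder is
# replaced with the documentation address 203.0.113.10 (an assumption, not real data).
RULESET = """\
pass in quick on lo0 all
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from 203.0.113.10 to any port = 22 flags S keep state
block in log first quick on xl0 proto tcp from any to any port = 22 flags S keep state
block in log first quick on xl0 all
"""
# Subset of ipf syntax used above; trailing options (flags, keep state, with) are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: return-rst)? (?P<dir>in|out)(?: log(?: first)?)?"
    r"(?P<quick> quick)?(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?| all)"
)

def parse(text):
    """One dict per rule line; comments and blank lines never match RULE_RE."""
    lines = [l.strip() for l in text.splitlines()]
    return [dict(m.groupdict(), text=l) for l in lines if (m := RULE_RE.match(l))]

def _addr_ok(rule_addr, pkt_addr):
    return rule_addr in (None, "any") or \
        ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and (rule["port"] is None or int(rule["port"]) == pkt.get("dport")))

def decide(rules, pkt):
    """ipf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict, why = "pass", "no rule matched (ipf default)"
    for rule in rules:
        if matches(rule, pkt):
            verdict, why = rule["action"], rule["text"]
            if rule["quick"]:
                break
    return verdict, why

def experiment(ruleset, pkt, peer):
    """Michael's test: prepend a pass-all rule for the peer, return (before, after)."""
    patched = f"pass in quick on {pkt['iface']} from {peer} to any\n" + ruleset
    return decide(parse(ruleset), pkt), decide(parse(patched), pkt)
# Constructed packet: an SSH SYN arriving on xl0 from the HOME server's public address.
HOME_SSH = {"dir": "in", "iface": "xl0", "proto": "tcp",
            "src": "198.51.100.5", "dst": "203.0.113.40", "dport": 22}
```

If the verdict flips from block to pass only because of the prepended rule, the ruleset itself (not snort or the router) is what is dropping the peer; the `why` string names the rule to look at.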


