Gaining insight on IPFilter "block return-icmp" rules
By Eric Kozlowski on Jun 21, 2005
Recently I needed to verify some "block return-rst" functionality in Solaris IPFilter. I learned of a way to easily test this type of rule using two servers. The procedure is as follows:
Two servers, A and B, that are able to connect to each other.
Server A: any type of machine
Server B: running Solaris 10 and has IPFilter enabled for the active network interfaces. Its IPFilter rule file contains a line with "block return-icmp in on <interface name> proto tcp from any to any port = ssh flags S/FSRPAU". <interface name> is the NIC that will be used for traffic to and from server A.
Steps to activate the rule:
1. On server A, connect to the SSH port with "telnet <server B> 22"
2. Server A will eventually time out due to the "block return-icmp" rule that was added.
Interesting live debugging:
1. On server B, run "ipfstat -hi" to verify that the "block return-icmp" rule was activated (its hit count incremented) by the SSH request.
2. Use tcpdump, Ethereal, or snoop to view the traffic exchange:
tcpdump -nXvvvi <interface name> -s 1536 tcp port 22
3. Use truss to trace the system calls (here sendto) made by the running pfild process, which is what emits the return packet: truss -p -t sendto -x sendto -v all -r all -w all -D <process number of pfild>
Examining the tcpdump and truss output should give you a good idea of how return-rst and return-icmp rules work and how your firewall configuration may benefit from them.
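The checks above are done by eye on the tcpdump and ipfstat output. As an added example that is not part of the original post, the Python below automates the two verifications: it reads a tcpdump capture of the exchange and reports whether the firewall answered the SYN to port 22 with an ICMP unreachable (return-icmp), a TCP RST (return-rst), or nothing at all (a plain block, which is what makes the client time out), and it sums the hit counts of matching rules from "ipfstat -hi" output. The sample capture and ipfstat lines are constructed, not taken from a real host; the capture follows the modern tcpdump -n line format rather than the 2005-era one, and the ipfstat layout (hit count followed by the rule text) is an assumption about its -h output.

```python
import re

# Constructed sample tcpdump output (modern "tcpdump -n" format), not a real capture.
# Case 1: server B answers the SYN with ICMP port unreachable (block return-icmp).
SAMPLE_TCPDUMP_ICMP = """\
10:00:01.000100 IP 192.0.2.10.40512 > 192.0.2.20.22: Flags [S], seq 1000, win 65535, length 0
10:00:01.000350 IP 192.0.2.20 > 192.0.2.10: ICMP 192.0.2.20 tcp port 22 unreachable, length 36
"""
# Case 2: server B answers with a TCP RST (block return-rst).
SAMPLE_TCPDUMP_RST = """\
10:00:01.000100 IP 192.0.2.10.40512 > 192.0.2.20.22: Flags [S], seq 1000, win 65535, length 0
10:00:01.000350 IP 192.0.2.20.22 > 192.0.2.10.40512: Flags [R.], seq 0, ack 1001, win 0, length 0
"""
# Case 3: plain block, nothing comes back and the client retransmits its SYN.
SAMPLE_TCPDUMP_DROP = """\
10:00:01.000100 IP 192.0.2.10.40512 > 192.0.2.20.22: Flags [S], seq 1000, win 65535, length 0
10:00:04.000100 IP 192.0.2.10.40512 > 192.0.2.20.22: Flags [S], seq 1000, win 65535, length 0
"""

# Constructed approximation of "ipfstat -hi" output: hit count, then the rule text.
SAMPLE_IPFSTAT = """\
1 block return-icmp in on hme0 proto tcp from any to any port = 22 flags S/FSRPAU
0 pass in quick on hme0 all
"""

SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")
RST_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[R\.?\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ (tcp|udp) port (\d+) unreachable")


def classify_response(capture: str, port: int = 22) -> str:
    """Classify how the firewall answered the first SYN to `port`.

    Returns 'return-icmp', 'return-rst', 'drop' (SYN seen, nothing back)
    or 'no-syn' (no connection attempt in the capture at all).
    """
    syn_seen = False
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == port:
            syn_seen = True      # client -> server B, destination port matches
            continue
        if not syn_seen:
            continue             # ignore traffic before the SYN we care about
        m = RST_RE.search(line)
        if m and int(m.group(2)) == port:
            return "return-rst"  # RST with source port == blocked port
        m = ICMP_RE.search(line)
        if m and int(m.group(4)) == port:
            return "return-icmp"  # ICMP unreachable quoting the blocked port
    return "drop" if syn_seen else "no-syn"


def rule_hits(ipfstat_output: str, needle: str) -> int:
    """Sum the hit counts of all rules whose text contains `needle`."""
    total = 0
    for line in ipfstat_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and needle in parts[1]:
            total += int(parts[0])
    return total


def verify_return_icmp(capture: str, ipfstat_output: str) -> bool:
    """True when both signals agree: the rule was hit and an ICMP reply was sent."""
    return (classify_response(capture) == "return-icmp"
            and rule_hits(ipfstat_output, "return-icmp") > 0)


if __name__ == "__main__":
    for name, cap in (("icmp", SAMPLE_TCPDUMP_ICMP),
                      ("rst", SAMPLE_TCPDUMP_RST),
                      ("drop", SAMPLE_TCPDUMP_DROP)):
        print(f"{name}: {classify_response(cap)}")
    print("return-icmp rule hits:", rule_hits(SAMPLE_IPFSTAT, "return-icmp"))
    print("verified:", verify_return_icmp(SAMPLE_TCPDUMP_ICMP, SAMPLE_IPFSTAT))
```

On a real test, feed it the output of "tcpdump -n -i <interface name> tcp port 22 or icmp" from either server and of "ipfstat -hi" from server B; the three classifications make the practical difference between the rule variants visible, since only the "drop" case leaves the client waiting on its retransmit timer.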