Gaining insight on IPFilter "block return-icmp" rules


Recently I needed to verify some "block return-rst" functionality in Solaris IPFilter. I learned of a way to easily test this type of rule using 2 servers. The procedure is as follows:

Equipment required:

2 servers, A and B, that are able to connect to each other.
Server A: any type of machine
Server B: running Solaris 10 and has IPFilter enabled for the active network interfaces. Its IPFilter rule file contains a line with "block return-icmp in on <interface name> proto tcp from any to any port = ssh flags S/FSRPAU". <interface name> is the NIC that will be used for traffic to and from server A.

Steps to activate the rule:

1. On server A, connect to the SSH port with "telnet <server B> 22"

2. Server A will eventually time out due to the "block return-icmp" rule that was added.

Interesting live debugging:

1. On server B, run "ipfstat -hi" to verify that the "block return-icmp" rule was activated (its hit count incremented) by the SSH request.

2. Use tcpdump, Ethereal, or snoop to view the traffic exchange:

tcpdump -nXvvvi <interface name> -s 1536 tcp port 22

3. Use truss to view the call stack of the running pfild process (the -r and -w options take a file-descriptor list, so "all" is given explicitly):

truss -t sendto -x sendto -v all -r all -w all -D -p <process number of pfild>

Examining the tcpdump and truss output should give you a good idea of how return-rst and return-icmp rules work and how your firewall configuration may benefit from them.
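As an added example (not from the original post), a small Python helper that reads tcpdump -n text output captured on server B's interface and reports which IPFilter action the probe from server A received: an ICMP unreachable (return-icmp), a TCP RST (return-rst), or nothing at all (a plain block, seen as SYN retransmits). The capture lines and the 192.0.2.x addresses below are constructed for the example, not a real trace.

```python
import re

# Constructed sample "tcpdump -n" output (not a real capture) for the
# outcomes a "telnet <server B> 22" probe can produce on server B.
SAMPLE_RETURN_ICMP = """\
12:00:01.000000 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0
12:00:01.000200 IP 192.0.2.20 > 192.0.2.10: ICMP 192.0.2.20 tcp port 22 unreachable, length 44
"""
SAMPLE_RETURN_RST = """\
12:00:01.000000 IP 192.0.2.10.40002 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0
12:00:01.000200 IP 192.0.2.20.22 > 192.0.2.10.40002: Flags [R.], seq 0, ack 101, win 0, length 0
"""
SAMPLE_SILENT_DROP = """\
12:00:01.000000 IP 192.0.2.10.40003 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0
12:00:04.000000 IP 192.0.2.10.40003 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0
12:00:10.000000 IP 192.0.2.10.40003 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0
"""

# Patterns for the three packet kinds that matter here (tcpdump -n layout).
SYN_RE = re.compile(r" IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\],")
RST_RE = re.compile(r" IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[R\.?\],")
ICMP_RE = re.compile(r" IP (\S+) > (\S+): ICMP .* port (\d+) unreachable")


def classify_block_action(capture, server_port=22):
    """Return 'return-icmp', 'return-rst', 'silent-drop', 'accepted'
    or 'no-probe-seen' for a capture of one connection attempt."""
    syns = 0
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == server_port:
            syns += 1            # client SYN towards the filtered port
            continue
        m = RST_RE.search(line)
        if m and int(m.group(2)) == server_port:
            return "return-rst"  # firewall answered with a TCP reset
        m = ICMP_RE.search(line)
        if m and int(m.group(3)) == server_port:
            return "return-icmp"  # firewall answered with ICMP unreachable
        if re.search(r"Flags \[S\.\]", line):
            return "accepted"    # SYN/ACK: the rule did not match
    # Only SYNs (and retransmits) were seen: the packets were dropped quietly.
    return "silent-drop" if syns else "no-probe-seen"
```

Field layout in tcpdump text output varies between versions, so adjust the patterns to the capture you actually have before trusting the verdict.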

About

Oracle Solaris: Security, Networking, and Quality Engineering