[CALUG] Vulnerability Scanner knocks down firewall

Mark Parsons mark.parsons at gmail.com
Mon Dec 12 18:39:03 CST 2005


Hello Everyone,

I am currently having an issue with a pf based openbsd firewall that
fronts several oracle servers, apache, tomcat and jrun
servers. Recently the network vulnerability scanner that is used by the
security office knocked down all resources behind the firewall. All
attempts by their scanner and ours produce the same results.

We have been doing some testing and a simple tcp port scan with nmap
(nmap -sT -p 1-10000 ...) to a host (protected by the firewall) causes
the firewall to not accept new SYN connections but will usually allow
SYN to go outbound (sometimes). However existing connections are
always supported.  Within 1 minute after the scan is finished, all
things recover.  Doing a udp scan does not affect the system.

The servers in question are openbsd 3.6, we have upgraded the test
server to 3.8 and the symptoms are still there.  Below is the pf.conf
for the test server that is fronting a single server that is hosting a
static website under a Suse Linux Enterprise Server 9 system running
apache 2.0.53.


We have tried adding flags S/SA and using modulate state to our pf
entries but still had no luck.

Does anyone have any suggestions? Any and all suggestions are very
much appreciated.

ext_if="bge0"
int_if="bge1"
pri_net="192.168.100.0/24"

network_monitor="xxx.xxx.xxx.xxx"
vuln_scan="{xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx}"


fs1_test_pub="xxx.xxx.xxx.121"
fs1_test_pri="192.168.100.48"

set loginterface $int_if
set block-policy  drop


binat on $ext_if from $fs1_test_pri to any -> $fs1_test_pub

#block in log all
#block out log all
block in all
block out all

pass quick on lo0 all
anchor "authpf/*"
#This allows ssh traffic without needing authpf
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to $fs1_test_pri port 22 keep state

#This allows port 80 traffic to test box natted behind firewall
pass in on $ext_if proto tcp from any to $fs1_test_pri port 80 keep state

# Allow icmp access for Vuln_Scanner
pass in on $ext_if proto {tcp, udp, icmp} from $vuln_scan to $ext_if keep state
pass in on $ext_if proto {tcp, udp, icmp} from $vuln_scan to $pri_net keep state

# These allow for nagios to be able to monitor the servers
pass in on $ext_if proto icmp from $network_monitor to $ext_if keep state
pass in on $ext_if proto icmp from $network_monitor to $pri_net keep state
pass in on $ext_if proto tcp from $network_monitor to $pri_net port 5666 keep state
pass in on $ext_if proto tcp from $network_monitor to $pri_net port 22 keep state

# These allow all outbound traffic to leave the firewall
pass in on $int_if all keep state
pass out on $int_if all keep state
pass out on $ext_if all keep state

Thanks for your help.

Mark
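Added diagnostic, not part of the post above: since the `$vuln_scan` rules keep state for every TCP port and new inbound SYNs fail while existing connections survive, one thing to measure while the scan runs is how full pf's state table gets. The script assumes the `pfctl -si` / `pfctl -sm` output layout shown in the constructed sample; that the state table is what fills up is an assumption to verify on the box, not something the post establishes.

```shell
#!/bin/sh
# state_usage: read the combined output of "pfctl -si" and "pfctl -sm"
# on stdin, print "<current> <limit> <percent>", and return 0 when usage
# is below the warning threshold (default 80%), 1 when at or above it,
# 2 when the input could not be parsed.
state_usage() {
    threshold="${1:-80}"
    awk -v thr="$threshold" '
        /current entries/        { cur = $3 }   # from "pfctl -si"
        /^states[ \t]+hard limit/ { lim = $4 }   # from "pfctl -sm"
        END {
            if (cur == "" || lim == "" || lim == 0) { print "unparsed"; exit 2 }
            pct = int(cur * 100 / lim)
            print cur, lim, pct
            if (pct >= thr) exit 1
            exit 0
        }'
}

# Constructed sample in the shape of "pfctl -si" followed by "pfctl -sm",
# as it might look part-way through a 10000-port TCP scan (numbers invented).
sample_output() {
    cat <<'EOF'
Status: Enabled for 0 days 00:12:41           Debug: Urgent

State Table                          Total             Rate
  current entries                     9812
  searches                          204113          268.2/s
  inserts                            10021           13.2/s
  removals                             209            0.3/s
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
EOF
}

# Live use on the firewall (pfctl needs root); poll it once a second
# while the scan is running, e.g.:
#   while :; do { pfctl -si; pfctl -sm; } | state_usage 80; sleep 1; done
# Stand-alone demonstration against the constructed sample:
sample_output | state_usage 80 || echo "WARNING: state table near its hard limit"
```

If the count sits at the hard limit during the scan, `set limit states N` in pf.conf raises it, and state timeouts (`set timeout`) control how quickly the table drains afterwards.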