Subject: Re: got "/ipf.core"
To: None <netbsd-help@netbsd.org>
From: Henry Nelson <henry@irm.nara.kindai.ac.jp>
List: netbsd-help
Date: 03/23/2000 11:17:43

> > "/ipf.core" was generated on my 1.4.1 system.  Since I eventually hope
> > to build a firewall based on ipfilter, it has me a bit worried about the
> > security level I can expect.
> 
> core dumps can have a lot of origins, including hardware failure.

I have tested the cpu cache, extended memory, hdd and nics as thoroughly
as possible.  There are no symptoms of any problems whatsoever.  The
machine referred to in this post is essentially a stock IBM Aptiva 720,
100MHz-486 cpu, 32MB memory, 1.2GB hdd.

> Maybe you've a problem with your rules ?

Since I'm a complete novice, that is quite possible.  Still, it is a bit
disconcerting that error(s) in rules would cause a core dump.  Is there
some warning issued by ipf that the rules in ipf.conf are incongruous?

Appended to this message is my ipf.conf file in case someone is interested
in scrutinizing the rules.

> However, ipf is only used for initialising the filters rules, all happens in
> kernel after; so an ipf core dump shouldn't leave your system wide open.

If the rules are not read in because of an ipf core dump (I'm not saying
that is the case, because I plain don't know), doesn't that mean that the
kernel's ipfilter module would fall back to the default rules?  Isn't the
default PASS IN/OUT ALL?

henry nelson

PS: To save bandwidth, I'll say thanks to the person who advised me to move
on to 1.4.2.  I will do that before putting the machine in question "on line."

 ********************** ipf.conf **********************
block in quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
pass in on ne0 all
pass out on ne0 all
pass in on lo0 all
pass out on lo0 all
block in on ix0 all
block out on ix0 all
block in quick on ix0 from 10.0.0.0/8 to any
block in quick on ix0 from 192.168.0.0/16 to any
block in quick on ix0 from 172.16.0.0/12 to any
pass out on ix0 proto icmp all keep state
pass out on ix0 proto tcp/udp from any to any keep state
pass in quick on ix0 proto tcp from 164.71.0.0/16 to any port = smtp flags S/SA keep state
pass in quick on ix0 proto tcp from any to any port = ftp-data keep state
pass in quick on ix0 proto tcp from any port = ftp-data to any port > 1023 keep state
block return-rst in log on ix0 proto tcp from any to any flags SA/SA
block return-icmp(net-unr) in log on ix0 proto udp from any to any
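
Added example, not part of the original message or of ipfilter itself: a loader wrapper for the situation raised above, where ipf dies while reading ipf.conf and the kernel is left with whatever default policy it was built with. The function names, the return codes and the assumption that ipf reports rule errors through its exit status are this example's own; `ipf -Fa -f` and `ipfstat -io` are the standard commands.

```shell
#!/bin/sh
# Added example: confirm that IPFilter rules actually reached the kernel.
# IPF / IPFSTAT can be overridden so the check can be exercised with stubs.
IPF=${IPF:-ipf}
IPFSTAT=${IPFSTAT:-ipfstat}

# active_rule_count: number of rules the kernel currently holds.
# Assumes "ipfstat -io" prints one rule per line, starting with its action.
active_rule_count() {
    "$IPFSTAT" -io 2>/dev/null |
        grep -c -E '^(pass|block|log|count|skip|auth|call)[[:space:]]' || true
}

# load_rules FILE
#   0  rules loaded and present in the kernel
#   1  ipf exited non-zero (assumed: a rule it could not load)
#   2  ipf was killed by a signal (the case that leaves ipf.core behind)
#   3  ipf exited 0 but the kernel rule list is empty
load_rules() {
    conf=$1
    status=0
    # -Fa flushes the existing lists first, so a crash after this point
    # leaves only the kernel's built-in default policy in force.
    "$IPF" -Fa -f "$conf" || status=$?
    if [ "$status" -gt 128 ]; then
        echo "ipf killed by signal $((status - 128)); rules NOT loaded" >&2
        return 2
    elif [ "$status" -ne 0 ]; then
        echo "ipf exited with status $status; rules may be incomplete" >&2
        return 1
    fi
    if [ "$(active_rule_count)" -eq 0 ]; then
        echo "kernel rule list is empty after loading $conf" >&2
        return 3
    fi
    return 0
}
```

A boot script can call `load_rules /etc/ipf.conf` and leave the external interface (ix0 in the posted rules) down unless it returns 0.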