Questions on ipf in SCO 5.0.7 - SCO


Thread: Questions on ipf in SCO 5.0.7

  1. Questions on ipf in SCO 5.0.7

    I have not used ipf in the past. I have searched Google for
    how to's and docs and find a confusing reference to
    IP address 20.20.20.1.

    Searching Google for 20.20.20.1 turns up more of the same,
    it's used with no explanation.

    Is this some defined address in the TCP spectrum?

    OR are the authors just using it to represent the local
    interface?
    --

    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  2. Re: Questions on ipf in SCO 5.0.7

    Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 09:32:01PM +0000):
    | I have not used ipf in the past. I have searched Google for
    | how to's and docs and find a confusing reference to
    | IP address 20.20.20.1.
    |
    | Searching Google for 20.20.20.1 turns up more of the same,
    | it's used with no explanation.
    |
    | Is this some defined address in the TCP spectrum?
    |
    | OR are the authors just using it to represent the local
    | interface?

    The latter, it's just a sample number.

    --
    JP
    ==> http://www.frappr.com/cusm <==

  3. Re: Questions on ipf in SCO 5.0.7

    Jean-Pierre Radley wrote:
    >
    > Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 09:32:01PM +0000):
    > | I have not used ipf in the past. I have searched Google for
    > | how to's and docs and find a confusing reference to
    > | IP address 20.20.20.1.
    > |
    > | Searching Google for 20.20.20.1 turns up more of the same,
    > | it's used with no explanation.
    > |
    > | Is this some defined address in the TCP spectrum?
    > |
    > | OR are the authors just using it to represent the local
    > | interface?
    >
    > The latter, it's just a sample number.
    >
    > --
    > JP
    > ==> http://www.frappr.com/cusm <==


    Thanks JP. That was driving me crazy. All searches in Google
    on 20.20.20 turned up A LOT of things people had written using
    that IP in their configuration/application examples but NONE
    indicated that it was being used as an example only of a local
    LAN IP.


    While I have your attention: From the document at:

    http://www.obfuscation.org/ipf/ipf-howto.txt

    > 2.11. Filtering ICMP with the "icmp-type" Keyword; Merging
    > Rulesets
    >
    > Of course, dropping all ICMP isn't really an ideal sit-
    > uation. Why not drop all ICMP? Well, because it's useful
    > to have partially enabled. So maybe you want to keep some
    > types of ICMP traffic and drop other kinds. If you want
    > ping and traceroute to work, you need to let in ICMP types 0
    > and 11. Strictly speaking, this might not be a good idea,
    > but if you need to weigh security against convenience, IPF
    > lets you do it.
    >
    > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    >
    > Remember that ruleset order is important. Since we're doing
    > everything quick we must have our passes before our blocks,
    > so we really want the last three rules in this order:
    >
    > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    > block in log quick on tun0 proto icmp from any to any


    The author's example above is for a Firewall machine with two NIC's and a protected
    local LAN. I was trying to apply the above to a LAN where I use a cable/DSL router
    with NAT with a local LAN IP address of 192.168.111.251 and the SCO 5.0.7 box on
    192.168.111.231. (Just to see if the above is usable). Any modifications
    I tried (obviously changing tun0 to net0) and 20.20.20.0/24 to all permutations of the
    UNIX box's IP address (or just the 192.168.111.0 network) would not return a ping
    from a windows machine at 192.168.111.10 when the third line was present. Commenting
    out the "block in log quick on net0 proto icmp from any to any" allowed ping to
    work as normal.

    Do the three icmp rules above make sense to you? Can you suggest the proper
    modifications to work in the 192.168.111.0 network?

    TIA



    --

    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  4. Re: Questions on ipf in SCO 5.0.7

    Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 11:04:38PM +0000):
    | Jean-Pierre Radley wrote:
    | >
    | > Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 09:32:01PM +0000):
    | > | I have not used ipf in the past. I have searched Google for
    | > | how to's and docs and find a confusing reference to
    | > | IP address 20.20.20.1.
    | > |
    | > | Searching Google for 20.20.20.1 turns up more of the same,
    | > | it's used with no explanation.
    | > |
    | > | Is this some defined address in the TCP spectrum?
    | > |
    | > | OR are the authors just using it to represent the local
    | > | interface?
    | >
    | > The latter, it's just a sample number.
    |
    | Thanks JP. That was driving me crazy. All searches in Google
    | on 20.20.20 turned up A LOT of things people had written using
    | that IP in their configuration/application examples but NONE
    | indicated that it was being used as an example only of a local
    | LAN IP.
    |
    | While I have your attention: From the document at:
    |
    | http://www.obfuscation.org/ipf/ipf-howto.txt

    On page 8 of that document it says:

    When you have an internal network, say 20.20.20.0/24, ...

    I guess you missed it... :-(

    | > 2.11. Filtering ICMP with the "icmp-type" Keyword; Merging
    | > Rulesets
    | >
    | > Of course, dropping all ICMP isn't really an ideal sit-
    | > uation. Why not drop all ICMP? Well, because it's useful
    | > to have partially enabled. So maybe you want to keep some
    | > types of ICMP traffic and drop other kinds. If you want
    | > ping and traceroute to work, you need to let in ICMP types 0
    | > and 11. Strictly speaking, this might not be a good idea,
    | > but if you need to weigh security against convenience, IPF
    | > lets you do it.
    | >
    | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    | >
    | > Remember that ruleset order is important. Since we're doing
    | > everything quick we must have our passes before our blocks,
    | > so we really want the last three rules in this order:
    | >
    | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    | > block in log quick on tun0 proto icmp from any to any

    |
    | The author's example above is for a Firewall machine with two NIC's
    | and a protected local LAN. I was trying to apply the above to a LAN
    | where I use a cable/DSL router with NAT with a local LAN IP address
    | of 192.168.111.251 and the SCO 5.0.7 box on 192.168.111.231. (Just
    | to see if the above is usable). Any modifications I tried (obviously
    | changing tun0 to net0) and 20.20.20.0/24 to all permutations of the
    | UNIX box's IP address (or just the 192.168.111.0 network) would not
    | return a ping from a windows machine at 192.168.111.10 when the third
    | line was present. Commenting out the "block in log quick on net0 proto
    | icmp from any to any" allowed ping to work as normal.
    |
    | Do the three icmp rules above make sense to you? Can you suggest the
    | proper modifications to work in the 192.168.111.0 network?

    I hate to say this, but could we have discovered an error in the HowTo?

    At http://www.rhyshaden.com/icmp.htm, I see:

    Type 0 - Echo Reply - this is the Echo reply from the end station
    which is sent as a result of the Type 8 Echo. The Variable field
    is made up of a 2 octet Identifier and a 2 octet Sequence Number.
    The Identifier matches the Echo with the Echo Reply and the
    sequence number normally increments by one for each Echo sent.
    These two numbers are sent back to the Echo issuer in the Echo
    Reply.

    ...

    Type 8 - Echo Request - this is sent by Ping (Packet Internet
    Groper) to a destination in order to check connectivity. The
    Variable field is made up of a 2 octet Identifier and a 2 octet
    Sequence Number. The Identifier matches the Echo with the Echo
    Reply and the sequence number normally increments by one for each
    Echo sent. These two numbers are sent back to the Echo issuer in
    the Echo Reply.

    So if I change icmp-type 0 to icmp-type 8 in the three lines you cite,
    the effect is to allow incoming pings from my LAN.

    --
    JP
    ==> http://www.frappr.com/cusm <==

  5. Re: Questions on ipf in SCO 5.0.7

    Jean-Pierre Radley wrote:
    >
    > Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 11:04:38PM +0000):
    > | Jean-Pierre Radley wrote:
    > | >
    > | > Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 09:32:01PM +0000):
    > | > | I have not used ipf in the past. I have searched Google for
    > | > | how to's and docs and find a confusing reference to
    > | > | IP address 20.20.20.1.
    > | > |
    > | > | Searching Google for 20.20.20.1 turns up more of the same,
    > | > | it's used with no explanation.
    > | > |
    > | > | Is this some defined address in the TCP spectrum?
    > | > |
    > | > | OR are the authors just using it to represent the local
    > | > | interface?
    > | >
    > | > The latter, it's just a sample number.
    > |
    > | Thanks JP. That was driving me crazy. All searches in Google
    > | on 20.20.20 turned up A LOT of things people had written using
    > | that IP in their configuration/application examples but NONE
    > | indicated that it was being used as an example only of a local
    > | LAN IP.
    > |
    > | While I have your attention: From the document at:
    > |
    > | http://www.obfuscation.org/ipf/ipf-howto.txt
    >
    > On page 8 of that document it says:
    >
    > When you have an internal network, say 20.20.20.0/24, ...
    >
    > I guess you missed it... :-(


    Guilty as charged. When (and if) I read documentation, I skim it
    to locate the items I am interested in. Going back and re-reading
    the ipf-howto.txt I see:

    192.0.2.0/24 has also been reserved for use as an example IP
    netblock for documentation authors. We specifically do not
    use this range as it would cause confusion when we tell you
    to block it, and thus all our examples come from
    20.20.20.0/24.

    Well, again, clear to the author but still confusing. I would change
    it to:

    192.0.2.0/24 has also been reserved for use as an example IP
    netblock for documentation authors. However, we choose not to
    use this range as it may cause confusion when we tell you
    to block it. And therefore, in all the following examples, we specify
    20.20.20.0/24 as our local LAN.

    >
    > | > 2.11. Filtering ICMP with the "icmp-type" Keyword; Merging
    > | > Rulesets
    > | >
    > | > Of course, dropping all ICMP isn't really an ideal sit-
    > | > uation. Why not drop all ICMP? Well, because it's useful
    > | > to have partially enabled. So maybe you want to keep some
    > | > types of ICMP traffic and drop other kinds. If you want
    > | > ping and traceroute to work, you need to let in ICMP types 0
    > | > and 11. Strictly speaking, this might not be a good idea,
    > | > but if you need to weigh security against convenience, IPF
    > | > lets you do it.
    > | >
    > | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    > | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    > | >
    > | > Remember that ruleset order is important. Since we're doing
    > | > everything quick we must have our passes before our blocks,
    > | > so we really want the last three rules in this order:
    > | >
    > | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
    > | > pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
    > | > block in log quick on tun0 proto icmp from any to any
    >
    > |
    > | The author's example above is for a Firewall machine with two NIC's
    > | and a protected local LAN. I was trying to apply the above to a LAN
    > | where I use a cable/DSL router with NAT with a local LAN IP address
    > | of 192.168.111.251 and the SCO 5.0.7 box on 192.168.111.231. (Just
    > | to see if the above is usable). Any modifications I tried (obviously
    > | changing tun0 to net0) and 20.20.20.0/24 to all permutations of the
    > | UNIX box's IP address (or just the 192.168.111.0 network) would not
    > | return a ping from a windows machine at 192.168.111.10 when the third
    > | line was present. Commenting out the "block in log quick on net0 proto
    > | icmp from any to any" allowed ping to work as normal.
    > |
    > | Do the three icmp rules above make sense to you? Can you suggest the
    > | proper modifications to work in the 192.168.111.0 network?
    >
    > I hate to say this, but could we have discovered an error in the HowTo?
    >
    > At http://www.rhyshaden.com/icmp.htm, I see:
    >
    > Type 0 - Echo Reply - this is the Echo reply from the end station
    > which is sent as a result of the Type 8 Echo. The Variable field
    > is made up of a 2 octet Identifier and a 2 octet Sequence Number.
    > The Identifier matches the Echo with the Echo Reply and the
    > sequence number normally increments by one for each Echo sent.
    > These two numbers are sent back to the Echo issuer in the Echo
    > Reply.
    >
    > ...
    >
    > Type 8 - Echo Request - this is sent by Ping (Packet Internet
    > Groper) to a destination in order to check connectivity. The
    > Variable field is made up of a 2 octet Identifier and a 2 octet
    > Sequence Number. The Identifier matches the Echo with the Echo
    > Reply and the sequence number normally increments by one for each
    > Echo sent. These two numbers are sent back to the Echo issuer in
    > the Echo Reply.
    >
    > So if I change icmp-type 0 to icmp-type 8 in the three lines you cite,
    > the effect is to allow incoming pings from my LAN.


    Yep, setting the following in my ipf.conf allows me to ping from my desktop
    windows machine to the UNIX box at 192.168.111.231:

    # Limit ICMP to only type 8 (Echo Request) and type 11 (Time Exceeded)
    #
    pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 8
    #pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 11
    block in log quick on net0 proto icmp from any to any

    Funny, tracert from the windows box to the UNIX box succeeds when only
    icmp-type 8 is enabled and fails when only icmp-type 11 is enabled. When both
    8 and 11 are enabled tracert succeeds but the setting of 11 is superfluous as
    trace route appears to only need icmp-type 8 to work on the local LAN. And using
    trace route across the internet to the public IP address of the cable/dsl router
    is successful only if the router has "respond to ICMP" enabled.

    Thanks again JP for all your help.

    --

    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670
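
The rule evaluation discussed in this thread, as an added example that is not part of any post or of the IPF HowTo: a small Python model of ipf's matching for the rule shapes quoted above, applied to inbound ICMP types 0, 8 and 11 arriving at the SCO box. The regular-expression grammar, the function names and the default-pass verdict for unmatched packets are assumptions of this sketch; the two rulesets use the thread's net0 and 192.168.111.0/24 values.

```python
import ipaddress
import re

# Grammar subset: only the rule shapes quoted in this thread (assumption).
RULE = re.compile(
    r"^(pass|block) in (log )?(quick )?on (\S+) proto icmp "
    r"from any to (\S+)(?: icmp-type (\d+))?$")

# Constructed rulesets: the HowTo's three rules moved to net0 and the
# thread's LAN, and the ipf.conf fragment posted above.
HOWTO_STYLE = """
pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 0
pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 11
block in log quick on net0 proto icmp from any to any
"""
THREAD_FIX = """
pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 8
#pass in quick on net0 proto icmp from any to 192.168.111.0/24 icmp-type 11
block in log quick on net0 proto icmp from any to any
"""

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unsupported rule: " + line)
        action, _log, quick, ifname, dst, itype = m.groups()
        net = None if dst == "any" else ipaddress.ip_network(dst)
        rules.append((action, bool(quick), ifname, net,
                      None if itype is None else int(itype)))
    return rules

def decide(rules, ifname, dst, icmp_type, default="pass"):
    """Last matching rule wins, unless a matching rule is 'quick'."""
    verdict = default                  # assumed default for unmatched packets
    addr = ipaddress.ip_address(dst)
    for action, quick, rule_if, net, rule_type in rules:
        if rule_if != ifname or (net is not None and addr not in net):
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        verdict = action
        if quick:
            break
    return verdict

def inbound_verdicts(ruleset, dst="192.168.111.231"):
    """Verdict per ICMP type for packets arriving on net0 for the SCO box."""
    rules = parse(ruleset)
    return {t: decide(rules, "net0", dst, t) for t in (0, 8, 11)}

if __name__ == "__main__":
    for name, rs in (("HowTo-style", HOWTO_STYLE), ("thread fix", THREAD_FIX)):
        print(name, inbound_verdicts(rs))
```

In this model the HowTo-style rules admit only types 0 and 11, the replies to ping and traceroute that the host itself originated, so an echo request arriving from the LAN falls through to the block rule. The type 8 ruleset reverses that: the box can be pinged, but with no stateful rule, echo replies to pings sent from the box are dropped on the way in.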

  6. Re: Questions on ipf in SCO 5.0.7

    In article <450CCA1F.E94484E7@att.net>,
    Steve M. Fabac, Jr. wrote:
    >Jean-Pierre Radley wrote:
    >>
    >> Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 11:04:38PM +0000):
    >> | Jean-Pierre Radley wrote:
    >> | >
    >> | > Steve M. Fabac, Jr. typed (on Fri, Sep 15, 2006 at 09:32:01PM +0000):
    >> | > | I have not used ipf in the past. I have searched Google for
    >> | > | how to's and docs and find a confusing reference to
    >> | > | IP address 20.20.20.1.
    >> | > |
    >> | > | Searching Google for 20.20.20.1 turns up more of the same,
    >> | > | it's used with no explanation.
    >> | > |
    >> | > | Is this some defined address in the TCP spectrum?
    >> | > |
    >> | > | OR are the authors just using it to represent the local
    >> | > | interface?
    >> | >
    >> | > The latter, it's just a sample number.
    >> |
    >> | Thanks JP. That was driving me crazy. All searches in Google
    >> | on 20.20.20 turned up A LOT of things people had written using
    >> | that IP in their configuration/application examples but NONE
    >> | indicated that it was being used as an example only of a local
    >> | LAN IP.
    >> |
    >> | While I have your attention: From the document at:
    >> |
    >> | http://www.obfuscation.org/ipf/ipf-howto.txt
    >>
    >> On page 8 of that document it says:
    >>
    >> When you have an internal network, say 20.20.20.0/24, ...
    >>
    >> I guess you missed it... :-(

    >
    >Guilty as charged. When (and if) I read documentation, I skim it
    >to locate the items I am interested in. Going back and re-reading
    >the ipf-howto.txt I see:
    >
    >192.0.2.0/24 has also been reserved for use as an example IP
    >netblock for documentation authors. We specifically do not
    >use this range as it would cause confusion when we tell you
    >to block it, and thus all our examples come from
    >20.20.20.0/24.


    >Well, again, clear to the author but still confusing. I would change
    >it to:


    >192.0.2.0/24 has also been reserved for use as an example IP
    >netblock for documentation authors. However, we choose not to
    >use this range as it may cause confusion when we tell you
    >to block it. And therefore, in all the following examples, we specify
    >20.20.20.0/24 as our local LAN.


    The 192.0.0.0 thru 192.0.2.255 is shown as reserved so it's
    freely usable, as are the typical 192.168.0.0, as are others,
    but the 20.20.20.0 block is shown as belonging to CSC - Computer
    Sciences Corporation who is shown as owner of the complete
    20.0.0.0/8 block assignment. I can see why using legitimate IP
    numbers could lead to confusion.


    --
    Bill Vermillion - bv @ wjv . com

  7. Re: Questions on ipf in SCO 5.0.7

    Bill Vermillion typed (on Sun, Sep 17, 2006 at 04:35:01PM +0000):
    | ... the 20.20.20.0 block is shown as belonging to CSC - Computer
    | Sciences Corporation who is shown as owner of the complete
    | 20.0.0.0/8 block assignment.

    What's a URL where one can find the name associated with an IP address
    range?


    --
    JP
    ==> http://www.frappr.com/cusm <==

  8. Re: Questions on ipf in SCO 5.0.7



    On Sun, 17 Sep 2006, Jean-Pierre Radley wrote:

    > Bill Vermillion typed (on Sun, Sep 17, 2006 at 04:35:01PM +0000):
    > | ... the 20.20.20.0 block is shown as belonging to CSC - Computer
    > | Sciences Corporation who is shown as owner of the complete
    > | 20.0.0.0/8 block assignment.
    >
    > What's a URL where one can find the name associated with an IP address
    > range?


    URL? We don't need any st*nk*ng URLs:

    $ whois 20.20.20.0

    OrgName: Computer Sciences Corporation
    OrgID: CSC-68
    Address: 3170 Fairview Park Drive
    City: Falls Church
    StateProv: VA
    PostalCode: 22042
    Country: US

    NetRange: 20.0.0.0 - 20.255.255.255
    CIDR: 20.0.0.0/8
    NetName: CSC
    NetHandle: NET-20-0-0-0-1
    Parent:
    NetType: Direct Assignment
    NameServer: NS1.CSC.COM
    NameServer: NS2.CSC.COM
    Comment:
    RegDate: 1989-09-04
    Updated: 2006-04-20

    OrgAbuseHandle: ABUSE1164-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-641-3588
    OrgAbuseEmail: abuse@csc.com

    OrgTechHandle: IPADM299-ARIN
    OrgTechName: IPADMIN
    OrgTechPhone: +1-703-641-3588
    OrgTechEmail: ipadmin@csc.com

    # ARIN WHOIS database, last updated 2006-09-16 19:10

