Ok, that is fair enough.

I did manage to get it up and running without locking myself out though *yay*

I am having 2 issues mainly.

FTP doesn't work at all (PASV or not), and I am getting a lot of false drops on packets which *should* be allowed...

Quick dump from the log file:
May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN


/etc/ipf.rules:
# lo0 - Loopback
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#################################################################
# Outside Interfaces
#################################################################
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all


#################################################################
# Block and log all remaining traffic coming into the firewall
# - Block  TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining  traffic the good 'ol fashioned way
#################################################################
# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 219.0.0.0/8 to any
block in quick on rl0 from 220.0.0.0/6 to any
block in quick on rl0 from 224.0.0.0/3 to any

# rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
pass in quick on rl0 proto icmp all icmp-type 0
pass in quick on rl0 proto icmp all icmp-type 3
pass in quick on rl0 proto icmp all icmp-type 11

# rl0 - x.x.x.122 FTP, FTP-DATA
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state


# rl0 - x.x.x.122 SSH
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags


# rl0 - x.x.x.122 SMTP
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags


# rl0 - x.x.x.122 DNS
pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags


# rl0 - x.x.x.122 HTTP, HTTPS
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags


# rl0 - x.x.x.122 POP3
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags


# rl0 - x.x.x.122 NTP
pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags


# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags


# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags


# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags


# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags


# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)

--
Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
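An added triage script for the ipmon lines in the post above; it is not part of the thread and not FreeBSD's code. It groups ipmon block records by flow, decodes the TCP flags field (-S, -AF, ...) and measures the gaps between repeats of the same packet, so that a flow whose gaps keep roughly doubling (TCP retransmission back-off, as in the 2 s, 5 s, 10 s, 20 s spacing of the log excerpt) stands out from genuine policy denials. The sample log is constructed in the same layout as the excerpt, with RFC 5737 documentation addresses in place of the x.x.x/y.y placeholders; the parser accepts the placeholder form too.

```python
"""Triage ipmon(8) block records: group them by flow, decode the TCP flags
and mark flows whose inter-arrival times look like TCP retransmission
back-off, i.e. a peer re-sending a packet the firewall keeps dropping."""
import re
from collections import defaultdict

# Constructed sample in the layout of the log excerpt; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation addresses.
SAMPLE_LOG = """\
May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b 203.0.113.7,1201 -> 198.51.100.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b 203.0.113.7,1201 -> 198.51.100.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b 203.0.113.7,1201 -> 198.51.100.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b 203.0.113.7,1201 -> 198.51.100.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b 203.0.113.7,1201 -> 198.51.100.123,3128 PR tcp len 20 40 -AF IN
May 2 12:12:01 pyro ipmon[8689]: 12:12:00.104211 rl0 @0:62 b 192.0.2.9,44120 -> 198.51.100.122,23 PR tcp len 20 60 -S IN
May 2 12:12:02 pyro ipmon[8689]: 12:12:01.500000 rl0 @0:62 b 192.0.2.9,53 -> 198.51.100.122,53 PR udp len 20 64 IN
"""

# syslog prefix, then the ipmon record: hi-res time, interface, @group:rule,
# action letter (b=block, p=pass, n=no match), src,port -> dst,port, protocol,
# header and total length, optional TCP flags such as -S or -AF, direction.
IPMON_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<length>\d+)"
    r"(?P<extra>.*?) (?P<direction>IN|OUT)\b"
)
FLAGS_RE = re.compile(r"-([FSRPAU]+)")


def ts_seconds(ts):
    """'12:11:02.335403' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_ipmon_line(line):
    """Return a dict for one ipmon record, or None for lines we do not understand."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seconds"] = ts_seconds(rec["ts"])
    fl = FLAGS_RE.search(rec.pop("extra"))
    rec["flags"] = set(fl.group(1)) if fl else None
    return rec


def classify_tcp(flags):
    """What a blocked TCP packet with these flags usually means under a stateful rule set."""
    if flags is None:
        return "not tcp"
    if "S" in flags and "A" not in flags:
        return "SYN: a new connection attempt, i.e. a genuine policy decision"
    if "S" in flags:
        return "SYN/ACK: reply to a SYN this firewall holds no state for"
    if "R" in flags:
        return "RST: reset arriving outside any tracked session"
    if "F" in flags:
        return "FIN/ACK: teardown packet arriving after the state entry was removed"
    return "ACK/data: mid-stream packet without a state entry"


def looks_like_backoff(gaps, factor=1.5):
    """True when every gap is at least `factor` times the previous one (RTO doubling)."""
    return len(gaps) >= 2 and all(b >= factor * a for a, b in zip(gaps, gaps[1:]))


def triage(log_text):
    """Group ipmon records by 5-tuple and summarise each flow."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec:
            flows[(rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    summary = []
    for key, recs in flows.items():
        times = [r["seconds"] for r in recs]
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        flags = recs[0]["flags"]
        summary.append({
            "flow": key,
            "rule": "@%s:%s" % (recs[0]["group"], recs[0]["rule"]),
            "action": recs[0]["action"],
            "count": len(recs),
            "flags": "".join(sorted(flags)) if flags else "",
            "meaning": classify_tcp(flags) if key[0] == "tcp" else "not tcp",
            "gaps": gaps,
            "retransmit_backoff": looks_like_backoff(gaps),
        })
    return summary


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s x%d flags=%s rule=%s backoff=%s\n  %s gaps=%s" % (
            f["flow"], f["count"], f["flags"], f["rule"], f["retransmit_backoff"],
            f["meaning"], f["gaps"]))
```

Run against the real /var/log/ipmon output instead of SAMPLE_LOG and look first at flows with `retransmit_backoff` True and a FIN or ACK in `flags`: those are sessions the firewall has already forgotten (the peer keeps resending because nothing answers), not rules that need opening. A flow whose flags are a bare SYN is the only kind where the ruleset itself is saying no.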

----- Original Message ----- From: <[EMAIL PROTECTED]>
To: "Chris Knipe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule



When asking for help with firewall rules you have to post the complete content of the firewall rule set file, because some previous rule may be dropping all packets. If this is your complete rule set then you are missing the mandatory lo0 interface rule to pass quick all. rl0 must be the NIC connected to the public internet. x.x.x.120/29 is the IP address range of PCs on the private LAN behind the firewall. This is not much of a firewall with everything being allowed out. You could replace all of these meaningless statements with   pass quick all from any to any

You really need to read the firewall section of the official handbook. It has working examples of the ipf.rules rule set along with a detailed explanation of how to build firewall rules.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris Knipe
Sent: Sunday, May 01, 2005 6:56 PM
To: [EMAIL PROTECTED]
Subject: ipf out rule


Hi,

Can anyone take a minute to just explain to me why ipf is blocking
this...

ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:
opening rule file "ipf.new"
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--------------
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210

Thanks.


-- Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"




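An added helper for the ipftest exchange quoted above; it is not from the thread and not part of IPFilter. It scripts one complete TCP session the way the firewall sees it on rl0 (inbound SYN, outbound SYN/ACK, data, FIN/ACK in both directions, then a late FIN/ACK retransmission) and feeds it to ipftest in one run, so the rule set is exercised with state carried from packet to packet rather than with isolated packets. Two assumptions to check against ipftest(1) on your version: the plain-text input form `in|out on <if> tcp <src>,<sport> <dst>,<dport>` accepts the TCP flag letters FSRPAU as a trailing field, and verdict lines begin with pass, block or nomatch as in the output quoted above. The tiny rule set and the addresses are constructed for the example; the sample ipftest output is a copy of the quoted one.

```python
"""Script a TCP session for ipftest(1) and collect its verdicts.

Assumed ipftest text input (see ipftest(1) and verify the trailing flags):
    in|out on <ifname> tcp <src>,<sport> <dst>,<dport> [FSRPAU]
Feeding an explicit S on the SYN matters: 'flags S keep state' rules only
match a packet whose SYN bit is set and ACK is clear."""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed, minimal rule set in the style of the thread: the reply SYN/ACK
# has no pass-out rule of its own and must be let out by the state entry.
RULES = """\
pass in  quick on rl0 proto tcp from any to 198.51.100.122 port = 22 flags S keep state
block out log quick on rl0 all
block in  log quick on rl0 all
"""

# Verbatim shape of the ipftest output quoted in the thread (addresses as posted).
SAMPLE_IPFTEST_OUTPUT = """\
opening rule file "ipf.new"
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--------------
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
"""

VERDICT_RE = re.compile(r"^(pass|block|nomatch)\b")


def tcp_session(ifname, client, cport, server, sport):
    """One full session as the firewall sees it, in ipftest text form."""
    c2s = "in on %s tcp %s,%d %s,%d" % (ifname, client, cport, server, sport)
    s2c = "out on %s tcp %s,%d %s,%d" % (ifname, server, sport, client, cport)
    return [
        c2s + " S",    # client SYN: the packet 'flags S keep state' is written for
        s2c + " SA",   # server SYN/ACK: no pass-out rule, must ride on the state entry
        c2s + " A",    # handshake completes
        c2s + " AP",   # client data
        s2c + " AP",   # server data
        c2s + " AF",   # client closes
        s2c + " AF",   # server closes; ipf tears the state down after this exchange
        c2s + " A",    # final ACK
        c2s + " AF",   # late FIN/ACK retransmission: the -AF packets the ipmon log shows blocked
    ]


def parse_verdicts(output):
    """Keep only the verdict lines ('pass ip ...', 'block ip ...', 'nomatch ...')."""
    return [m.group(1) for m in map(VERDICT_RE.match, output.splitlines()) if m]


def run_ipftest(rules_text, packets):
    """Run ipftest -r <rules> -i <packets>; None when ipftest is not installed."""
    exe = shutil.which("ipftest")
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        rules = os.path.join(d, "ipf.rules")
        pkts = os.path.join(d, "packets.txt")
        with open(rules, "w") as f:
            f.write(rules_text)
        with open(pkts, "w") as f:
            f.write("\n".join(packets) + "\n")
        res = subprocess.run([exe, "-r", rules, "-i", pkts], capture_output=True, text=True)
        return parse_verdicts(res.stdout)


if __name__ == "__main__":
    session = tcp_session("rl0", "203.0.113.7", 2210, "198.51.100.122", 22)
    verdicts = run_ipftest(RULES, session)
    if verdicts is None:
        print("ipftest not found; packet script would be:")
        print("\n".join(session))
    else:
        for pkt, v in zip(session, verdicts):
            print("%-7s %s" % (v, pkt))
```

Read the result packet by packet: the SYN/ACK should come back as pass although the only out rule is a block, and the last FIN/ACK should come back as block once the state entry is gone; if the SYN/ACK is blocked, check that the SYN line carried the S flag and that the pass rule really has keep state.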
