Hello,
> Now reading this - maybe you left out the default action at the top of
> the ruleset? - I only see pass rules and unless you compiled your kernel
> with default block, then default is pass, leaving your host with no
> effective firewall at all.
>
> Should suffice just to flush the rules, unless you compile your kernel
> with default block. Whatever default is, it is always a good idea for
> clarity to include a catch all rule.
>
> Also, make sure to add "log" and start ipmon, when something falls
> through or is blocked for other reasons, you have a log entry stating
> which rule blocked so you can debug your ruleset. - I see I left it out
> in the default rules I suggested, these rules should go at top of the file:
>
> block out log all
> block in log all
>
> Whatever falls through your ruleset will be logged so you can analyse it.
>
> When you flush your rulesets, the state table is not flushed, so you
> shouldn't lose your connection. Also, I recommend you reading rules
> into the inactive ruletable first. Then swap. This way you make sure
> your rules do not contain typos and you don't leave your firewall/host
> vulnerable.
>
> # ipf -IFa && ipf -I -f <rulefile> && ipf -s && sleep 60 && ipf -s
>
> lets you test the new ruleset 60 seconds, should you lose connection.
> If things work then
>
> # ipf -Ifa && ipf -I -f <rulefile> && ipf -s && ipf -IFa

I've resolved the problem with individual pass out rules for tcp, udp and
icmp protocols. I don't know why "pass out all" was not okay, but it
wasn't. Thus my ruleset starts with these lines:

pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags

Anyway, thanks for your ideas, which were very useful for me. I'm now
using the catch-all rules as you suggested. You also mentioned there can
be some problems with the ftp server. Could you tell me please what you
meant?

Ftp hasn't been running yet, so I can't test it, but there will also be
an ftp soon.

Thanks,

Gábor Kövesdán
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
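The load-into-inactive, swap, wait, swap-back procedure from the quoted reply, wrapped in shell functions as an added example (not code from the thread or from the ipfilter project). It assumes FreeBSD ipfilter with the ipf(8) flags used above, adds a pre-check that the file starts with the recommended catch-all block rules, and the sample ruleset it writes is constructed from the rules shown in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes FreeBSD ipfilter and the
# ipf(8) flags used in the quoted reply: -I (operate on the inactive set),
# -Fa (flush all rules), -f FILE (load rules), -s (swap active/inactive).

# Return 0 if the first two real rules in the file are the logging catch-all
# rules the reply recommends at the top of the ruleset, 1 otherwise.
# Comments and blank lines are ignored; surrounding whitespace is trimmed.
has_catchall() {
    first=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
            | grep -v '^#' | grep -v '^$' | head -n 2 | tr '\n' '|')
    case "$first" in
        "block out log all|block in log all|"|"block in log all|block out log all|")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Write a constructed sample ruleset modelled on the thread: the catch-all
# block rules first, then the poster's per-protocol pass out rules.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample ruleset
block out log all
block in log all
pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags
EOF
}

# Trial-load a ruleset: refuse files without the catch-all rules, load into
# the inactive set, swap it in, wait $2 seconds, then swap the old set back.
# If the new rules lock you out, the old set returns by itself.
trial_ruleset() {
    has_catchall "$1" || { echo "refusing $1: no catch-all block rules at top" >&2; return 1; }
    ipf -IFa && ipf -I -f "$1" && ipf -s && sleep "$2" && ipf -s
}

# After a successful trial: load again, swap, and flush the old (now inactive) set.
commit_ruleset() {
    has_catchall "$1" || return 1
    ipf -IFa && ipf -I -f "$1" && ipf -s && ipf -IFa
}

# Usage: write_sample_ruleset /tmp/ipf.rules; trial_ruleset /tmp/ipf.rules 60
```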