Hi,

For technical (and especially customer) reasons, I set up a
firewalling solution based on FreeBSD 4.10 and ipf.

The box is an Intel P4 2.66 GHz with 2 fxp cards.
The version of ipfilter is:
IP Filter: v3.4.31 initialized.  Default = pass all, Logging = enabled

The IP of the DMZ iface is: fxp0 a.b.c.1 255.255.255.0

The IP of the public iface is: fxp1 e.f.g.12 255.255.255.0

The firewall is a router (but not a NAT router). The router is
functional; everything works without ipf.

The problem is: when I launch ipf, the firewall works from "outside",
packets that must be filtered are filtered, etc., but from the DMZ I
can't access the internet (web, mail, etc.).
For example, when a server from the DMZ is trying to send a mail, packets
go out, but don't come back.
Here is what ipmon gives when the firewall is up:
10/08/2004 10:56:06.719950 fxp1 @0:428 b 24.249.80.53,25 -> e.f.g.2,1182 PR tcp len 20 134 -AP IN

I thought it would be solved by using the keyword "keep state", but it's not ...

Can you help me, please?

Here is my ipf.rules file:

pass out on fxp1 proto tcp from any to any keep state
pass out on fxp1 proto udp from any to any keep state
pass out on fxp1 proto icmp from any to any keep state

pass in quick on fxp1 proto udp from any to e.f.g.2 port = 53
pass in quick on fxp1 proto tcp from any to e.f.g.2 port = 53
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 5802
pass in quick on fxp1 proto tcp from e.f.g.2/24 to e.f.g.2 port = 5902
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 3306
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 80
pass in quick on fxp1 proto icmp from any to e.f.g.2

pass in quick on fxp1 from any to e.f.g.3
pass in quick on fxp1 from any to e.f.g.4
pass in quick on fxp1 from any to e.f.g.5
pass in quick on fxp1 from any to e.f.g.6

block in log on fxp1 from any to any


Thanx,

--
fz
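As an added illustration (not part of the original post), a small Python helper that parses ipmon tcp/udp records in the format quoted above and flags blocked inbound segments that look like the return half of a connection the firewall itself let out, which is what the quoted line shows. The sample lines are constructed; the first is the posted line reassembled onto one line, with its anonymized addresses kept as-is.

```python
import re

# ipmon(8) tcp/udp record, one per line, e.g. (from the post, reassembled):
# 10/08/2004 10:56:06.719950 fxp1 @0:428 b 24.249.80.53,25 -> e.f.g.2,1182 PR tcp len 20 134 -AP IN
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>tcp|udp) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]*))? (?P<dir>IN|OUT)$"
)

def parse_ipmon(line):
    """Return the fields of one ipmon tcp/udp record as a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    rec["flags"] = (rec["flags"] or "-").lstrip("-")   # "-AP" -> "AP"; udp has none
    return rec

def looks_like_blocked_reply(rec):
    """Heuristic: a blocked inbound tcp segment with ACK set (and no SYN), from a
    well-known server port to an ephemeral port, is the reply to a connection that
    went out through the firewall; a matching state entry would have passed it before
    the block rule was ever consulted."""
    return (rec["action"] == "b" and rec["dir"] == "IN" and rec["proto"] == "tcp"
            and "A" in rec["flags"] and "S" not in rec["flags"]
            and rec["sport"] < 1024 and rec["dport"] >= 1024)

def blocked_replies(lines):
    """Parse all lines and keep the records that look like dropped replies."""
    return [r for r in map(parse_ipmon, lines) if r and looks_like_blocked_reply(r)]

# Constructed sample: first line is the one from the post; the other two are made up.
SAMPLE = [
    "10/08/2004 10:56:06.719950 fxp1 @0:428 b 24.249.80.53,25 -> e.f.g.2,1182 PR tcp len 20 134 -AP IN",
    "10/08/2004 10:56:07.000001 fxp1 @0:428 b 198.51.100.9,4444 -> e.f.g.2,22 PR tcp len 20 60 -S IN",
    "10/08/2004 10:56:08.000002 fxp1 @0:5 p 203.0.113.7,53 -> e.f.g.2,1025 PR udp len 20 90 IN",
]

if __name__ == "__main__":
    for r in blocked_replies(SAMPLE):
        print(f"{r['time']} {r['iface']} rule @{r['group']}:{r['rule']} dropped reply "
              f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} flags={r['flags']}")
```

Lines flagged by this helper are the ones to compare against the state table (ipfstat -s) while the failing connection is in progress: if no entry exists for the outbound half, the pass out rule with keep state is not being hit.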
