#State your problem very clearly.

I am trying to get my ipfilter-based firewall to allow ident access on a pc on
my private network. I can telnet to port 113 from a remote host, but ident
cannot reply back even though my incoming rule has keep state defined. I've
read docs, man pages, mailing list archives, and googled for a week. I've
tried everything I've seen. I'm not a network guru by any means.

#Give all error messages.

I don't really have any error messages, other than the fact that when I login
to any irc server my ident does not work. I was previously using an exclusive
ipfw-based firewall. I recently switched to ipfilter and am trying to get an
inclusive ruleset worked up. I have most everything working at this point,
except ident.
#Give all information
#Include as much information as possible. Start with:

# uname -a
> uname -a
> FreeBSD gateway.localdomain 6.0-STABLE FreeBSD 6.0-STABLE #4: Fri Dec 2
> 18:50:10 CST 2005 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/MYKERNEL i386
In addition, here is my MYKERNEL config:

> cat MYKERNEL
> machine         i386
> cpu             I586_CPU
> ident           MYKERNEL
>
> options         SCHED_4BSD              # 4BSD scheduler
> options         PREEMPTION              # Enable kernel thread preemption
> options         INET                    # InterNETworking
> options         FFS                     # Berkeley Fast Filesystem
> options         SOFTUPDATES             # Enable FFS soft updates support
> options         PROCFS                  # Process filesystem (requires PSEUDOFS)
> options         PSEUDOFS                # Pseudo-filesystem framework
> options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
> options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
> options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
> options         KTRACE                  # ktrace(1) support
> options         SYSVSHM                 # SYSV-style shared memory
> options         SYSVMSG                 # SYSV-style message queues
> options         SYSVSEM                 # SYSV-style semaphores
> options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
> options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
> options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
>                                         # output.  Adds ~128k to driver.
> options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
>                                         # output.  Adds ~215k to driver.
> options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
>
> device          apic                    # I/O APIC
> device          eisa
> device          pci
> device          fdc
> device          ata
> device          atadisk                 # ATA disk drives
> options         ATA_STATIC_ID           # Static device numbering
> device          atkbdc                  # AT keyboard controller
> device          atkbd                   # AT keyboard
> device          psm                     # PS/2 mouse
> device          vga                     # VGA video card driver
> device          splash                  # Splash screen and screen saver support
> device          sc
> device          sio                     # 8250, 16[45]50 based serial ports
> device          miibus                  # MII bus support
> device          dc                      # DEC/Intel 21143 and various workalikes
> device          tl                      # Texas Instruments ThunderLAN
> device          loop                    # Network loopback
> device          random                  # Entropy device
> device          ether                   # Ethernet support
> device          pty                     # Pseudo-ttys (telnet etc)
> device          bpf                     # Berkeley packet filter
>
> options         IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=5
> #options        IPFIREWALL_DEFAULT_TO_ACCEPT
> options         IPDIVERT
> options         DUMMYNET
> options         HZ=1000
>
> options         IPFILTER
> options         IPFILTER_LOG
> options         IPFILTER_DEFAULT_BLOCK
# isainfo -vk
> isainfo -vk
> -su: isainfo: command not found
# ifconfig -a
> ifconfig -a
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet 24.183.200.193 netmask 0xfffffc00 broadcast 255.255.255.255
>         ether 00:a0:cc:29:2c:8e
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> tl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
>         ether 00:80:5f:83:36:ff
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
# netstat -rn
> netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            24.183.200.1       UGS         0   150194    dc0
> 10                 link#2             UC          0        0    tl0
> 10.0.0.2           00:a0:cc:27:82:fc  UHLW        1     9059    tl0
> 10.0.0.3           00:e0:81:30:ae:45  UHLW        1    12959    tl0
> 10.0.0.4           00:50:fc:9c:bb:47  UHLW        1        2    tl0
> 24.183.200/22      link#1             UC          0        0    dc0
> 24.183.200.1       00:05:00:e3:dc:7a  UHLW        2        0    dc0
> 127.0.0.1          127.0.0.1          UH          0       66    lo0
# netstat -i
> netstat -i
> Name  Mtu   Network        Address              Ipkts Ierrs    Opkts Oerrs  Coll
> dc0   1500  <Link#1>       00:a0:cc:29:2c:8e  5369389     8   119212     0     0
> dc0   1500  24.183.200/22  24-183-200-193.dh    29352     -      738     -     -
> tl0   1500  <Link#2>       00:80:5f:83:36:ff   127064     0   131938     0     0
> tl0   1500  10             gateway               4515     -     6727     -     -
> lo0   16384 <Link#3>                                66     0       66     0     0
> lo0   16384 your-net       localhost               66     -       66     -     -
# netstat -s -P ip
> netstat -s -P ip
> netstat: illegal option -- P
> netstat -s ip
> tcp:
>         4370 packets sent
>                 4294 data packets (513446 bytes)
>                 0 data packets (0 bytes) retransmitted
>                 0 data packets unnecessarily retransmitted
>                 0 resends initiated by MTU discovery
>                 62 ack-only packets (26 delayed)
>                 0 URG only packets
>                 0 window probe packets
>                 0 window update packets
>                 14 control packets
>         32172 packets received
>                 4017 acks (for 513461 bytes)
>                 5 duplicate acks
>                 0 acks for unsent data
>                 975 packets (55076 bytes) received in-sequence
>                 0 completely duplicate packets (0 bytes)
>                 0 old duplicate packets
>                 0 packets with some dup. data (0 bytes duped)
>                 0 out-of-order packets (0 bytes)
>                 0 packets (0 bytes) of data after window
>                 0 window probes
>                 0 window update packets
>                 0 packets received after close
>                 0 discarded for bad checksums
>                 0 discarded for bad header offset fields
>                 0 discarded because packet too short
>         5 connection requests
>         6 connection accepts
>         0 bad connection attempts
>         0 listen queue overflows
>         0 ignored RSTs in the windows
>         11 connections established (including accepts)
>         9 connections closed (including 0 drops)
>                 5 connections updated cached RTT on close
>                 5 connections updated cached RTT variance on close
>                 0 connections updated cached ssthresh on close
>         0 embryonic connections dropped
>         4017 segments updated rtt (of 3999 attempts)
>         0 retransmit timeouts
>                 0 connections dropped by rexmit timeout
>         0 persist timeouts
>                 0 connections dropped by persist timeout
>         0 keepalive timeouts
>                 0 keepalive probes sent
>                 0 connections dropped by keepalive
>         719 correct ACK header predictions
>         585 correct data packet header predictions
>         11 syncache entries added
>                 10 retransmitted
>                 9 dupsyn
>                 0 dropped
>                 6 completed
>                 0 bucket overflow
>                 0 cache overflow
>                 2 reset
>                 3 stale
>                 0 aborted
>                 0 badack
>                 0 unreach
>                 0 zone failures
>         0 cookies sent
>         0 cookies received
>         0 SACK recovery episodes
>         0 segment rexmits in SACK recovery episodes
>         0 byte rexmits in SACK recovery episodes
>         0 SACK options (SACK blocks) received
>         0 SACK options (SACK blocks) sent
>         0 SACK scoreboard overflow
> udp:
>         1773 datagrams received
>         0 with incomplete header
>         0 with bad data length field
>         0 with bad checksum
>         264 with no checksum
>         1029 dropped due to no socket
>         6 broadcast/multicast datagrams dropped due to no socket
>         0 dropped due to full socket buffers
>         0 not for hashed pcb
>         738 delivered
>         745 datagrams output
> ip:
>         302638 total packets received
>         0 bad header checksums
>         0 with size smaller than minimum
>         0 with data size < data length
>         0 with ip length > max ip packet size
>         0 with header length < data size
>         0 with data length < header length
>         0 with bad options
>         0 with incorrect version number
>         0 fragments received
>         0 fragments dropped (dup or out of space)
>         0 fragments dropped after timeout
>         0 packets reassembled ok
>         33994 packets for this host
>         7 packets for unknown/unsupported protocol
>         242208 packets forwarded (0 packets fast forwarded)
>         2461 packets not forwardable
>         0 packets received for unknown multicast group
>         0 redirects sent
>         36204 packets sent from this host
>         0 packets sent with fabricated ip header
>         0 output packets dropped due to no bufs, etc.
>         0 output packets discarded due to no route
>         0 output datagrams fragmented
>         0 fragments created
>         0 datagrams that can't be fragmented
>         0 tunneling packets that can't find gif
>         0 datagrams with bad address in header
> icmp:
>         3490 calls to icmp_error
>         1 error not generated in response to an icmp message
>         Output histogram:
>                 echo reply: 46
>                 destination unreachable: 3489
>         0 messages with bad code fields
>         0 messages < minimum length
>         0 bad checksums
>         0 messages with bad length
>         0 multicast echo requests ignored
>         0 multicast timestamp requests ignored
>         Input histogram:
>                 destination unreachable: 6
>                 echo: 46
>                 time exceeded: 1
>         46 message responses generated
>         0 invalid return addresses
>         0 no return routes
>         ICMP address mask responses are disabled
> igmp:
>         0 messages received
>         0 messages received with too few bytes
>         0 messages received with bad checksum
>         0 membership queries received
>         0 membership queries received with invalid field(s)
>         0 membership reports received
>         0 membership reports received with invalid field(s)
>         0 membership reports received for groups to which we belong
>         0 membership reports sent
> Warning: sysctl(net.inet6.ip6.rip6stats): No such file or directory
# ipf -V
> ipf -V
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
# ipfstat
> ipfstat
> bad packets:            in 0    out 0
>  IPv6 packets:          in 0 out 0
>  input packets:         blocked 23784 passed 278896 nomatch 27632 counted 0 short 0
> output packets:         blocked 31074 passed 250023 nomatch 1 counted 0 short 0
>  input packets logged:  blocked 401 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0  not fragmented 0
> fragment state(out):    kept 0  lost 0  not fragmented 0
> packet state(in):       kept 2311       lost 0
> packet state(out):      kept 4819       lost 31074
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  15839   (out):  4137
> IN Pullups succeeded:   26      failed: 0
> OUT Pullups succeeded:  3508    failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      179980
> Packet log flags set: (0)
>         none
# ipfstat -io
> ipfstat -io
> pass out quick on tl0 all
> pass out quick on lo0 all
> pass out quick on dc0 proto tcp from any to any keep state
> pass out quick on dc0 proto udp from any to any keep state
> pass out quick on dc0 proto icmp from any to any keep state
> pass out quick on dc0 proto tcp from any to 24.159.64.23/32 port = domain flags S/FSRPAU keep state
> pass out quick on dc0 proto udp from any to 24.159.64.23/32 port = domain keep state
> pass out quick on dc0 proto tcp from any to 24.159.64.21/32 port = domain flags S/FSRPAU keep state
> pass out quick on dc0 proto udp from any to 24.159.64.21/32 port = domain keep state
> pass out quick on dc0 proto tcp from any to 24.159.64.20/32 port = domain flags S/FSRPAU keep state
> pass out quick on dc0 proto udp from any to 24.159.64.20/32 port = domain keep state
> pass out quick on dc0 proto udp from any to any port = bootps keep state
> pass out quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = https flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = imap flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = pop3 flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = smtp flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = time flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = nntp flags S/FSRPAU keep state
> pass out quick proto tcp from any port > 1023 to any port = ftp flags S/FSRPAU keep state
> pass out quick proto tcp from any port > 1023 to any port > 1023 flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = telnet flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = cvsup flags S/FSRPAU keep state
> pass out quick on dc0 proto tcp from any to any port = ircd flags S/FSRPAU keep state
> pass out quick on dc0 proto icmp from any to any icmp-type echo keep state
> pass out quick on dc0 proto icmp from any to any icmp-type echorep keep state
> pass out quick on dc0 proto icmp from any to any icmp-type timex keep state
> pass out quick on dc0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
> block out log first quick on dc0 all
> pass in quick on tl0 all
> pass in quick on lo0 all
> block in quick on dc0 from 192.168.0.0/16 to any
> block in quick on dc0 from 172.16.0.0/12 to any
> block in quick on dc0 from 10.0.0.0/8 to any
> block in quick on dc0 from 127.0.0.0/8 to any
> block in quick on dc0 from 0.0.0.0/8 to any
> block in quick on dc0 from 169.254.0.0/16 to any
> block in quick on dc0 from 192.0.2.0/24 to any
> block in quick on dc0 from 204.152.64.0/23 to any
> block in quick on dc0 from 224.0.0.0/3 to any
> block in log first quick on dc0 from any to any with frag
> block in log first quick on dc0 proto tcp from any to any with short
> block in log first quick on dc0 from any to any with opt lsrr
> block in log first quick on dc0 from any to any with opt ssrr
> block in log first quick on dc0 proto tcp from any to any flags FPU/FSRPAU
> block in log first quick on dc0 from any to any with ipopts
> block in quick on dc0 proto icmp from any to any icmp-type echo
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn
> block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns
> pass in quick on dc0 proto udp from 10.160.0.1/32 to any port = bootpc keep state
> pass in quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from any to any port = auth flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from any to any port = 2217 flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = dec-notes flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = search flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-cc flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = ttyinfo flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-am flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = troff flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = bootserver flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress-stat flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = terminaldb flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = whosockami flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = xinupageserver flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = dec-notes flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = search flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-cc flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = ttyinfo flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-am flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = troff flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = bootserver flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress-stat flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = terminaldb flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = whosockami flags S/FSRPAU keep state
> pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = xinupageserver flags S/FSRPAU keep state
> block in log first quick on dc0 all
# ipnat -slv
I doubt you really want to see all of this, it was very long. Here is a good
chunk of it:
> ipnat -slv
> mapped  in      124643  out     119264
> added   7800    expired 0
> no memory       0       bad nat 0
> inuse   452
> rules   16
> wilds   0
> table 0xbfbfeb7c list 0xc1867000
> List of active MAP/Redirect filters:
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80 tcp
> rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113 tcp
> rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010 tcp
> rdr dc0 0.0.0.0/0 port 2011 -> 10.0.0.2 port 2011 tcp
> rdr dc0 0.0.0.0/0 port 2012 -> 10.0.0.2 port 2012 tcp
> rdr dc0 0.0.0.0/0 port 2013 -> 10.0.0.2 port 2013 tcp
> rdr dc0 0.0.0.0/0 port 2014 -> 10.0.0.2 port 2014 tcp
> rdr dc0 0.0.0.0/0 port 2015 -> 10.0.0.2 port 2015 tcp
> rdr dc0 0.0.0.0/0 port 2016 -> 10.0.0.2 port 2016 tcp
> rdr dc0 0.0.0.0/0 port 2017 -> 10.0.0.2 port 2017 tcp
> rdr dc0 0.0.0.0/0 port 2018 -> 10.0.0.2 port 2018 tcp
> rdr dc0 0.0.0.0/0 port 2019 -> 10.0.0.2 port 2019 tcp
> rdr dc0 0.0.0.0/0 port 2020 -> 10.0.0.2 port 2020 tcp
> rdr dc0 0.0.0.0/0 port 3333 -> 10.0.0.2 port 3333 tcp
> map dc0 0.0.0.0/0 -> 0.0.0.0/32 portmap tcp/udp auto
> map dc0 0.0.0.0/0 -> 0.0.0.0/32
>
> List of active sessions:
> MAP 24.183.200.193 54016 <- -> 24.183.200.193 55040 [24.159.64.23 53]
>         age 181244 use 0 sumd 0x400/0x400 pr 17 bkt 735/739 flags 2 ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 53567 <- -> 24.183.200.193 54591 [24.159.64.23 53]
>         age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 485/489 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 60321 <- -> 24.183.200.193 61345 [24.159.64.23 53]
>         age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2 ifp dc0,dc0 bytes 204/71 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 60734 <- -> 24.183.200.193 61758 [24.159.64.23 53]
>         age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 257/261 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 59577 <- -> 24.183.200.193 60601 [24.159.64.23 53]
>         age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2 ifp dc0,dc0 bytes 201/72 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 54448 <- -> 24.183.200.193 55472 [24.159.64.23 53]
>         age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 758/762 flags 2 ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
> MAP 24.183.200.193 51915 <- -> 24.183.200.193 52939 [24.159.64.23 53]
>         age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1519/1523 flags 2 ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0
And here are my rules:

> cat /etc/ipf.rules
> ############################################
> # no restrictions on inside lan interface
> ############################################
> pass out quick on tl0 all
> pass in quick on tl0 all
>
> ##########################################
> # no restrictions on loopback interface
> ##########################################
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> #####################
> # keep state rules
> #####################
> pass out quick on dc0 proto tcp all keep state
> pass out quick on dc0 proto udp all keep state
> pass out quick on dc0 proto icmp all keep state
>
> #####################
> # outbound section
> #####################
>
> #########################################
> # allow out access to isp's dns server
> #########################################
> pass out quick on dc0 proto tcp from any to 24.159.64.23 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 24.159.64.23 port = 53 keep state
> pass out quick on dc0 proto tcp from any to 24.159.64.21 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 24.159.64.21 port = 53 keep state
> pass out quick on dc0 proto tcp from any to 24.159.64.20 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 24.159.64.20 port = 53 keep state
>
> ##########################################
> # allow out access to isp's dhcp server
> ##########################################
> pass out quick on dc0 proto udp from any to any port = 67 keep state
>
> ##################
> # allow out www
> ##################
> pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
>
> #########################
> # allow out secure www
> #########################
> pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
>
> ####################
> # allow out email
> ####################
> pass out quick on dc0 proto tcp from any to any port = 143 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
>
> ##################
> # allow out ntp
> ##################
> pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
>
> ###################
> # allow out nntp
> ###################
> pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
>
> ##########################
> # allow out passive ftp
> ##########################
> pass out quick proto tcp from any port > 1023 to any port = 21 flags S keep state
> pass out quick proto tcp from any port > 1023 to any port > 1023 flags S keep state
>
> ##################
> # allow out ssh
> ##################
> pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
>
> #####################
> # allow out telnet
> #####################
> pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
>
> ####################
> # allow out cvsup
> ####################
> pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
>
> ##################
> # allow out irc
> ##################
> pass out quick on dc0 proto tcp from any to any port = 6667 flags S keep state
>
> ###################
> # allow out ping
> ###################
> pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
> pass out quick on dc0 proto icmp from any to any icmp-type 0 keep state
> pass out quick on dc0 proto icmp from any to any icmp-type 11 keep state
>
> ####################
> # allow out whois
> ####################
> pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
>
> ####################################################
> # block and log everything else trying to get out
> ####################################################
> block out log first quick on dc0 all
>
> #########################
> # end outbound section
> #########################
>
> ####################
> # inbound section
> ####################
>
> ###############################################
> # block all inbound non-routable or reserved
> ###############################################
> block in quick on dc0 from 192.168.0.0/16 to any
> block in quick on dc0 from 172.16.0.0/12 to any
> block in quick on dc0 from 10.0.0.0/8 to any
> block in quick on dc0 from 127.0.0.0/8 to any
> block in quick on dc0 from 0.0.0.0/8 to any
> block in quick on dc0 from 169.254.0.0/16 to any
> block in quick on dc0 from 192.0.2.0/24 to any
> block in quick on dc0 from 204.152.64.0/23 to any
> block in quick on dc0 from 224.0.0.0/3 to any
>
> ################
> # block frags
> ################
> block in log first quick on dc0 all with frags
>
> ############################
> # block short tcp packets
> ############################
> block in log first quick on dc0 proto tcp all with short
>
> ################################
> # block source routed packets
> ################################
> block in log first quick on dc0 all with opt lsrr
> block in log first quick on dc0 all with opt ssrr
>
> ###############################################
> # block and log nmap OS fingerprint attempts
> ###############################################
> block in log first quick on dc0 proto tcp from any to any flags FUP
>
> ########################################
> # block anything with special options
> ########################################
> block in log first quick on dc0 all with ipopts
>
> #######################
> # block public pings
> #######################
> block in quick on dc0 proto icmp all icmp-type 8
>
> ##################
> # block netbios
> ##################
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
> block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn
>
> ########################################
> # block ms windows hosts2 name server
> ########################################
> block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns
>
> ###############################
> # allow in isp's dhcp server
> ###############################
> pass in quick on dc0 proto udp from 10.160.0.1 to any port = 68 keep state
>
> #################
> # allow in www
> #################
> pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
>
> ###################
> # allow in ident
> ###################
> pass in quick on dc0 proto tcp from any to any port = 113 flags S keep state
>
> ##############################
> # allow in ssh on port 2217
> ##############################
> pass in quick on dc0 proto tcp from any to any port = 2217 flags S keep state
>
> ###############################################
> # allow sheeba and past0r to connect to jane
> ###############################################
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 3333 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2010 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2011 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2012 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2013 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2014 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2015 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2016 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2017 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2018 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2019 flags S keep state
> pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2020 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 3333 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2010 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2011 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2012 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2013 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2014 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2015 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2016 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2017 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2018 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2019 flags S keep state
> pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2020 flags S keep state
>
> ##################################
> # block and log everything else
> ##################################
> block in log first quick on dc0 all
>
> ########################
> # end inbound section
> ########################
> cat /etc/ipnat.rules
> #########################
> # redirects inside lan
> #########################
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80
> rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113
> rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010
> rdr dc0 0.0.0.0/0 port 2011 -> 10.0.0.2 port 2011
> rdr dc0 0.0.0.0/0 port 2012 -> 10.0.0.2 port 2012
> rdr dc0 0.0.0.0/0 port 2013 -> 10.0.0.2 port 2013
> rdr dc0 0.0.0.0/0 port 2014 -> 10.0.0.2 port 2014
> rdr dc0 0.0.0.0/0 port 2015 -> 10.0.0.2 port 2015
> rdr dc0 0.0.0.0/0 port 2016 -> 10.0.0.2 port 2016
> rdr dc0 0.0.0.0/0 port 2017 -> 10.0.0.2 port 2017
> rdr dc0 0.0.0.0/0 port 2018 -> 10.0.0.2 port 2018
> rdr dc0 0.0.0.0/0 port 2019 -> 10.0.0.2 port 2019
> rdr dc0 0.0.0.0/0 port 2020 -> 10.0.0.2 port 2020
> rdr dc0 0.0.0.0/0 port 3333 -> 10.0.0.2 port 3333
>
> ##############
> # basic nat
> ##############
> map dc0 0/0 -> 0/32 portmap tcp/udp auto
> map dc0 0/0 -> 0/32
Any help you could provide would be greatly appreciated.

Thanks,

--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/
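An added example, not part of the original post and not an ipfilter or FreeBSD tool: a small RFC 1413 (ident) client that sends one query to port 113 and parses the answer, so that from a remote host you can tell "the TCP connect succeeds but no reply ever comes back" (the symptom described above, typical of a redirect or state entry that passes the SYN but not the return path) apart from "the ident daemon answers". A one-shot stub responder is included only so the script runs offline; the host, ports and the user name `user1` are constructed for illustration.

```python
"""Minimal RFC 1413 (ident) client plus a stub responder for offline testing.

Added example, not from the original mailing-list post. The responder below
stands in for the identd behind the port-113 redirect; in a real check you
point ident_query() at the gateway's public address from outside the LAN.
"""
import socket
import threading

IDENT_PORT = 113


def build_query(server_port, client_port):
    """Format an ident request: '<port-on-server>,<port-on-client>\\r\\n'.

    For an IRC login, server_port is the IRC server's listening port (e.g.
    6667) and client_port is the user's ephemeral source port on that link.
    """
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        raise ValueError("ports must be in 1..65535")
    return f"{server_port},{client_port}\r\n"


def parse_response(line):
    """Parse an ident reply into a dict, or return None if it is malformed.

    Success: '<sport>,<cport>:USERID:<opsys>:<user-id>'
    Failure: '<sport>,<cport>:ERROR:<error-type>'
    """
    parts = line.strip().split(":", 3)
    if len(parts) < 3:
        return None
    ports, kind = parts[0].strip(), parts[1].strip().upper()
    try:
        sport, cport = (int(p) for p in ports.split(","))
    except ValueError:
        return None
    if kind == "USERID" and len(parts) == 4:
        return {"server_port": sport, "client_port": cport,
                "status": "USERID", "opsys": parts[2].strip(),
                "user": parts[3].strip()}
    if kind == "ERROR" and len(parts) == 3:
        return {"server_port": sport, "client_port": cport,
                "status": "ERROR", "error": parts[2].strip()}
    return None


def ident_query(host, server_port, client_port, port=IDENT_PORT, timeout=5.0):
    """Connect to host:port, send one query and return the parsed reply.

    A socket.timeout raised from recv() (after connect() succeeded) is the
    case to look for: the SYN got through, the answer did not come back.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query(server_port, client_port).encode("ascii"))
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_response(data.decode("ascii", "replace"))


def serve_once(listen_host="127.0.0.1", user="user1"):
    """Start a one-shot ident responder on an ephemeral localhost port.

    Test fixture only (constructed user name). Answers USERID for any valid
    port pair and ERROR:INVALID-PORT otherwise; returns the port it uses.
    """
    srv = socket.socket()
    srv.bind((listen_host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("r") as req:
            line = req.readline()
            try:
                sp, cp = (int(p) for p in line.strip().split(","))
            except ValueError:
                sp, cp = 0, 0
            if 0 < sp < 65536 and 0 < cp < 65536:
                reply = f"{sp},{cp}:USERID:UNIX:{user}\r\n"
            else:
                reply = f"{sp},{cp}:ERROR:INVALID-PORT\r\n"
            conn.sendall(reply.encode("ascii"))

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline round trip against the stub; for a real check replace the
    # host and drop the port= argument so the query goes to 113.
    stub_port = serve_once()
    print(ident_query("127.0.0.1", 6667, 54321, port=stub_port))
```

Run it from a host outside the LAN against the gateway's public address (drop the `port=` argument so it uses 113). A parsed USERID or ERROR reply shows that both the rdr and the stateful return path work; a timeout after the connect completes shows the request reached the inside host but the answer was not let back out.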