On 12/9/05, Phil Dibowitz <[EMAIL PROTECTED]> wrote:
> As others have pointed out, your mail was formatted poorly...

I apologize for the formatting.  I post to a couple of other listservs
almost daily and have never had a formatting problem before now.  I'm
not seeing the issue on my end; all the line breaks appear fine.
Looking at my gmail settings I discovered I can change from UTF-8 to
'default formatting', whatever that is.  Does this second attempt
appear to be formatted any better?


#State your problem very clearly.
I am trying to get my ipfilter-based firewall to allow ident access on
a PC on my private network.  I can telnet to port 113 from a remote
host, but ident cannot reply back even though my incoming rule has
keep state defined.  I've read docs, man pages, mailing list archives,
and googled for a week.  I've tried everything I've seen.  I'm not a
network guru by any means.

#Give all error messages.
I don't really have any error messages, other than the fact that when
I login to any irc server my ident does not work.  I was previously
using an exclusive ipfw-based firewall.  I recently switched to
ipfilter and am trying to get an inclusive ruleset worked up.  I have
most everything working at this point, except ident.

#Give all information
#Include as much information as possible. Start with:
# uname -a

> uname -a
FreeBSD gateway.localdomain 6.0-STABLE FreeBSD 6.0-STABLE #4: Fri Dec 2 18:50:10 CST 2005     [EMAIL PROTECTED]:/usr/src/sys/i386/compile/MYKERNEL  i386

In addition, here is my MYKERNEL config:

> cat MYKERNEL
machine         i386
cpu                 I586_CPU
ident             MYKERNEL

options         SCHED_4BSD              # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                       # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                       # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

device          apic                    # I/O APIC
device          eisa
device          pci
device          fdc
device          ata
device          atadisk         # ATA disk drives

options         ATA_STATIC_ID   # Static device numbering

device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse
device          vga             # VGA video card driver
device          splash          # Splash screen and screen saver support
device          sc
device          sio             # 8250, 16[45]50 based serial ports
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
device          tl              # Texas Instruments ThunderLAN
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          pty             # Pseudo-ttys (telnet etc)
device          bpf             # Berkeley packet filter

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
#options        IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         HZ=1000

options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK

# isainfo -vk

> isainfo -vk
-su: isainfo: command not found

# ifconfig -a

> ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       options=8<VLAN_MTU>
       inet 24.183.200.193 netmask 0xfffffc00 broadcast 255.255.255.255
       ether 00:a0:cc:29:2c:8e
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
tl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
       ether 00:80:5f:83:36:ff
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
       inet 127.0.0.1 netmask 0xff000000

# netstat -rn

> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            24.183.200.1       UGS         0   150194    dc0
10                 link#2             UC          0        0    tl0
10.0.0.2           00:a0:cc:27:82:fc  UHLW        1     9059    tl0
10.0.0.3           00:e0:81:30:ae:45  UHLW        1    12959    tl0
10.0.0.4           00:50:fc:9c:bb:47  UHLW        1        2    tl0
24.183.200/22      link#1             UC          0        0    dc0
24.183.200.1       00:05:00:e3:dc:7a  UHLW        2        0    dc0
127.0.0.1          127.0.0.1          UH          0       66    lo0

# netstat -i

> netstat -i
Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
dc0    1500 <Link#1>      00:a0:cc:29:2c:8e  5369389     8   119212     0     0
dc0    1500 24.183.200/22 24-183-200-193.dh    29352     -      738     -     -
tl0    1500 <Link#2>      00:80:5f:83:36:ff   127064     0   131938     0     0
tl0    1500 10            gateway               4515     -     6727     -     -
lo0   16384 <Link#3>                              66     0       66     0     0
lo0   16384 your-net      localhost               66     -       66     -     -

# netstat -s -P ip

> netstat -s -P ip
netstat: illegal option -- P

> netstat -s ip
tcp:
       4370 packets sent
               4294 data packets (513446 bytes)
               0 data packets (0 bytes) retransmitted
               0 data packets unnecessarily retransmitted
               0 resends initiated by MTU discovery
               62 ack-only packets (26 delayed)
               0 URG only packets
               0 window probe packets
               0 window update packets
               14 control packets
       32172 packets received
               4017 acks (for 513461 bytes)
               5 duplicate acks
               0 acks for unsent data
               975 packets (55076 bytes) received in-sequence
               0 completely duplicate packets (0 bytes)
               0 old duplicate packets
               0 packets with some dup. data (0 bytes duped)
               0 out-of-order packets (0 bytes)
               0 packets (0 bytes) of data after window
               0 window probes
               0 window update packets
               0 packets received after close
               0 discarded for bad checksums
               0 discarded for bad header offset fields
               0 discarded because packet too short
       5 connection requests
       6 connection accepts
       0 bad connection attempts
       0 listen queue overflows
       0 ignored RSTs in the windows
       11 connections established (including accepts)
       9 connections closed (including 0 drops)
               5 connections updated cached RTT on close
               5 connections updated cached RTT variance on close
               0 connections updated cached ssthresh on close
       0 embryonic connections dropped
       4017 segments updated rtt (of 3999 attempts)
       0 retransmit timeouts
               0 connections dropped by rexmit timeout
       0 persist timeouts
               0 connections dropped by persist timeout
       0 keepalive timeouts
               0 keepalive probes sent
               0 connections dropped by keepalive
       719 correct ACK header predictions
       585 correct data packet header predictions
       11 syncache entries added
               10 retransmitted
               9 dupsyn
               0 dropped
               6 completed
               0 bucket overflow
               0 cache overflow
               2 reset
               3 stale
               0 aborted
               0 badack
               0 unreach
               0 zone failures
       0 cookies sent
       0 cookies received
       0 SACK recovery episodes
       0 segment rexmits in SACK recovery episodes
       0 byte rexmits in SACK recovery episodes
       0 SACK options (SACK blocks) received
       0 SACK options (SACK blocks) sent
       0 SACK scoreboard overflow
udp:
       1773 datagrams received
       0 with incomplete header
       0 with bad data length field
       0 with bad checksum
       264 with no checksum
       1029 dropped due to no socket
       6 broadcast/multicast datagrams dropped due to no socket
       0 dropped due to full socket buffers
       0 not for hashed pcb
       738 delivered
       745 datagrams output
ip:
       302638 total packets received
       0 bad header checksums
       0 with size smaller than minimum
       0 with data size < data length
       0 with ip length > max ip packet size
       0 with header length < data size
       0 with data length < header length
       0 with bad options
       0 with incorrect version number
       0 fragments received
       0 fragments dropped (dup or out of space)
       0 fragments dropped after timeout
       0 packets reassembled ok
       33994 packets for this host
       7 packets for unknown/unsupported protocol
       242208 packets forwarded (0 packets fast forwarded)
       2461 packets not forwardable
       0 packets received for unknown multicast group
       0 redirects sent
       36204 packets sent from this host
       0 packets sent with fabricated ip header
       0 output packets dropped due to no bufs, etc.
       0 output packets discarded due to no route
       0 output datagrams fragmented
       0 fragments created
       0 datagrams that can't be fragmented
       0 tunneling packets that can't find gif
       0 datagrams with bad address in header
icmp:
       3490 calls to icmp_error
       1 error not generated in response to an icmp message
       Output histogram:
               echo reply: 46
               destination unreachable: 3489
       0 messages with bad code fields
       0 messages < minimum length
       0 bad checksums
       0 messages with bad length
       0 multicast echo requests ignored
       0 multicast timestamp requests ignored
       Input histogram:
               destination unreachable: 6
               echo: 46
               time exceeded: 1
       46 message responses generated
       0 invalid return addresses
       0 no return routes
       ICMP address mask responses are disabled
igmp:
       0 messages received
       0 messages received with too few bytes
       0 messages received with bad checksum
       0 membership queries received
       0 membership queries received with invalid field(s)
       0 membership reports received
       0 membership reports received with invalid field(s)
       0 membership reports received for groups to which we belong
       0 membership reports sent
Warning: sysctl(net.inet6.ip6.rip6stats): No such file or directory

# ipf -V

> ipf -V
ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa

# ipfstat

> ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 23784 passed 278896 nomatch 27632 counted 0 short 0
output packets:         blocked 31074 passed 250023 nomatch 1 counted 0 short 0
 input packets logged:  blocked 401 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 2311       lost 0
packet state(out):      kept 4819       lost 31074
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  15839   (out):  4137
IN Pullups succeeded:   26      failed: 0
OUT Pullups succeeded:  3508    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      179980
Packet log flags set: (0)
       none

# ipfstat -io

> ipfstat -io
pass out quick on tl0 all
pass out quick on lo0 all
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
pass out quick on dc0 proto tcp from any to 24.159.64.23/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.23/32 port = domain keep state
pass out quick on dc0 proto tcp from any to 24.159.64.21/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.21/32 port = domain keep state
pass out quick on dc0 proto tcp from any to 24.159.64.20/32 port = domain flags S/FSRPAU keep state
pass out quick on dc0 proto udp from any to 24.159.64.20/32 port = domain keep state
pass out quick on dc0 proto udp from any to any port = bootps keep state
pass out quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = https flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = imap flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = pop3 flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = smtp flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = time flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = nntp flags S/FSRPAU keep state
pass out quick proto tcp from any port > 1023 to any port = ftp flags S/FSRPAU keep state
pass out quick proto tcp from any port > 1023 to any port > 1023 flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = telnet flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = cvsup flags S/FSRPAU keep state
pass out quick on dc0 proto tcp from any to any port = ircd flags S/FSRPAU keep state
pass out quick on dc0 proto icmp from any to any icmp-type echo keep state
pass out quick on dc0 proto icmp from any to any icmp-type echorep keep state
pass out quick on dc0 proto icmp from any to any icmp-type timex keep state
pass out quick on dc0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
block out log first quick on dc0 all
pass in quick on tl0 all
pass in quick on lo0 all
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 0.0.0.0/8 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any
block in log first quick on dc0 from any to any with frag
block in log first quick on dc0 proto tcp from any to any with short
block in log first quick on dc0 from any to any with opt lsrr
block in log first quick on dc0 from any to any with opt ssrr
block in log first quick on dc0 proto tcp from any to any flags FPU/FSRPAU
block in log first quick on dc0 from any to any with ipopts
block in quick on dc0 proto icmp from any to any icmp-type echo
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn
block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns
pass in quick on dc0 proto udp from 10.160.0.1/32 to any port = bootpc keep state
pass in quick on dc0 proto tcp from any to any port = http flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from any to any port = auth flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from any to any port = 2217 flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = dec-notes flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = search flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-cc flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = ttyinfo flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = raid-am flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = troff flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = bootserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = cypress-stat flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = terminaldb flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = whosockami flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 216.19.216.16/32 to any port = xinupageserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = dec-notes flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = search flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-cc flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = ttyinfo flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = raid-am flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = troff flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = bootserver flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = cypress-stat flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = terminaldb flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = whosockami flags S/FSRPAU keep state
pass in quick on dc0 proto tcp from 67.15.155.13/32 to any port = xinupageserver flags S/FSRPAU keep state
block in log first quick on dc0 all

# ipnat -slv

I doubt you really want to see all of this; it was very long.  Here is
a good chunk of it:

> ipnat -slv
mapped  in      124643  out     119264
added   7800    expired 0
no memory       0       bad nat 0
inuse   452
rules   16
wilds   0
table 0xbfbfeb7c list 0xc1867000
List of active MAP/Redirect filters:
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80 tcp
rdr dc0 0.0.0.0/0 port 113 -> 10.0.0.2 port 113 tcp
rdr dc0 0.0.0.0/0 port 2010 -> 10.0.0.2 port 2010 tcp
rdr dc0 0.0.0.0/0 port 2011 -> 10.0.0.2 port 2011 tcp
rdr dc0 0.0.0.0/0 port 2012 -> 10.0.0.2 port 2012 tcp
rdr dc0 0.0.0.0/0 port 2013 -> 10.0.0.2 port 2013 tcp
rdr dc0 0.0.0.0/0 port 2014 -> 10.0.0.2 port 2014 tcp
rdr dc0 0.0.0.0/0 port 2015 -> 10.0.0.2 port 2015 tcp
rdr dc0 0.0.0.0/0 port 2016 -> 10.0.0.2 port 2016 tcp
rdr dc0 0.0.0.0/0 port 2017 -> 10.0.0.2 port 2017 tcp
rdr dc0 0.0.0.0/0 port 2018 -> 10.0.0.2 port 2018 tcp
rdr dc0 0.0.0.0/0 port 2019 -> 10.0.0.2 port 2019 tcp
rdr dc0 0.0.0.0/0 port 2020 -> 10.0.0.2 port 2020 tcp
rdr dc0 0.0.0.0/0 port 3333 -> 10.0.0.2 port 3333 tcp
map dc0 0.0.0.0/0 -> 0.0.0.0/32 portmap tcp/udp auto
map dc0 0.0.0.0/0 -> 0.0.0.0/32

List of active sessions:
MAP 24.183.200.193  54016 <- -> 24.183.200.193  55040 [24.159.64.23 53]
       age 181244 use 0 sumd 0x400/0x400 pr 17 bkt 735/739 flags 2
       ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0
MAP 24.183.200.193  53567 <- -> 24.183.200.193  54591 [24.159.64.23 53]
       age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 485/489 flags 2
       ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193  60321 <- -> 24.183.200.193  61345 [24.159.64.23 53]
       age 181239 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2
       ifp dc0,dc0 bytes 204/71 pkts 1/1 ipsumd 0
MAP 24.183.200.193  60734 <- -> 24.183.200.193  61758 [24.159.64.23 53]
       age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 257/261 flags 2
       ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193  59577 <- -> 24.183.200.193  60601 [24.159.64.23 53]
       age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1035/1039 flags 2
       ifp dc0,dc0 bytes 201/72 pkts 1/1 ipsumd 0
MAP 24.183.200.193  54448 <- -> 24.183.200.193  55472 [24.159.64.23 53]
       age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 758/762 flags 2
       ifp dc0,dc0 bytes 230/73 pkts 1/1 ipsumd 0
MAP 24.183.200.193  51915 <- -> 24.183.200.193  52939 [24.159.64.23 53]
       age 181237 use 0 sumd 0x400/0x400 pr 17 bkt 1519/1523 flags 2
       ifp dc0,dc0 bytes 163/74 pkts 1/1 ipsumd 0


And here are my rules:

> cat /etc/ipf.rules


###########################################
# no restrictions on inside lan interface #
###########################################
pass out quick on tl0 all
pass in quick on tl0 all


#########################################
# no restrictions on loopback interface #
#########################################
pass in quick on lo0 all
pass out quick on lo0 all


####################
# keep state rules #
####################
pass out quick on dc0 proto tcp all keep state
pass out quick on dc0 proto udp all keep state
pass out quick on dc0 proto icmp all keep state


####################
# outbound section #
####################


########################################
# allow out access to isp's dns server #
########################################
pass out quick on dc0 proto tcp from any to 24.159.64.23 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.23 port = 53 keep state
pass out quick on dc0 proto tcp from any to 24.159.64.21 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.21 port = 53 keep state
pass out quick on dc0 proto tcp from any to 24.159.64.20 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 24.159.64.20 port = 53 keep state


#########################################
# allow out access to isp's dhcp server #
#########################################
pass out quick on dc0 proto udp from any to any port = 67 keep state


#################
# allow out www #
#################
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state


########################
# allow out secure www #
########################
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state


###################
# allow out email #
###################
pass out quick on dc0 proto tcp from any to any port = 143 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state


#################
# allow out ntp #
#################
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state


##################
# allow out nntp #
##################
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state


#########################
# allow out passive ftp #
#########################
pass out quick proto tcp from any port > 1023 to any port = 21 flags S keep state
pass out quick proto tcp from any port > 1023 to any port > 1023 flags S keep state


#################
# allow out ssh #
#################
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state


####################
# allow out telnet #
####################
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state


###################
# allow out cvsup #
###################
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state


#################
# allow out irc #
#################
pass out quick on dc0 proto tcp from any to any port = 6667 flags S keep state


##################
# allow out ping #
##################
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
pass out quick on dc0 proto icmp from any to any icmp-type 0 keep state
pass out quick on dc0 proto icmp from any to any icmp-type 11 keep state


###################
# allow out whois #
###################
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state


###################################################
# block and log everything else trying to get out #
###################################################
block out log first quick on dc0 all


########################
# end outbound section #
########################


###################
# inbound section #
###################


##############################################
# block all inbound non-routable or reserved #
##############################################
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 0.0.0.0/8 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any


###############
# block frags #
###############
block in log first quick on dc0 all with frags


###########################
# block short tcp packets #
###########################
block in log first quick on dc0 proto tcp all with short


###############################
# block source routed packets #
###############################
block in log first quick on dc0 all with opt lsrr
block in log first quick on dc0 all with opt ssrr


##############################################
# block and log nmap OS fingerprint attempts #
##############################################
block in log first quick on dc0 proto tcp from any to any flags FUP


#######################################
# block anything with special options #
#######################################
block in log first quick on dc0 all with ipopts


######################
# block public pings #
######################
block in quick on dc0 proto icmp all icmp-type 8


#################
# block netbios #
#################
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ns
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-dgm
block in log first quick on dc0 proto tcp/udp from any to any port = netbios-ssn


#######################################
# block ms windows hosts2 name server #
#######################################
block in log first quick on dc0 proto tcp/udp from any to any port = hosts2-ns


##############################
# allow in isp's dhcp server #
##############################
pass in quick on dc0 proto udp from 10.160.0.1 to any port = 68 keep state


################
# allow in www #
################
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state


##################
# allow in ident #
##################
pass in quick on dc0 proto tcp from any to any port = 113 flags S keep state


#############################
# allow in ssh on port 2217 #
#############################
pass in quick on dc0 proto tcp from any to any port = 2217 flags S keep state


##############################################
# allow sheeba and past0r to connect to jane #
##############################################
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 3333 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2010 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2011 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2012 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2013 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2014 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2015 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2016 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2017 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2018 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2019 flags S keep state
pass in quick on dc0 proto tcp from 216.19.216.16 to any port = 2020 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 3333 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2010 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2011 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2012 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2013 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2014 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2015 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2016 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2017 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2018 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2019 flags S keep state
pass in quick on dc0 proto tcp from 67.15.155.13 to any port = 2020 flags S keep state


#################################
# block and log everything else #
#################################
block in log first quick on dc0 all


#######################
# end inbound section #
#######################


> cat /etc/ipnat.rules
########################
# redirects inside lan #
########################
rdr dc0 0.0.0.0/0 port 80    -> 10.0.0.2 port 80
rdr dc0 0.0.0.0/0 port 113   -> 10.0.0.2 port 113
rdr dc0 0.0.0.0/0 port 2010  -> 10.0.0.2 port 2010
rdr dc0 0.0.0.0/0 port 2011  -> 10.0.0.2 port 2011
rdr dc0 0.0.0.0/0 port 2012  -> 10.0.0.2 port 2012
rdr dc0 0.0.0.0/0 port 2013  -> 10.0.0.2 port 2013
rdr dc0 0.0.0.0/0 port 2014  -> 10.0.0.2 port 2014
rdr dc0 0.0.0.0/0 port 2015  -> 10.0.0.2 port 2015
rdr dc0 0.0.0.0/0 port 2016  -> 10.0.0.2 port 2016
rdr dc0 0.0.0.0/0 port 2017  -> 10.0.0.2 port 2017
rdr dc0 0.0.0.0/0 port 2018  -> 10.0.0.2 port 2018
rdr dc0 0.0.0.0/0 port 2019  -> 10.0.0.2 port 2019
rdr dc0 0.0.0.0/0 port 2020  -> 10.0.0.2 port 2020
rdr dc0 0.0.0.0/0 port 3333  -> 10.0.0.2 port 3333

#############
# basic nat #
#############
map dc0 0/0 -> 0/32 portmap tcp/udp auto
map dc0 0/0 -> 0/32



--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/
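Every rule in the posted /etc/ipf.rules carries `quick`, so ipf decides on the first match, and the `keep state` on the port 113 rule is what has to admit the rest of the handshake, because `flags S` only ever matches a bare SYN. As an added example, not code from the post or from the IP Filter project, the following Python evaluator walks a few of the post's own rules, in the post's order, through that first-match logic with a simplified state table. The remote address 203.0.113.7 and the packets are constructed; the evaluator understands only the rule syntax the post uses and models IP Filter's processing order (ipnat's `rdr` rewrites the destination to 10.0.0.2 before the inbound filter sees the packet).

```python
# Added example, not IP Filter's code: a first-match evaluator for the subset of
# ipf rule syntax the post uses, with a simplified model of 'keep state'.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

FLAG_MASK = set("FSRPAU")   # bare 'flags X' means X set, rest of FSRPAU clear
PORT_OPS = {"=": int.__eq__, ">": int.__gt__, "<": int.__lt__}
Packet = namedtuple("Packet", "direction iface proto src dst sport dport flags")  # flags: set of TCP letters

def flow(p, reverse=False):
    # the 5-tuple a 'keep state' rule records, optionally as the replying side sees it
    return (p.proto, p.dst, p.dport, p.src, p.sport) if reverse else (p.proto, p.src, p.sport, p.dst, p.dport)

@dataclass
class Rule:
    text: str
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    quick: bool = False
    keep_state: bool = False
    iface: str = None
    proto: str = None
    flags: set = None
    ends: dict = field(default_factory=lambda: {"src": (None, None), "dst": (None, None)})  # (net|None, (op, port)|None)

    def matches(self, p):
        if self.direction != p.direction or self.iface not in (None, p.iface) or self.proto not in (None, p.proto):
            return False
        for end, addr, port in (("src", p.src, p.sport), ("dst", p.dst, p.dport)):
            net, spec = self.ends[end]
            if (net is not None and ipaddress.ip_address(addr) not in net) or (spec is not None and not PORT_OPS[spec[0]](port, spec[1])):
                return False
        # 'flags S' means SYN set and F,R,P,A,U clear, so a bare ACK never matches it
        return self.flags is None or (p.flags & FLAG_MASK) == self.flags

def parse_rule(line):
    t = line.split()
    r, i = Rule(line, t[0], t[1]), 2
    while i < len(t):
        w = t[i]
        if w in ("log", "first", "all"):
            i += 1
        elif w == "quick":
            r.quick, i = True, i + 1
        elif w == "keep" and t[i + 1] == "state":
            r.keep_state, i = True, i + 2
        elif w in ("on", "proto"):
            setattr(r, "iface" if w == "on" else "proto", t[i + 1]); i += 2
        elif w == "flags":
            r.flags, i = set(t[i + 1]), i + 2
        elif w in ("from", "to"):               # ADDR [port OP N]
            net = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1], strict=False)
            spec, i = None, i + 2
            if i < len(t) and t[i] == "port":
                spec, i = (t[i + 1], int(t[i + 2])), i + 3
            r.ends["src" if w == "from" else "dst"] = (net, spec)
        else:
            raise ValueError(f"unsupported token {w!r} in rule: {line}")
    return r

class Firewall:
    # A matching 'quick' rule decides at once, otherwise the last match wins; no match
    # gives the default (block, as the post's IPFILTER_DEFAULT_BLOCK kernel option sets).
    def __init__(self, rules, default="block"):
        self.rules, self.default, self.state = [parse_rule(l) for l in rules], default, set()

    def filter(self, p):
        # A flow recorded by 'keep state' passes both ways before the rule list is
        # consulted; that, not the 'flags S' rule, is what admits the SYN-ACK and ACK.
        if flow(p) in self.state or flow(p, reverse=True) in self.state:
            return "pass", "state table"
        verdict, hit = self.default, None
        for r in self.rules:
            if r.matches(p):
                verdict, hit = r.action, r
                if r.quick:
                    break
        if hit is not None and verdict == "pass" and hit.keep_state:
            self.state.add(flow(p))
        return verdict, hit.text if hit is not None else "default policy"

RULES = [   # subset of the post's /etc/ipf.rules, in the post's order
    "pass out quick on tl0 all",
    "pass in quick on tl0 all",
    "pass out quick on dc0 proto tcp all keep state",
    "block in quick on dc0 from 10.0.0.0/8 to any",
    "pass in quick on dc0 proto tcp from any to any port = 113 flags S keep state",
    "block in log first quick on dc0 all",
]
# Constructed remote peer (TEST-NET-3); 10.0.0.2 is the post's LAN host. ipnat's rdr
# has already rewritten the destination to 10.0.0.2 when the inbound filter runs.
REMOTE, LAN_HOST = "203.0.113.7", "10.0.0.2"

def ident_handshake():
    # SYN in, SYN-ACK out and ACK in of one ident connection, then the same ACK
    # against a firewall holding no state (only a bare SYN matches the port 113 rule)
    fw, ack = Firewall(RULES), Packet("in", "dc0", "tcp", REMOTE, LAN_HOST, 40000, 113, {"A"})
    syn = Packet("in", "dc0", "tcp", REMOTE, LAN_HOST, 40000, 113, {"S"})
    synack = Packet("out", "dc0", "tcp", LAN_HOST, REMOTE, 113, 40000, {"S", "A"})
    return [fw.filter(syn), fw.filter(synack), fw.filter(ack), Firewall(RULES).filter(ack)]
```

Calling `ident_handshake()` returns the verdict and the deciding rule for each packet: the SYN passes on the port 113 rule, the SYN-ACK and ACK pass from the state table, and the same ACK against a firewall with no state entry falls through to the final `block in log first quick on dc0 all`. The state entry is keyed on the 5-tuple ipf records, so the outbound reply from 10.0.0.2 is matched by the reverse lookup rather than by any `pass out` rule.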
