On Sun, 05. 03. 2006 at 10:04 +0100, Sasa Stupar wrote:
> Hi!
>
> I am new to ipfilter. I have a server (FreeBSD 5.5) in DMZ and I have
> configured ipfilter (3.4.35) on this server for firewall. Incoming access

I think that you might benefit from the upgrade of the server to 6.1 (as 5.5 has not been released yet). It is better performing, has quite a few new features and you would also get much newer ipfilter.

> is filtered as it is supposed to, but outgoing access from the server is completely
> blocked; I can't use fetchmail, nor connect to remote smtp server, etc.
> Here are my rules:
> --------------
> # ping
> pass in quick proto icmp from 192.168.10.0/24 to <thishost> icmp-type echo
> # ftp
> pass in quick proto tcp from any to <thishost> port = 21 flags S keep state
> # ssh
> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 22 flags S keep state
> # smtp
> pass in quick proto tcp from any to <thishost> port = 25 flags S keep state
> # http
> pass in quick proto tcp from any to <thishost> port = 80 flags S keep state
> # pop3
> pass in quick proto tcp from any to <thishost> port = 110 flags S keep state
> block return-rst in quick proto tcp from any to any port = 113
> # ntp
> pass in quick proto udp from 192.168.10.0/24 to <thishost> port = 123
> # samba
> pass in quick proto udp from 192.168.10.0/24 to <thishost> port 137 <> 138
> # samba
> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 139 flags S keep state
> # imap
> pass in quick proto tcp from any to <thishost> port = 143 flags S keep state
> # https
> pass in quick proto tcp from any to <thishost> port = 443 flags S keep state
> # samba
> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 445 flags S keep state
> # smtps
> pass in quick proto tcp from any to <thishost> port = 465 flags S keep state
> # sma
> pass in quick proto tcp from any to <thishost> port = 587 flags S keep state
> # pop3s
> pass in quick proto tcp from any to <thishost> port = 993 flags S keep state
> # imaps
> pass in quick proto tcp from any to <thishost> port = 995 flags S keep state
> # webmin
> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 10000 flags S keep state
> pass out quick from <thishost> to any

You probably want keep state on this rule too. This way the returning packets will automatically be allowed and not blocked by your last rule.

> # lo
> pass in quick on lo0 all
> # Block everything else
> block in quick on fxp0 from any to <thishost>
> ---------------
>
> What am I missing here?
>
> Regards,

HTH
Michal
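To make Michal's point concrete, here is an added example (not from the thread, and not ipfilter's code): a small simulator of ipfilter's "quick" first-match evaluation with a state table, walking an outbound SMTP connection through the three rules that matter. The host address and the remote mail server are constructed placeholders; the rules are the poster's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

THISHOST = "192.0.2.10"       # constructed stand-in for <thishost>
REMOTE_SMTP = "198.51.100.7"  # constructed remote mail server

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # None = any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
def _matches(r, pkt):
    return (r.direction == pkt["dir"]
            and (r.proto is None or r.proto == pkt["proto"])
            and _addr_ok(r.src, pkt["src"]) and _addr_ok(r.dst, pkt["dst"])
            and (r.dport is None or r.dport == pkt["dport"]))

def evaluate(rules, packets):
    """Verdict per packet: state table first, then first matching 'quick' rule."""
    state, verdicts = set(), []
    for p in packets:
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if key in state or reverse in state:   # reply half of a kept connection
            verdicts.append("pass (state)")
            continue
        for r in rules:
            if _matches(r, p):
                if r.action == "pass" and r.keep_state:
                    state.add(key)             # remember the connection
                verdicts.append(r.action)
                break
        else:
            verdicts.append("pass (no match)")  # nothing matched: ipfilter default
    return verdicts

def outbound_smtp(keep_state_out):
    """SYN leaves via 'pass out'; the SYN/ACK must get back in past the final block."""
    rules = [Rule("pass", "in", "tcp", "any", THISHOST, 25, True),       # smtp
             Rule("pass", "out", src=THISHOST, keep_state=keep_state_out),
             Rule("block", "in", dst=THISHOST)]                            # block everything else
    syn = dict(dir="out", proto="tcp", src=THISHOST, sport=50123, dst=REMOTE_SMTP, dport=25)
    synack = dict(dir="in", proto="tcp", src=REMOTE_SMTP, sport=25, dst=THISHOST, dport=50123)
    return evaluate(rules, [syn, synack])
```

Without `keep state` on the `pass out` rule the SYN/ACK reaches the last rule and is blocked; with it, the state entry created by the outgoing SYN lets the reply through before any rule is consulted.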
