Re: ipf stateful rules

2006-12-13 Thread julien Chaffraix

Nathan Watson wrote:

Hello,
I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my 
rules to work. The problem is mainly that I want no restrictions on outbound 
traffic, and I'm not sure how to apply stateful filtering to that. I have the 
following rule (hme0 is my external interface):

pass out quick on hme0 all

If I change that to pass out quick on hme0 all keep state, will that only 
open the port that the outbound packet was on? Are there any problems that can arise from 
allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... 
I'm just having lots of trouble here. My ruleset is below, and everything seems to be 
caught by the last block all rule. Any suggestions?

You can use pass out quick on hme0 all keep state just to allow 
outgoing traffic without restriction.


You didn't mention the IPNAT ruleset, which could explain your problem. 
For your use I would have something like:


map hme0 0.0.0.0/0 -> 0.0.0.0/32


Cheers,
Julien

Thanks,
nwatson

# no restrictions on internal LAN
pass out quick on hme1 all
pass in quick on hme1 all

# no restrictions on loopback
pass out quick on lo0 all
pass in quick on lo0 all

# no outbound restrictions
pass out quick on hme0 all keep state

# block all from non-routable or reserved address space

block in quick on hme0 from 172.16.0.0/12 to any     # private
block in quick on hme0 from 10.0.0.0/8 to any        # private
block in quick on hme0 from 127.0.0.0/8 to any       # loopback
block in quick on hme0 from 0.0.0.0/8 to any         # loopback
block in quick on hme0 from 169.254.0.0/16 to any    # dhcp auto-config
block in quick on hme0 from 192.0.2.0/24 to any      # reserved for docs
block in quick on hme0 from 204.152.64.0/23 to any   # sun cluster interconnect
block in quick on hme0 from 224.0.0.0/3 to any       # class d & e multicast

# inbound blocks

block in quick on hme0 all with frags                                   # frags
block in quick on hme0 proto tcp all with short                         # short tcp packets
block in quick on hme0 all with opt lsrr                                # source routed packets
block in quick on hme0 all with opt ssrr                                # source routed packets
block in log first quick on hme0 proto tcp from any to any flags FUP    # nmap os fingerprint attempts, log
block in quick on hme0 all with ipopts                                  # anything with special options
block in quick on hme0 proto icmp all icmp-type 8                       # public pings
block in log first quick on hme0 proto tcp/udp from any to any port = 137   # netbios name
block in log first quick on hme0 proto tcp/udp from any to any port = 138   # netbios datagram
block in log first quick on hme0 proto tcp/udp from any to any port = 139   # netbios session
block in log first quick on hme0 proto tcp/udp from any to any port = 81    # hosts2 name server requests

# allow these

pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state         # ssh
pass in quick on hme0 proto tcp from any to any port = 25 flags S keep state         # smtp
pass in quick on hme0 proto tcp from any to any port = 236 flags S keep state        # http
pass in quick on hme0 proto tcp from any to any port = 237 flags S keep state        # zimbra https
pass in quick on hme0 proto tcp from any to any port = 113 flags S keep state        # ident
pass in quick on hme0 proto tcp from any to any port 5800 >< 5900 flags S keep state # vnc
pass in quick on hme0 proto tcp/udp from any to any port 6881 >< 6889 keep state     # bittorrent
pass in quick on hme0 proto tcp from any to any port = 7071 flags S keep state       # zimbra admin https

# block, log all remaining traffic

block in log first quick on hme0 all
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

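The question in this thread is whether "pass out quick on hme0 all keep state" only lets the reply to that one outbound connection back in. The following is an added illustration, not code from the thread or from IPFilter: a toy Python model of ipf's first-match ("quick") evaluation with a state table, over a condensed version of the hme0 rules above. Rule fields, packet fields and the addresses are constructed assumptions, not ipf's real data structures.

```python
"""Toy model of IPFilter's first-match ('quick') evaluation plus a keep-state
table; rules and packets are constructed here, not taken from the thread."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    direction: str; iface: str; proto: str
    src: str; sport: int; dst: str; dport: int
    syn: bool = False  # True only for a TCP connection-opening SYN

@dataclass
class Rule:
    action: str; direction: str; iface: str
    proto: str = "any"; dport: int = 0  # dport 0 means any port
    flags_s: bool = False               # 'flags S': match only SYN packets
    keep_state: bool = False            # 'keep state': remember the flow
class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()  # state: allowed 5-tuples

    def check(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State lookup comes before the rules: a reply to a tracked flow
        # passes without any inbound rule having to 'open' the ephemeral port.
        if fwd in self.state or rev in self.state:
            return "pass (state)"
        for r in self.rules:  # every rule is 'quick': first match decides
            if (r.direction, r.iface) != (p.direction, p.iface): continue
            if r.proto != "any" and r.proto != p.proto: continue
            if r.dport and r.dport != p.dport: continue
            if r.flags_s and not p.syn: continue
            if r.action == "pass" and r.keep_state:
                self.state.add(fwd)
            return r.action
        return "pass"  # ipf's default when no rule matches

def hme0_rules():  # condensed from the external-interface rules in the thread
    return [Rule("pass", "out", "hme0", keep_state=True),
            Rule("block", "in", "hme0", proto="icmp"),
            Rule("pass", "in", "hme0", "tcp", 22, flags_s=True, keep_state=True),
            Rule("block", "in", "hme0")]  # the final 'block in log first quick'
def demo():
    fw = Firewall(hme0_rules())
    me, peer = "192.0.2.10", "203.0.113.5"  # constructed documentation addresses
    outbound = Pkt("out", "hme0", "tcp", me, 40000, peer, 80, syn=True)
    reply = Pkt("in", "hme0", "tcp", peer, 80, me, 40000)
    unsolicited = Pkt("in", "hme0", "tcp", peer, 4444, me, 40000, syn=True)
    ssh_syn = Pkt("in", "hme0", "tcp", peer, 4444, me, 22, syn=True)
    ssh_ack = Pkt("in", "hme0", "tcp", peer, 4444, me, 22)  # later segment
    return [fw.check(x) for x in (outbound, reply, unsolicited, ssh_syn, ssh_ack)]
```

The reply to the tracked outbound connection passes on state alone, an unsolicited packet to the same local port is still caught by the final block rule, and the non-SYN segment of the SSH session passes only because "flags S keep state" created state on the SYN.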


Re: dual boot; Linux, FreeBSD

2006-06-10 Thread julien Chaffraix

Hello,

I have made the same configuration (Debian and FreeBSD). I used Grub and 
it works very well, here is the entry in menu.lst:


title   FreeBSD
root    (hd0,0)
makeactive
chainloader +1
savedefault
boot

(It is strange that the entry is not the same as in the previous answer!?)

I also implemented swap sharing as it is presented in the 
mini-howto Linux-FreeBSD 
(http://www.faqs.org/docs/Linux-mini/Linux+FreeBSD.html). The howto is a 
bit old, but you can follow it.


Cheers,

Julien

Hunter Fuller wrote:
Grub does well for me. Set it up for Linux and then set it up for BSD, 
making sure the UFS driver's in there. Here's my command-list for 
booting FBSD.


root (hd0,0,a)
kernel /boot/loader
boot

I might have the spacing wrong, I'm doing it from memory, but the 
data's all there.


On 10 Jun 2006, at 1:26 AM, jekillen wrote:


Hello;
If I want to set up a dual boot of either Linux or FreeBSD, what is 
the best way to go about it? Use Lilo, grub, or does FreeBSD have a 
boot loader that it likes better and Linux won't object to?

I'm planning on using Debian on a separate bootable hard drive. I 
have to get more info on what version of Debian I will use. FreeBSD is 
version 6.0 release. It works great, has little quirks here and there, 
but they are negligible: the Xwindow screen saver daemon won't run, but 
that's ok because mostly I shut the monitor off when not using the 
system. Gnome throws up a dialog every time it starts stating that a 
panel is already running. Once it kept presenting the same dialog 
several times before it was satisfied that I got the message. Monitor 
works great without any intervention from me. It sure is nice to have a 
computer system that just runs and runs and I don't have to do 
fingernail biting trying to stay ahead of crashes.

Thanks in advance:
JK
