If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK,
then you need to explicitly allow each service to leave the interface,
as well as come in thru the interface. For example add:
pass in quick proto tcp from any to any port = 53 keep state keep keep state frags
pass in quick
correction,
I meant
pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags
I did it in kind of a hurry.
On Jan 17, 2005, at 3:33 PM, Alvaro J. Gurdián wrote:
If you compiled your kernel, and added
Hello,
Now reading this - maybe you left out the default action at the top of
the ruleset? - I only see pass rules and unless you compiled your kernel
with default block, then default is pass, leaving your host with no
effective firewall at all.
Should suffice just to flush the rules, unless
Kövesdán Gábor wrote:
Anyway, thanks for your ideas, which were very useful for me. I'm now using
the catch-all rules as you suggested. You also mentioned there can be some
problems with the ftp server. Could you tell me, please, what you meant? Ftp
hasn't been running yet, so I can't test it, but
Hi,
I have some trouble with the ipf configuration. I made the following
ruleset:
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state
Kövesdán Gábor wrote:
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
First I see that you have left out on rl0 in this line.
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
Hello,
Thanks for your answer, I've modified my rules as you suggested, but I
haven't made groups yet. Thus the new ruleset is:
# I don't want to filter outgoing packets
pass out quick all
# The incoming packets for dhcp, dns, ssh, mail, ftp, www
pass in quick on rl0 proto udp from any to any
Kövesdán Gábor wrote:
Thanks for your answer, I've modified my rules as you suggested, but I
haven't made groups yet. Thus the new ruleset is:
But did you resolve the named problem?
# I don't want to filter outgoing packets
pass out quick all
# The incoming packets for dhcp, dns, ssh, mail, ftp, www
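As an added example (not from any poster in this thread), here is a small ipf ruleset linter that checks for the three problems raised above: no catch-all `block in all` / `block out all` at the top when the kernel was not built with IPFILTER_DEFAULT_BLOCK, a `pass in` rule that forgot `on rl0`, and typing slips such as a doubled `keep`. The sample rulesets are constructed to resemble the posted one; the rule lines are not the poster's file.

```python
import re

# Constructed sample ruleset, modelled on the one posted in this thread
# (the poster's own file is not reproduced here).
POSTED_RULES = """\
# I don't want to filter outgoing packets
pass out quick all
# The incoming packets for dhcp, dns, ssh, mail, ftp, www
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
"""

# Same ruleset with the two fixes raised in the thread applied (constructed).
FIXED_RULES = """\
block in all
block out all
pass out quick all
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
"""

RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b(.*)$")


def lint_ipf(text, default_block_kernel=False):
    """Return (lineno, message) findings; lineno 0 means 'whole ruleset'."""
    rules = []  # (lineno, action, direction, remaining tokens)
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, "unrecognised rule"))
            continue
        rules.append((n, m.group(1), m.group(2), m.group(3).split()))
    # 1. Without IPFILTER_DEFAULT_BLOCK in the kernel, unmatched packets pass,
    #    so the ruleset itself must open with catch-all block rules.
    if not default_block_kernel:
        for direction in ("in", "out"):
            if not any(a == "block" and d == direction and t and t[-1] == "all"
                       and "on" not in t for _, a, d, t in rules):
                findings.append((0, f"no default 'block {direction} all' rule"))
    # 2. With a default-block kernel, outgoing traffic needs pass out rules too.
    elif not any(a == "pass" and d == "out" for _, a, d, _ in rules):
        findings.append((0, "default-block kernel but no 'pass out' rules"))
    for n, action, direction, tokens in rules:
        # 3. A 'pass in' rule with no 'on <iface>' matches on every interface.
        if action == "pass" and direction == "in" and "on" not in tokens:
            findings.append((n, "pass in rule not bound to an interface"))
        # 4. Typing slips such as 'keep state keep keep state frags'.
        if tokens.count("state") > 1 or any(
                a == b == "keep" for a, b in zip(tokens, tokens[1:])):
            findings.append((n, "duplicated 'keep' keyword"))
    return findings
```

Run `lint_ipf(POSTED_RULES)` to see the two missing block rules and the line-5 interface finding; `lint_ipf(FIXED_RULES)` returns an empty list.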