From owner-freebsd-questions Tue Dec 17 14:44:40 2002
Message-ID: <20021217224437.30028.qmail@web12003.mail.yahoo.com>
Date: Wed, 18 Dec 2002 09:44:37 +1100 (EST)
From: Keith Spencer
Subject: Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
To: Fernando Gleiser
Cc: fbsd
In-Reply-To: <20021217102839.C52840-100000@cactus.fi.uba.ar>

Fi,

Here is the Schlacter rule set... mine is identical!
But options IPFILTER_DEFAULT_BLOCK blocks everything always!
Machine can't ADSL PPPoE connect etc. etc.
Any clues?
Mine is a new 4.7 release P4 845 chipset machine.

PS: rules are at the very end of this message.

--- Fernando Gleiser wrote:
> On Tue, 17 Dec 2002, Keith Spencer wrote:
>
> > Hi all,
> > Marty Schlacter is obviously the man. I am following
> > his firewall tute religiously but I am doing something
> > wrong!
> > I have an ipf.rules EXACTLY like his. Works a
> > treat... but only if I remove the kernel
> > ipfilter_default_block option.
> > If it is in there... it blocks way too well.
> > Everything.
> > What is going on here or has Marty got it all wrong?
>
> Are you using the 'quick' keyword?
> If you don't, ipf uses last-match checking, and the last rule is 'block all'.
>
> See the IPF HOWTO for details.

+++++++++++ipf.rules++++++++++++++++++++++++++++++

######################################################
# Inside Interface
#####################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
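The 'quick' versus last-match point raised in the reply, and the effect of IPFILTER_DEFAULT_BLOCK on packets no rule mentions, can be seen with a small simulator of ipf's rule evaluation. This is an added example, not code from the thread or from IPFilter; it models only the fields the quoted rules use (no state table, no groups), and 'tun0' is an assumed name for an interface that the rule set does not cover.

```python
# Added example: simplified model of IPFilter rule evaluation.
# Assumptions: no 'keep state' table, no rule groups; only direction,
# interface and protocol are matched. 'tun0' below is an assumed interface name.

def parse_rule(line):
    """Parse one ipf rule in the form used in the quoted rule set."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": None, "proto": None}
    if "on" in toks:
        rule["iface"] = toks[toks.index("on") + 1]
    if "proto" in toks:
        rule["proto"] = toks[toks.index("proto") + 1]
    return rule

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"]))

def ipf_decide(rules, pkt, default_block):
    """Return 'pass' or 'block'. Without 'quick' the LAST matching rule wins;
    a matching 'quick' rule ends the search at once. If no rule matches, the
    kernel default applies: block with IPFILTER_DEFAULT_BLOCK, otherwise pass."""
    last = None
    for rule in rules:
        if matches(rule, pkt):
            last = rule["action"]
            if rule["quick"]:
                return last
    if last is not None:
        return last
    return "block" if default_block else "pass"

# Constructed subset of the rule set quoted in the thread (inbound side only).
RULES_TEXT = """
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
block in quick on ed1 all
pass in quick on lo0 all
"""
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
# The same rules with every 'quick' removed, to show last-match behaviour.
RULES_NO_QUICK = [dict(r, quick=False) for r in RULES]

TCP_IN_ED1 = {"dir": "in", "iface": "ed1", "proto": "tcp"}
TCP_IN_TUN0 = {"dir": "in", "iface": "tun0", "proto": "tcp"}  # no rule covers tun0

if __name__ == "__main__":
    print(ipf_decide(RULES, TCP_IN_ED1, True))           # pass: first 'quick' match wins
    print(ipf_decide(RULES_NO_QUICK, TCP_IN_ED1, True))  # block: last match is 'block in ... all'
    print(ipf_decide(RULES, TCP_IN_TUN0, True))          # block: no match, default block
    print(ipf_decide(RULES, TCP_IN_TUN0, False))         # pass: no match, default pass
```

The last two calls show the part that 'quick' does not fix: with IPFILTER_DEFAULT_BLOCK compiled in, any interface the rule set never names gets every packet dropped, so each interface that carries traffic needs its own rules.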