From: Keith Spencer
Date: Wed, 18 Dec 2002 09:48:09 +1100 (EST)
Subject: OOPS....Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
To: Fernando Gleiser
Cc: fbsd
In-Reply-To: <20021217102839.C52840-100000@cactus.fi.uba.ar>

Sorry guys, the copy/paste mucked up on me... Here is the full rule set I am using...

#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on ed0 proto tcp from any to any port = 25 keep state
# pass out quick on ed0 proto tcp from any to any port = 110 keep state
# pass out quick on ed0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on ed0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on ed0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on ed0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on ed0 from 127.0.0.0/8 to any       #loopback
block in log quick on ed0 from 0.0.0.0/8 to any         #loopback
block in log quick on ed0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on ed0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on ed0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on ed0 from 224.0.0.0/3 to any           #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
# pass in quick on ed0 proto tcp from any to any port = 80 flags S keep state keep frags
# pass in quick on ed0 proto tcp from any to any port = 25 flags S keep state keep frags
# pass in quick on ed0 proto tcp from X.X.X.X/32 to any port = 22 flags S keep state keep frags

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
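Added example, not part of Keith's mail and not ipf's own code: a small Python simulator of ipf's rule evaluation over a subset of the rules above, so you can predict which rule decides a given packet and confirm that a packet no rule matches falls through to the IPFILTER_DEFAULT_BLOCK behaviour. It assumes a `quick` match ends evaluation, that a non-quick match is overridden by any later match, and it skips `keep state`, `keep frags`, `flags` and `log`, so stateful replies are not modelled; the sample packets use documentation addresses and the X.X.X.X DHCP rule is left out.

```python
# Added example, not from the original mail: first-match simulator for ipf rules.
# Assumes `quick` stops at the first match, later non-quick matches override earlier
# ones, and an unmatched packet is blocked (IPFILTER_DEFAULT_BLOCK); state is ignored.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?|\s+all)"
)

RULES = """
pass out quick on ed0 proto tcp from any to any keep state
block out quick on ed0 all
block in log quick on ed0 from 192.168.0.0/16 to any
block return-rst in log quick on ed0 proto tcp from any to any
block in log quick on ed0 all
pass in quick on ed1 proto tcp from any to any keep state
""".strip().splitlines()

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    g = m.groupdict()
    net = lambda s: None if s in (None, "any") else ipaddress.ip_network(s, strict=False)
    return {"action": g["action"], "dir": g["dir"], "quick": bool(g["quick"]),
            "iface": g["iface"], "proto": g["proto"], "src": net(g["src"]),
            "dst": net(g["dst"]), "port": int(g["port"]) if g["port"] else None}

def matches(rule, pkt):
    # pkt: dict with dir, iface, proto, src, dst and optional dport
    if (rule["dir"], rule["iface"]) != (pkt["dir"], pkt["iface"]):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for end in ("src", "dst"):
        if rule[end] and ipaddress.ip_address(pkt[end]) not in rule[end]:
            return False
    return rule["port"] is None or rule["port"] == pkt.get("dport")

def evaluate(pkt, lines=RULES):
    """Return (action, rule text) that decides pkt, or the default block."""
    decision = ("block", "IPFILTER_DEFAULT_BLOCK: no rule matched")
    for line in lines:
        rule = parse_rule(line)
        if matches(rule, pkt):
            decision = (rule["action"], line)
            if rule["quick"]:
                break
    return decision
```

Feeding it a packet arriving on an interface with no rules at all (ed2 below) is the quickest way to see what the default block contributes, as opposed to the explicit `block in log quick on ed0 all` that already catches everything on ed0.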