Date: Tue, 17 Dec 2002 19:50:58 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Keith Spencer <bsd2000au@yahoo.com.au>
Cc: fbsd <freebsd-questions@freebsd.org>
Subject: Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
Message-ID: <20021217194625.K52840-100000@cactus.fi.uba.ar>
In-Reply-To: <20021217224437.30028.qmail@web12003.mail.yahoo.com>
On Wed, 18 Dec 2002, Keith Spencer wrote:

> Fi,
> Here is the Schlacter rule set...mine is identical!
> But options IPFILTER_DEFAULT_BLOCK blocks everything
> always! Machine can't adsl pppoe connect etc etc.
> Any clues? Mine is a new 4.7 release P4 845 chipset
> machine.......................
> PS rules are at very end of this message.

What's your internal interface? What's your external one? Is this box acting as a router? Are you using user ppp or mpd? How many NICs does this box have?

It seems to me that your ruleset is incomplete. Send the output of an 'ifconfig -a' after the ppp link is set up (when you've got the public IP).

Fer

> --- Fernando Gleiser <fgleiser@cactus.fi.uba.ar> wrote:
> > On Tue, 17 Dec 2002, Keith Spencer wrote:
> >
> > > Hi all,
> > > Marty Schlacter is obviously the man. I am following
> > > his firewall tute religiously but I am doing something
> > > wrong!
> > > I have an ipf.rules EXACTLY like his. Works a
> > > treat...but only if I remove the kernel
> > > ipfilter_default_block option.
> > > If it is in there...it blocks way too well.
> > > Everything.
> > > What is going on here or has Marty got it all wrong?
> >
> > Are you using the 'quick' keyword? If you don't, ipf
> > uses last-match checking, and the last rule is 'block all'.
> >
> > See the IPF HOWTO for details.
>
> +++++++++++ipf.rules++++++++++++++++++++++++++++++
> ######################################################
> # Inside Interface
> #####################################################
> #----------------------------------------------------------------
> # Allow out all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass out quick on ed1 proto tcp from any to any keep state
> pass out quick on ed1 proto udp from any to any keep state
> pass out quick on ed1 proto icmp from any to any keep state
> block out quick on ed1 all
>
> #----------------------------------------------------------------
> # Allow in all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass in quick on ed1 proto tcp from any to any keep state
> pass in quick on ed1 proto udp from any to any keep state
> pass in quick on ed1 proto icmp from any to any keep state
> block in quick on ed1 all
>
> #################################################################
> # Loopback Interface
> #################################################################
>
> #----------------------------------------------------------------
> # Allow everything to/from your loopback interface so you
> # can ping yourself (e.g. ping localhost)
> #----------------------------------------------------------------
> pass in quick on lo0 all
> pass out quick on lo0 all
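The two points made in the thread (ipf's last-match semantics without 'quick', and a ruleset that only covers ed1 and lo0 while IPFILTER_DEFAULT_BLOCK decides everything else) shown with an added Python toy simulator of ipf rule evaluation; this is not code from the thread or from IPFilter. The external PPPoE interface name tun0 is an assumption, which is exactly what the 'ifconfig -a' request is meant to settle.

```python
import re
# Subset of the ipf rule grammar actually used in the quoted ruleset.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: all| from any to any)?(?: keep state)?$")

def parse_rule(text):
    """Parse one ipf rule line into a dict (action, dir, quick, iface, proto)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    rule = m.groupdict()
    rule["quick"] = rule["quick"] is not None
    return rule

def evaluate(rules, packet, default_block):
    """Return 'pass' or 'block' for packet = {'dir', 'iface', 'proto'}.
    ipf is last-match: each matching rule overrides the verdict unless it is
    'quick', which stops evaluation. No match at all: the kernel default
    applies, block under IPFILTER_DEFAULT_BLOCK, otherwise pass."""
    verdict = "block" if default_block else "pass"
    for r in rules:
        if (r["dir"], r["iface"]) != (packet["dir"], packet["iface"]):
            continue
        if r["proto"] is not None and r["proto"] != packet["proto"]:
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict

# The ruleset quoted in the thread: inside interface ed1 plus loopback lo0.
THREAD_RULES = [parse_rule(s) for s in """
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all
pass in quick on lo0 all
pass out quick on lo0 all
""".strip().splitlines()]
# Constructed variant without 'quick': the trailing 'block all' wins by last-match.
NOQUICK_RULES = [parse_rule("pass in on ed1 proto tcp from any to any keep state"),
                 parse_rule("block in on ed1 all")]

def demo():
    lan = {"dir": "in", "iface": "ed1", "proto": "tcp"}
    ppp = {"dir": "out", "iface": "tun0", "proto": "tcp"}  # assumed PPPoE link name
    return {"lan_tcp": evaluate(THREAD_RULES, lan, True),             # pass
            "ppp_default_block": evaluate(THREAD_RULES, ppp, True),   # block
            "ppp_default_pass": evaluate(THREAD_RULES, ppp, False),   # pass
            "noquick_lastmatch": evaluate(NOQUICK_RULES, lan, False)}  # block
```

Traffic on the unlisted external interface matches no rule at all, so the kernel default alone decides it: that is why the same rules work once the option is removed.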