From owner-freebsd-questions Tue Dec 17 14:51:14 2002
Date: Tue, 17 Dec 2002 19:50:58 -0300 (ART)
From: Fernando Gleiser
To: Keith Spencer
Cc: fbsd
Subject: Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
In-Reply-To: <20021217224437.30028.qmail@web12003.mail.yahoo.com>
Message-ID: <20021217194625.K52840-100000@cactus.fi.uba.ar>

On Wed, 18 Dec 2002, Keith Spencer wrote:

> Fi,
> Here is the Schlacter rule set... mine is identical!
> But options IPFILTER_DEFAULT_BLOCK blocks everything always! Machine can't ADSL PPPoE connect etc. etc.
> Any clues? Mine is a new 4.7 release P4 845 chipset machine.......................
> PS rules are at very end of this message.

What's your internal interface? What's your external one? Is this box acting as a router? Are you using user ppp or mpd? How many NICs does this box have?

It seems to me that your ruleset is incomplete.
Send the output of an 'ifconfig -a' after the ppp link is set up (once you have the public IP).

			Fer

> --- Fernando Gleiser wrote:
> > On Tue, 17 Dec 2002, Keith Spencer wrote:
> >
> > > Hi all,
> > > Marty Schlacter is obviously the man. I am following his firewall tute religiously but I am doing something wrong!
> > > I have an ipf.rules EXACTLY like his. Works a treat... but only if I remove the kernel ipfilter_default_block option.
> > > If it is in there... it blocks way too well. Everything.
> > > What is going on here or has Marty got it all wrong?
> >
> > Are you using the 'quick' keyword? If you don't, ipf uses last-match checking, and the last rule is 'block all'.
> >
> > See the IPF HOWTO for details.
>
> +++++++++++ipf.rules++++++++++++++++++++++++++++++
> ######################################################
> # Inside Interface
> #####################################################
> #----------------------------------------------------------------
> # Allow out all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass out quick on ed1 proto tcp from any to any keep state
> pass out quick on ed1 proto udp from any to any keep state
> pass out quick on ed1 proto icmp from any to any keep state
> block out quick on ed1 all
>
> #----------------------------------------------------------------
> # Allow in all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass in quick on ed1 proto tcp from any to any keep state
> pass in quick on ed1 proto udp from any to any keep state
> pass in quick on ed1 proto icmp from any to any keep state
> block in quick on ed1 all
>
> #################################################################
> # Loopback Interface
> #################################################################
> #----------------------------------------------------------------
> # Allow everything to/from your loopback interface so you
> # can ping yourself (e.g. ping localhost)
> #----------------------------------------------------------------
> pass in quick on lo0 all
> pass out quick on lo0 all
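The behaviour the thread is about can be reproduced without a FreeBSD box. The block below is an added example, not code from the thread or from IPFilter: a small simulator of ipf's rule-matching order that parses the inside-interface and loopback rules exactly as posted above and runs the same packets through them with and without IPFILTER_DEFAULT_BLOCK. It also carries a constructed ruleset without 'quick' to show the last-match rule Fernando mentions in his first reply. The external interface name tun0 (what user ppp would create) is an assumption, 'keep state' is ignored, and only 'from any to any' / 'all' addresses are parsed.

```python
"""Minimal simulator of IPFilter (ipf) rule-matching order.

Added example, not code from the thread or from IPFilter. It models only
what the thread turns on: rules are scanned top to bottom; the LAST
matching rule wins unless a matching rule says 'quick', which stops the
scan at once; a packet matching no rule at all gets the kernel default,
which is pass unless the kernel was built with
'options IPFILTER_DEFAULT_BLOCK'. 'keep state' is ignored and only
'from any to any' / 'all' addresses are supported. The external
interface name tun0 is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<quick>quick))?"
    r"\s+on\s+(?P<iface>\S+)"
    r"\s+(?:all|(?:proto\s+(?P<proto>\S+)\s+)?from\s+any\s+to\s+any)"
    r"(?:\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    action: str           # 'pass' or 'block'
    direction: str        # 'in' or 'out'
    quick: bool           # stop scanning as soon as this rule matches
    iface: str            # interface the rule applies to
    proto: Optional[str]  # None means any protocol


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(Rule(m["action"], m["dir"], m["quick"] is not None,
                          m["iface"], m["proto"]))
    return rules


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str,
             default_block: bool = False) -> Tuple[str, Optional[int]]:
    """Decide one packet: (verdict, index of deciding rule, None = kernel default)."""
    verdict = "block" if default_block else "pass"
    decided_by: Optional[int] = None
    for idx, r in enumerate(rules):
        if r.direction != direction or r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        verdict, decided_by = r.action, idx   # last match wins...
        if r.quick:                           # ...unless it is 'quick'
            break
    return verdict, decided_by


# The inside-interface and loopback rules exactly as posted in the thread.
POSTED_RULES = """
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# Constructed ruleset without 'quick', to show last-match semantics.
LAST_MATCH_RULES = """
pass in on tun0 proto tcp from any to any
block in on tun0 all
"""


def posted_ruleset_verdicts() -> dict:
    """Same packets against the posted rules with and without IPFILTER_DEFAULT_BLOCK."""
    rules = parse_rules(POSTED_RULES)
    return {
        # LAN traffic on ed1 hits an explicit rule, so the default never matters
        "lan_tcp_in/default_pass": evaluate(rules, "in", "ed1", "tcp")[0],
        "lan_tcp_in/default_block": evaluate(rules, "in", "ed1", "tcp", True)[0],
        # traffic on the (assumed) external interface tun0 matches NO rule,
        # so only the kernel default decides: this is what kills the PPPoE link
        "ext_tcp_out/default_pass": evaluate(rules, "out", "tun0", "tcp")[0],
        "ext_tcp_out/default_block": evaluate(rules, "out", "tun0", "tcp", True)[0],
    }


def last_match_verdict() -> str:
    """Without 'quick', the later 'block in on tun0 all' overrides the earlier pass."""
    return evaluate(parse_rules(LAST_MATCH_RULES), "in", "tun0", "tcp")[0]


if __name__ == "__main__":
    for name, verdict in posted_ruleset_verdicts().items():
        print(f"{name:28} -> {verdict}")
    print("last-match, no quick         ->", last_match_verdict())
```

The point the simulation makes is the one Fernando raises: a ruleset with rules only for ed1 and lo0 leaves every packet on the PPPoE interface unmatched, and IPFILTER_DEFAULT_BLOCK turns "unmatched" from pass into block, so the link itself never comes up. On the real box, `ipfstat -hio` lists the loaded in/out rules with their hit counts, which shows directly whether the external-interface packets are hitting any rule at all, and adding `log` to the block rules (with ipmon running) records what is being dropped and on which interface.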