From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "RYAN vAN GINNEKEN"
Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 21 Jun 2005 17:19:54 -0400
Subject: RE: ipf not working correctly???
In-Reply-To: <42B87130.6050203@computerking.ca>

Your first problem is you have ipfw and ipf both turned on in the kernel and rc.conf. You can only have one firewall on at a time. Remove all "firewall" and ipf statements from the kernel and recompile, or just use the generic kernel. Then remove all "firewall" and "natd" statements from rc.conf. Then go back and read the FreeBSD handbook section on firewalls; it has been updated to give detailed instructions on what to do.
Follow them to the letter and you will be all set.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of RYAN vAN GINNEKEN
Sent: Tuesday, June 21, 2005 3:58 PM
To: freebsd-questions@freebsd.org
Subject: ipf not working correctly???

Hello all, I use FreeBSD stable 4.11 and wish to use the built-in ipf version 3.x something. I have been using ipfw with type set to open; however, I have recently been attacked and need to beef up security. I have followed the basic setup that is in the FreeBSD handbook and read through the world famous ipf howto lots of times. Currently I have the below options compiled into my kernel; the docs I have read say you do not need to compile ipfilter options into the kernel to use it. I was going to uncomment the ipfilter stuff and comment out the ipfirewall options when I got ipfilter working. Is it necessary to recompile the kernel without ipfirewall options to make ipfilter work?

Kernel OPTIONS ========================

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
#options IPFILTER
#options IPFILTER_LOG
#options IPFILTER_DEFAULT_BLOCK

IN MY /etc/rc.conf ==========================

#IPF & IPNAT
ipfilter_enable="YES"               # Start ipf firewall
#ipfilter_rules="/etc/ipf.rules"    # loads rules definition text file
ipfilter_rules="/etc/ipfopen.rules"
ipmon_enable="YES"                  # Start IP monitor log
ipmon_flags="-Ds"                   # D = start as daemon, s = log to syslog, v =
ipnat_enable="YES"                  # Start ipnat function
ipnat_rules="/etc/ipnat.rules"      # rules definition file for ipnat

AS WELL AS THIS TO TURN OFF IPFILTER AND NATD

#IPFW & NATD
firewall_enable="NO"
firewall_type="OPEN"
firewall_quiet="NO"
#firewall_script="/etc/rc.firewall"
natd_enable="NO"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

HERE IS /etc/ipnat.rules =============================================

# the rule that forwards everything
map xl0 192.168.0.0/16 -> 0/32

#VNC HOSTS
#HOST 1
#java
rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
#no java
rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901
#HOST 2
#java
rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
#no java
rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902
===============================================================

PLEASE FIND MY ipf.rules ATTACHED TO this email. I have even tried to use the following rule set to see if I could get ipf to work as an open firewall, but it still seems to block too much.

===============================================================
pass out quick on lo0 all
pass in quick on lo0 all
pass out quick on xl1 all
pass in quick on xl1 all
pass out quick on xl0 all
pass in quick on xl0 all
===============================================================

When I ping google.ca I get errors about unknown hostname. When I ping Google's IP address I get permission denied over and over again. When I try to use lynx I get alert destination host unreachable. Seems like DNS?? When I turn off ipf and use ipfw set to open, everything works fine again. Please, someone help; what is going wrong? ipmon/ipfstat do not seem to help but maybe I need some guidance with these tools.
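As an added example, not part of this thread and not FreeBSD's own tooling: a small POSIX sh lint that checks an rc.conf for the two things the reply above turns on, more than one firewall enabled at once (firewall_enable for ipfw and ipfilter_enable for ipf both set to YES), and lines with unbalanced double quotes, which matter because /etc/rc sources rc.conf as shell and an unterminated quote swallows the lines after it and silently changes later values. The sample rc.conf it writes is constructed to show both problems; the temp-file path and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf for (1) ipfw and ipf
# enabled at the same time and (2) unbalanced double quotes. The variable
# names are the FreeBSD rc.conf knobs quoted in the mail; the file and the
# function names are assumptions for this example.

# Constructed sample in the spirit of the posted rc.conf, with both problems present.
SAMPLE_RC="${TMPDIR:-/tmp}/rc.conf.example.$$"
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
#IPF & IPNAT
ipfilter_enable="YES"              # Start ipf firewall
ipfilter_rules="/etc/ipfopen.rules"
ipnat_enable="YES"                 # Start ipnat function
#IPFW & NATD
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="NO
natd_interface="xl0"
EOF

# rc_value FILE VAR: value of the last assignment to VAR, trailing comment and quotes stripped
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//'
}

# count_unbalanced FILE: number of non-comment, non-blank lines with an odd number of double quotes
count_unbalanced() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '{ if ((split($0, q, "\"") - 1) % 2) c++ } END { print c + 0 }'
}

# firewall_conflict FILE: "yes" when both firewall_enable and ipfilter_enable are YES, else "no"
firewall_conflict() {
    on=0
    for var in firewall_enable ipfilter_enable; do
        if [ "$(rc_value "$1" "$var")" = "YES" ]; then
            on=$((on + 1))
        fi
    done
    if [ "$on" -gt 1 ]; then echo yes; else echo no; fi
}

# Report on the constructed sample; point the functions at /etc/rc.conf to check a real host.
echo "firewall conflict: $(firewall_conflict "$SAMPLE_RC")"
echo "lines with unbalanced quotes: $(count_unbalanced "$SAMPLE_RC")"
```

The quote check deliberately ignores comment lines, so a commented-out knob with a stray quote is not reported; the value lookup takes the last assignment, which is how the shell itself resolves a variable set twice in rc.conf.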