From: "Somphol B."
Delivered-To: freebsd-questions@freebsd.org
Subject: IPFILTER
Date: Wed, 10 Apr 2002 04:13:22 +0700

I am running FreeBSD 4.5-Release on a machine with 2 NICs. I have set up IPFILTER (to protect the host) with the following rules. It is fine for a few hours or sometimes a few days, then my machine was mysteriously frozen. I could ping, but couldn't ssh to the host. Logging in to the host, I couldn't even do nslookup. BTW, when the machine froze, the log does show that packets were blocked heavily.

Am I missing something obvious here?

# To reread the rules
# /sbin/ipf -Fa -f /etc/ipf.rules
#
pass in quick on lo0
pass out quick on lo0

#### allow pass out
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

#### OK allow HTTP (web)
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 80 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 80 keep state

# allow icmp echo request
pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 8 keep state
# allow icmp echo reply
pass in quick on fxp0 proto icmp from any to any icmp-type 0 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 0 keep state
# allow various icmp codes
pass in quick on fxp0 proto icmp from any to any icmp-type 3 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 3 keep state
# allow time-exceeded
pass in quick on fxp0 proto icmp from any to any icmp-type 11 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 11 keep state

### OK allow SSH
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 22 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 22 keep state

### OK allow SMTP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 25 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 25 keep state

### OK allow IMAP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 143 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 143 keep state

### OK allow POP3
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 110 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 110 keep state

### OK allow IMAPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 993 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 993 keep state

### OK allow POPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 995 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 995 keep state

### OK allow active FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port = 21 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port = 21 keep state

### allow passive FTP (see -U for man ftpd)
### allow port 1024 - 4999 for passive FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port 1024 >< 4999 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port 1024 >< 4999 keep state

block in log quick proto tcp from any to any
block in log quick all

Somphol.
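The two trailing "block in log quick" rules are what fill the log when the box stops answering, so the first thing to know is what those blocked packets are. The following is an added example, not part of the original post: a small Python tally of ipmon(8) block lines by interface, rule index, protocol, destination port and direction. The line layout is an assumption based on ipmon's default text output, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed ipmon(8) sample (not from the original post). The layout is
# assumed from ipmon's default text output:
#   date time iface @group:rule action src[,sport] -> dst[,dport] PR proto ... IN|OUT
SAMPLE_LOG = """\
10/04/2002 04:01:12.118422 fxp0 @0:44 b 203.0.113.7,1053 -> 192.0.2.10,53 PR udp len 20 61 IN
10/04/2002 04:01:12.618431 fxp0 @0:44 b 203.0.113.7,1053 -> 192.0.2.10,53 PR udp len 20 61 IN
10/04/2002 04:01:13.002113 fxp0 @0:43 b 198.51.100.9,2211 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
10/04/2002 04:01:13.402900 fxp1 @0:44 b 203.0.113.8,1054 -> 192.0.2.130,53 PR udp len 20 61 IN
10/04/2002 04:01:14.010000 fxp0 @0:43 b 198.51.100.9,2212 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
10/04/2002 04:01:14.200000 fxp0 @0:44 b 203.0.113.9 -> 192.0.2.10 PR icmp len 20 84 icmp echo/0 IN
10/04/2002 04:01:15.000000 fxp0 @0:20 p 198.51.100.3,40001 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
"""

# Ports are optional because ICMP lines carry none.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+) .*\b(?P<dir>IN|OUT)$"
)


def parse_line(line):
    """Return the fields of one ipmon line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] is not None else None
    return rec


def summarize_blocks(log_text):
    """Count blocked packets (action 'b') per (iface, rule, proto, dport, direction)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "b":
            continue  # skip passes, malformed lines and ipmon's own status text
        counts[(rec["iface"], rec["rule"], rec["proto"], rec["dport"], rec["dir"])] += 1
    return counts


def top_blocked(log_text, n=5):
    """The n busiest (iface, rule, proto, dport, dir) buckets, busiest first."""
    return summarize_blocks(log_text).most_common(n)
```

Run it over the real ipmon output instead of SAMPLE_LOG; the rule index in each bucket tells you which of the two block rules fired, and the protocol and destination port tell you which service's traffic is being dropped.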