From: Mark Woodson <mwoodson@sricrm.com>
Organization: Statistical Research, Inc.
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Aug 2003 14:00:52 -0700
Subject: Re: Blocking RIP requests on firewall
Message-Id: <200308131400.52471.mwoodson@sricrm.com>
In-Reply-To: <005201c361d4$08aaacf0$0701a8c0@darryl>

(top quoting makes following threads difficult)

On Wednesday 13 August 2003 12:49 pm, Darryl Hoar wrote:
> ipfstat -in shows:
>
> @1 pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
> @2 block return-rst in log quick on xl0 proto tcp from any to any
> @3 block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any

This line is blocking the router messages. Put the rule above it in the list and that should take care of it.

That message would seem to be in effect just blocking any udp traffic in on that interface.

I'm not sure that the rule is working like you expect it to. Not sure how to fix it, but I don't think icmp port-unreach's come in as udp packets.

> @4 block in quick on xl0 proto udp from 10.0.0.1/32 to any port = 520
> @5 block in log quick on xl0 from any to any
> @6 pass in quick on xl1 proto tcp from any to any flags S/FSRPAU
> @7 pass in quick on xl1 proto udp from any to any keep state
> @8 pass in quick on xl1 proto icmp from any to any keep state
> @9 block in quick on xl1 from any to any
> @10 pass in quick on lo0 from any to any
>
> I don't get it. The log entries seem to be from rip, but it's logging
> at rule 3.

If you ignore the return-icmp-as-dest(port-unr) it makes total sense, since it is denying any udp from any address coming in on xl0.

-Mark
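The ordering point made in this reply, worked through as an added example that is not code from the thread or from IPFilter itself: a small Python simulator that parses the quoted `ipfstat -in` list and applies ipf's first-match rules (a `quick` match ends evaluation; otherwise the last match wins). The packets are constructed: the router is taken to be 10.0.0.1 because that is the address in rules @1 and @4, and the RIP update is assumed to be a RIPv2 multicast to 224.0.0.9 (the destination does not matter here, since every rule on xl0 says `to any`). `keep state`, TCP `flags` and the return-rst / return-icmp-as-dest reply options are deliberately not modelled because they do not change which rule a packet matches.

```python
"""Added example (not code from the thread): first-match simulator for the ipf rule
list quoted above. Only the syntax in that `ipfstat -in` output is parsed; `keep
state`, `flags` and return-* options are ignored (they do not affect which rule matches)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

RULES_AS_POSTED = """\
@1 pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
@2 block return-rst in log quick on xl0 proto tcp from any to any
@3 block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
@4 block in quick on xl0 proto udp from 10.0.0.1/32 to any port = 520
@5 block in log quick on xl0 from any to any
@6 pass in quick on xl1 proto tcp from any to any flags S/FSRPAU
@7 pass in quick on xl1 proto udp from any to any keep state
@8 pass in quick on xl1 proto icmp from any to any keep state
@9 block in quick on xl1 from any to any
@10 pass in quick on lo0 from any to any
"""

@dataclass
class Rule:
    num: int
    action: str                       # "pass" or "block"
    log: bool = False
    quick: bool = False
    iface: str | None = None          # None means "any" for this and the fields below
    proto: str | None = None
    src: ipaddress.IPv4Network | None = None
    dst: ipaddress.IPv4Network | None = None
    sport: int | None = None
    dport: int | None = None

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int | None = None
    dport: int | None = None

def parse_rule(line: str) -> Rule:
    """Parse one `ipfstat -in` line of the dialect quoted above."""
    tok = line.split()
    rule = Rule(num=int(tok[0].lstrip("@")), action=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "quick"):
            setattr(rule, t, True)
        elif t in ("on", "proto"):
            i += 1
            setattr(rule, "iface" if t == "on" else "proto", tok[i])
        elif t in ("keep", "flags"):
            i += 1                    # skip the argument; state and flags not modelled
        elif t in ("from", "to"):
            i += 1
            net = None if tok[i] == "any" else ipaddress.ip_network(tok[i])
            port = None
            if tok[i + 1:i + 3] == ["port", "="]:   # optional "port = N" after the address
                port = int(tok[i + 3])
                i += 3
            setattr(rule, "src" if t == "from" else "dst", net)
            setattr(rule, "sport" if t == "from" else "dport", port)
        i += 1                        # "in" and return-* tokens need no handling
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))

def decide(text: str, pkt: Packet) -> Rule | None:
    """ipf ordering: the last matching rule wins unless a match is `quick`, which stops evaluation."""
    winner = None
    for rule in (parse_rule(l) for l in text.splitlines() if l.strip()):
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner

def move_before(text: str, move: int, before: int) -> str:
    """Re-emit the list with rule `move` ahead of `before`, renumbered by position as ipfstat would after a reload."""
    body = {int(l.split()[0][1:]): l.split()[1:] for l in text.splitlines() if l.strip()}
    order = [n for n in body if n != move]
    order.insert(order.index(before), move)
    return "\n".join(f"@{pos} " + " ".join(body[n]) for pos, n in enumerate(order, 1))

# Constructed packets from the router at 10.0.0.1: a RIPv2 update and a DHCP offer.
RIP_UPDATE = Packet("xl0", "udp", "10.0.0.1", "224.0.0.9", sport=520, dport=520)
DHCP_OFFER = Packet("xl0", "udp", "10.0.0.1", "255.255.255.255", sport=67, dport=68)

if __name__ == "__main__":
    hit = decide(RULES_AS_POSTED, RIP_UPDATE)
    print(f"RIP update is decided by @{hit.num} ({hit.action}, log={hit.log})")
```

With the list as posted, the RIP update from 10.0.0.1 is decided by @3 (block, logged), which is exactly the log noise the question describes; @4 never sees it. After `move_before(RULES_AS_POSTED, 4, 3)` the silent `block ... port = 520` rule sits at position 3 and catches the router's RIP first, while UDP from any other host on xl0 still falls through to the logging return-icmp rule, so the reordering quiets only the traffic the rule was written for. Because the simulator ignores `keep state`, it says nothing about replies to outbound traffic; it only answers the question of which rule a fresh inbound packet hits.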