From owner-freebsd-questions Wed Apr 3 5:12:24 2002
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <3CAAFF66.B8B1FC4F@liwing.de>
Date: Wed, 03 Apr 2002 15:11:02 +0200
From: Jens Rehsack
Organization: LiWing IT-Services
X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U)
MIME-Version: 1.0
To: Ramses van Pinxteren
Cc: freebsd-questions
Subject: Re: IPF and Nat question
References: <395ABDBC0952D211BB2A00104BB3F93906A1ACE1@nl-amv-mail03.cmg.nl>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ramses van Pinxteren wrote:
>
> Hello question solvers around the world,
>
> I have a problem with my firewall... I think (suspect) there is something
> wrong with the ordering of the rules but I am not sure. Can you please take a
> look at it and shoot me for the most stupid errors ever made??
>
> The problem I have is when I load the firewall NAT will not work anymore :-(
> Does anyone have a suggestion??

Does NAT stop working (a) after every reboot or (b) after reloading the firewall rules?
If a), please send your NAT rules and (if required) your other IP addresses.
If b), please reload NAT after reloading the firewall.
Maybe your ifconfig -a output is relevant, too?
> #############################
> #
> # Start firewall by blocking all incoming traffic
> #
> #############################
>
> block in on xl0 all
>
> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 0
> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 11
> block in quick on xl0 proto icmp from any to any

Doesn't make sense. "block in log quick" could make sense for a special rule,
but "block in all" is clear, isn't it?

> # The pass rules...
>
> #allow in FTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 20 flags S keep state keep frags
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 21 flags S keep state keep frags
>
> #allow in SSH
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 22 flags S keep state keep frags
>
> #allow in SMTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 25 flags S keep state keep frags
>
> #allow in DNS
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
> pass in quick on xl0 proto udp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
>
> #allow in WEB
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 80 flags S keep state keep frags
>
> #allow in CHAT
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 8000 flags S keep state keep frags
>
> block out on xl0 all
>
> # Only allow TCP, UDP and ICMP traffic out
> pass out quick on xl0 proto tcp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto udp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto icmp from 80.242.225.121/32 to any keep state
>
> #internal interface
> pass in quick on rl0 from any to any
> pass out quick on rl0 from any to any
>
> #Local loopback
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any

Your rules look as if they're correct.
A little bit paranoid in content, but I cannot see any error.

> I have compiled my kernel with default blocking enabled.

As it should be done :-)

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
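The quoted ruleset references two addresses that differ in a single octet (80.252.225.121 in the ICMP block rules, 80.242.225.121 in every pass rule), and it puts "flags S" on a UDP rule. Neither is mentioned in the thread; the following lint script is an added example (not from the thread or from IPFilter itself) that parses rules in the quoted ipf.rules syntax and flags exactly these two patterns, using a constructed subset of the quoted rules as input.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rules quoted in the thread, one rule per line.
RULES = """\
block in on xl0 all
block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 0
block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 11
pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 22 flags S keep state keep frags
pass in quick on xl0 proto udp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
pass out quick on xl0 proto tcp from 80.242.225.121/32 to any keep state
pass in quick on rl0 from any to any
"""
# IPv4 host part of an address, with an optional /prefix that is not captured.
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?\b")

def parse_rules(text):
    """Yield (action, words) for each rule line, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            yield words[0], words

def address_usage(text):
    """Map every host address to the sorted list of actions (block/pass) that mention it."""
    usage = defaultdict(set)
    for action, words in parse_rules(text):
        for addr in ADDR_RE.findall(" ".join(words)):
            usage[addr].add(action)
    return {addr: sorted(acts) for addr, acts in usage.items()}

def near_duplicates(text):
    """Pairs of addresses that differ in exactly one octet: the classic one-digit typo."""
    hosts = sorted(address_usage(text))
    return [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]
            if sum(x != y for x, y in zip(a.split("."), b.split("."))) == 1]

def flags_on_non_tcp(text):
    """Rules that match TCP flags although the protocol has none (e.g. UDP)."""
    return [" ".join(w) for _, w in parse_rules(text)
            if "flags" in w and "proto" in w and w[w.index("proto") + 1] != "tcp"]

if __name__ == "__main__":
    for addr, acts in address_usage(RULES).items():
        print(f"{addr:<16} used by: {', '.join(acts)}")
    for a, b in near_duplicates(RULES):
        print(f"near-duplicate addresses: {a} vs {b} (check for a typo)")
    for rule in flags_on_non_tcp(RULES):
        print(f"TCP flags on a non-TCP rule: {rule}")
```

Run against the full quoted ruleset, the output shows that the block rules and the pass rules never refer to the same host, which is worth confirming before concluding the rules are correct.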