From owner-freebsd-questions@FreeBSD.ORG Sun Aug 17 15:29:48 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EDB337B401 for ; Sun, 17 Aug 2003 15:29:48 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 854AF43F3F for ; Sun, 17 Aug 2003 15:29:47 -0700 (PDT) (envelope-from mwoodson@sricrm.com)
Received: (qmail 79329 invoked from network); 17 Aug 2003 22:29:45 -0000
Received: from adsl-67-119-136-12.dsl.lsan03.pacbell.net (HELO xp.sricrm.com) (67.119.136.12) by relay.pair.com with SMTP; 17 Aug 2003 22:29:45 -0000
X-pair-Authenticated: 67.119.136.12
Message-Id: <5.2.1.1.0.20030817143515.01904f90@pop3.sricrm.com>
X-Sender: mwoodson@sricrm.com@pop3.sricrm.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.1
Date: Sun, 17 Aug 2003 15:29:42 -0700
To: "geek" ,
From: Mark Woodson
In-Reply-To: <2305CFC39C15AA4896E06E5C91C509EF03743862@VS2.hdi.tvcabo>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: [JunkMail] IPF & DHCP request
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 17 Aug 2003 22:29:48 -0000

At 09:29 PM 8/17/2003 +0100, geek wrote:
>Hey guys, can you please post (those who have them) rules with DHCP involved?
>Because I'm in trouble: my firewall doesn't work because my ipf.rules doesn't
>work and I don't know why!!
>
>When I put in the rules "pass in/out all" I have access to the internet;
>otherwise, with my rules, I don't, and I have changed them so many times and
>they didn't work anyway. If anyone can help me:
>
>block in log all
>block out log all

This should be at the end. It's organizationally easiest if you break it up by interface.
I think it is overly restrictive, additionally.

>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass in quick on ep0 all
>pass out quick on ep0 all
>
>
>#Allow internal traffic to outside world
>pass out quick on ep1 proto tcp all keep state
>pass out quick on ep1 proto udp all keep state
>pass out quick on ep1 proto icmp all keep state
>
>
>#Allow traffic from outside
>#DNS
>pass in quick on ep1 proto udp from any to any port = 53 keep state

This really isn't necessary. You've allowed responses to queries by the pass out on the interface above.

>#DHCP [dhclient]
>pass in quick on ep1 proto udp from any to any port = 68 keep state keep frags

keep frags is really unnecessary.

I'd recommend the howto at this address.
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

-Mark
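The ruleset below is an added, complete ipf.rules laid out the way the reply suggests (one section per interface, default block at the end); it is not from the thread or from the linked howto. It assumes ep0 is the inside interface on a static 192.168.1.0/24 and ep1 is the outside interface whose address comes from dhclient; both the network and the interface names are assumptions. Two IPF facts the layout relies on: IPF is last-match-wins unless a rule says "quick", so the unqualified block rules are the default no matter where they sit relative to the quick pass rules (putting them at the end simply keeps the file readable); and the DHCP reply does not come back from the address the request was sent to (the request goes from 0.0.0.0:68 to 255.255.255.255:67, the OFFER/ACK comes from the server's own address, broadcast or unicast to the offered address), so state created by the outbound rule cannot match it and an explicit inbound rule on port 68 is what actually lets dhclient finish. The inbound port 53 rule from the original post is deliberately absent, since a DNS answer matches the state the outbound udp rule created.

```conf
# /etc/ipf.rules -- added example for the thread above, not from the
# original post.  Assumed layout:
#   ep0 = inside, 192.168.1.0/24 (assumption)
#   ep1 = outside, address from dhclient (assumption)
# IPF semantics: last matching rule wins unless it is "quick".

# --- loopback -------------------------------------------------------
pass in  quick on lo0 all
pass out quick on lo0 all

# --- inside interface: trusted --------------------------------------
pass in  quick on ep0 all
pass out quick on ep0 all

# --- outside interface ----------------------------------------------
# Anti-spoofing: packets arriving from outside must not claim an inside
# or loopback source.  Logged so the attempt is visible.
block in log quick on ep1 from 192.168.1.0/24 to any
block in log quick on ep1 from 127.0.0.0/8 to any

# DHCP client.  The DISCOVER/REQUEST leaves from 0.0.0.0:68 to
# 255.255.255.255:67; the OFFER/ACK returns from the server's own
# address, so the state from the outbound rule never matches it.
# Hence an explicit inbound rule, restricted to the DHCP port pair.
# No "keep frags": DHCP packets are small and never fragmented here.
pass out quick on ep1 proto udp from any port = 68 to any port = 67
pass in  quick on ep1 proto udp from any port = 67 to any port = 68

# Everything started from inside, with state kept for the replies.
# "flags S/SA" makes sure only the initial SYN creates TCP state.
# No "pass in ... port = 53" is needed: DNS answers match the state
# the outbound udp rule creates.
pass out quick on ep1 proto tcp  from any to any flags S/SA keep state
pass out quick on ep1 proto udp  from any to any keep state
pass out quick on ep1 proto icmp from any to any keep state

# Default deny for the outside interface, last so the file reads
# top-down.  Every pass above is "quick", so packets they match never
# reach these; everything else is logged and dropped.
block in  log on ep1 all
block out log on ep1 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon -o I` while running `dhclient ep1`: with the port 67/68 pair in place the only lines that should appear are from the block rules, and none of them should be udp 67 -> 68. If DHCP still fails, check `ipfstat -nio` to confirm the rule order loaded is the order in the file.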