From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Erik Norgaard
Cc: fbsd_user@a1poweruser.com, Maxim Vetrov, chris@i13i.com, freebsd-questions@freebsd.org
Date: Wed, 15 Feb 2006 18:12:57 +0200
Subject: Re: IPFILTER rule error
Message-ID: <20060215161257.GC23414@flame.pc>
In-Reply-To: <43F34782.60300@locolomo.org>
References: <43F3B343.5070802@mail.ru> <43F34782.60300@locolomo.org>

On 2006-02-15 16:23, Erik Norgaard wrote:
> Maxim Vetrov wrote:
> >################################################################################
> ># Internal interface #1 - rl0 (10.0.1.0/29)
> >#
> >################################################################################
> >
> >#%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly
> >%%%%%
> >block in log on rl0 all head 20
> >block out log on rl0 all head 25
> >#%%%%%%%%%%%%%%%%% Allow Sun RPC incoming calls
> >%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> >pass in quick on rl0 \
> >     proto tcp/udp from any to any port = sunrpc keep state group 20
> >pass in quick on rl0 \
> >     proto tcp/udp from any to any port = 717 keep state group 20
> ># the next line raises the error when uncommented
> >#pass out quick on rl0 \
> >#     proto udp from any to any port = 111 keep state group 20
>
> I think someone else already pointed at this: You try to add a rule for
> outbound traffic to the inbound group in the offending line. Try correcting
> to group 25.

That's true. I did post the relevant message:

  Date: Tue, 14 Feb 2006 17:13:33 +0200
  From: Giorgos Keramidas
  Subject: Re: IPFILTER rule error
  To: Maxim Vetrov
  Cc: norgaard@locolomo.org, chris@i13i.com

  [...]

  Note that you have only set up a group numbered '25' for outgoing
  traffic, but then attempt to add a rule to an outgoing group of '20'.
  This is the cause of the error you're seeing.

  This ruleset should work fine:

  # block in log on rl0 all head 20
  # block out log on rl0 all head 25
  #
  # pass in quick on rl0 \
  #     proto tcp/udp from any to any port = sunrpc keep state group 20
  # pass in quick on rl0 \
  #     proto tcp/udp from any to any port = 717 keep state group 20
  # pass out quick on rl0 \
  #     proto udp from any to any port = 111 keep state group 25

  [...]
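The mistake discussed in this thread (an `out` rule attached with `group 20` to a `head 20` that was declared `in`) is easy to catch before the ruleset is loaded. The checker below is an added example written for this page, not code from IPFilter, FreeBSD or any poster; it parses a ruleset in the form shown above (comments, blank lines, backslash continuations), records the direction of every `head N`, and reports any `group N` reference that has no head or whose direction differs from the head's. The two rulesets embedded in it are constructed from the thread; `logical_lines`, `parse_rule` and `check_groups` are names chosen here.

```python
#!/usr/bin/env python3
"""Static check of IPFilter rule groups.

A rule carrying ``group N`` is attached to the ``head N`` rule, and that head
must have the same direction (``in`` or ``out``).  This script parses a
ruleset the way the thread's examples are written (comments, blank lines and
backslash continuations) and reports group references that have no head or
that point at a head of the other direction.  Added example, not IPFilter code.
"""
import re
import sys

_NUM = re.compile(r"^\d+$")


def logical_lines(text):
    """Yield (lineno, rule) with '#' comments and blank lines removed and
    backslash-continued lines joined; lineno is the rule's first line."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                       # blank or comment-only line
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())  # continuation: keep collecting
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:                                # continuation left open at EOF
        yield start, " ".join(buf)


def parse_rule(rule):
    """Return (direction, head, group) for one rule; fields may be None."""
    toks = rule.split()
    direction = next((t for t in toks if t in ("in", "out")), None)

    def number_after(keyword):
        for i in range(len(toks) - 1):
            if toks[i] == keyword and _NUM.match(toks[i + 1]):
                return toks[i + 1]
        return None

    return direction, number_after("head"), number_after("group")


def check_groups(text):
    """Return a list of problem strings; an empty list means every 'group N'
    attaches to a 'head N' of the same direction."""
    rules = list(logical_lines(text))
    heads = {}                              # group number -> (direction, lineno)
    for lineno, rule in rules:
        direction, head, _ = parse_rule(rule)
        if head is not None and head not in heads:
            heads[head] = (direction, lineno)
    problems = []
    for lineno, rule in rules:
        direction, _, group = parse_rule(rule)
        if group is None:
            continue
        if group not in heads:
            problems.append(f"line {lineno}: group {group} has no head rule")
            continue
        head_dir, head_line = heads[group]
        if head_dir != direction:
            problems.append(
                f"line {lineno}: '{direction}' rule added to group {group}, "
                f"but head {group} (line {head_line}) is '{head_dir}'")
    return problems


# Constructed from the ruleset in the thread, with the offending rule
# uncommented: an 'out' rule attached to group 20, whose head is 'in'.
BROKEN = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \\
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \\
    proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \\
    proto udp from any to any port = 111 keep state group 20
"""

# The correction from the thread: attach the 'out' rule to the 'out' head.
FIXED = BROKEN.replace("port = 111 keep state group 20",
                       "port = 111 keep state group 25")

if __name__ == "__main__":
    # Usage: ipf_groups.py [ruleset-file]; with no argument the two
    # constructed rulesets above are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            targets = [(sys.argv[1], f.read())]
    else:
        targets = [("BROKEN", BROKEN), ("FIXED", FIXED)]
    for name, text in targets:
        found = check_groups(text)
        print(f"{name}: {'ok' if not found else 'problems found'}")
        for p in found:
            print("  " + p)
```

Run it against a real file with `python3 ipf_groups.py /etc/ipf.rules`. It only knows the head/group direction constraint, nothing else about ipf syntax, so it complements rather than replaces a dry-run load with `ipf -n -f /etc/ipf.rules`, which is the authoritative check for whether the kernel would accept the ruleset.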