From owner-freebsd-questions Thu May 16 9:06:29 2002
From: "Ivailo Tanusheff"
To: "IPFilter List", "FreeBSD Questions"
Subject: IPF blocking
Date: Thu, 16 May 2002 18:21:07 +0300
Message-ID: <006b01c1fced$4d47bbc0$cbf810ac@sof.procreditbank.bg>

Hi,

I'd set up a configuration as follows:

---------------------
192.168.0.1
xl0 = 192.168.0.2
xl1 = 172.16.0.133

My ipf log confuses me by indicating that some packets are blocked, but it seems to me that they must be part of an established connection whose keep state entry has timed out. But I'm not sure. Where may I read some more information about the logged tcp flags, and can you help me fix my configuration? On the FreeBSD box I'm running IPF, IPNat and Squid.

My configuration is:

Ipf.rules:

# Default to block
#block in all

#Accounting rules
count in on xl0 from any to any
count out on xl0 from 172.16.248.132 to any
count out on xl0 from any to any

#Allow lo
pass in quick on lo0 all
pass out quick on lo0 all

#Block spoofed
#block in log quick on xl0 head 10
block in log quick on xl0 from 172.16.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any
pass in quick on xl0 from any to 192.168.0.255

#Blocked ident
block return-rst in quick on xl0 proto tcp from any to any port = 113

#Allow icmp data
pass in quick on xl0 proto icmp from any to any icmp-type 0
pass in quick on xl0 proto icmp from any to any icmp-type 11
block in log quick on xl0 proto icmp from any to any
pass out quick on xl0 proto icmp from any to any keep state

#Allow xl0 traffic
pass in quick on xl0 proto tcp from any to 192.168.0.2/32 port = 22 flags S keep state keep frags
block in log quick on xl0 all
pass out quick on xl0 proto tcp from any to any keep state keep frags
pass out quick on xl0 proto udp from any to any keep state
block out log quick on xl0 all

Ipnat.rules:

rdr xl1 0.0.0.0/0 port 80 -> 192.168.0.2 port 3128 tcp/udp
map xl0 172.16.0.0/16 -> 192.168.0.2/32 proxy port ftp ftp/tcp
map xl0 192.168.0.2/32 -> 192.168.0.2/32 proxy port ftp ftp/tcp
map xl0 172.16.0.0/16 -> 192.168.0.2/32 portmap tcp/udp auto
map xl0 172.16.0.0/16 -> 0/32

Part of my log:

16/05/2002 18:03:51.444189 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2468 PR tcp len 20 60 -AS IN
16/05/2002 18:03:56.566281 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 44 -AS IN
16/05/2002 18:04:14.414834 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2483 PR tcp len 20 60 -AS IN
16/05/2002 18:04:36.201219 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:36.790868 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.043020 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.428832 3x xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:39.388519 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:41.322101 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:50.282449 xl0 @0:10 b 205.188.250.25,80 -> 192.168.0.2,2268 PR tcp len 20 40 -AF IN
16/05/2002 18:04:57.175856 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:05:03.340217 xl0 @0:10 b 208.215.236.71,80 -> 192.168.0.2,2547 PR tcp len 20 40 -A IN
16/05/2002 18:06:42.233714 xl0 @0:10 b 205.188.248.89,80 -> 192.168.0.2,2631 PR tcp len 20 52 -A IN
16/05/2002 18:12:52.891653 xl0 @0:10 b 216.136.226.107,80 -> 192.168.0.2,2914 PR tcp len 20 40 -A IN

su-2.05a# uname -a
FreeBSD gate 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #1: Fri May 10 13:46:09 EEST 2002     root@gate:/usr/obj/usr/src/sys/MYKERNEL  i386

Thanks in advance,

Ivailo Tanusheff
System Administrator and Security Advisor
ProCredit Bank
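Added example (editor's code, not part of Ivailo's mail or of the IPFilter distribution): a small parser for ipmon(8) lines in exactly the shape quoted above. It expands ipmon's "Nx" prefix (the "3x" line means three identical packets were collapsed into one entry), decodes the single-letter TCP flags that ipmon prints after the "-" (S=SYN, A=ACK, P=PSH, U=URG, F=FIN, R=RST), and tallies blocked tcp packets by flag combination and by flow. Every entry in the quoted log is a block ("b") at rule @0:10 of return traffic from port 80 to a high port on 192.168.0.2, so the flags say what kind of packet had no matching pass rule or state entry: "-AS" is a SYN/ACK answering an outbound SYN, "-AF" and "-A" are FIN and ACK segments from the middle or end of a connection, which is the "state entry gone" reading the mail asks about. The sample lines are copied from the mail; the interpretation strings in classify() are the editor's reading, not IPFilter output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four lines copied from the ipmon output quoted in the mail,
# including one with ipmon's "3x" prefix for identical consecutive packets.
SAMPLE_LOG = """\
16/05/2002 18:03:51.444189 xl0 @0:10 b 216.239.51.101,80 -> 192.168.0.2,2468 PR tcp len 20 60 -AS IN
16/05/2002 18:04:36.201219 xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:04:37.428832 3x xl0 @0:10 b 152.163.226.185,80 -> 192.168.0.2,2472 PR tcp len 20 40 -AF IN
16/05/2002 18:05:03.340217 xl0 @0:10 b 208.215.236.71,80 -> 192.168.0.2,2547 PR tcp len 20 40 -A IN
"""

# Single-letter TCP flags as ipmon prints them after the "-" on tcp lines.
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "P": "PSH", "U": "URG", "F": "FIN", "R": "RST"}
FLAG_ORDER = "SAFRPU"  # order used when building a readable label

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<repeat>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)


@dataclass
class LogEntry:
    timestamp: str
    repeat: int   # ipmon's "Nx" prefix, 1 when absent
    rule: str     # "group:rule", e.g. "0:10"
    action: str   # "b" blocked, "p" passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str    # raw flag letters, e.g. "AS"; empty for non-tcp lines


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one ipmon line; return None for lines in any other shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return LogEntry(
        timestamp=f"{g['date']} {g['time']}", repeat=int(g["repeat"] or 1),
        rule=f"{g['group']}:{g['rule']}", action=g["action"],
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        proto=g["proto"], flags=g["flags"] or "",
    )


def flag_label(flags: str) -> str:
    """Turn 'AS' into 'SYN+ACK'; letters not in the table are kept verbatim."""
    ordered = [c for c in FLAG_ORDER if c in flags] + [c for c in flags if c not in FLAG_ORDER]
    return "+".join(TCP_FLAG_NAMES.get(c, c) for c in ordered) or "none"


def classify(entry: LogEntry) -> str:
    """Editor's reading of what a blocked tcp packet with these flags means."""
    if entry.action != "b" or entry.proto != "tcp":
        return "not a blocked tcp packet"
    f = set(entry.flags)
    if f == {"S"}:
        return "new connection attempt (SYN) that no pass rule accepted"
    if f == {"S", "A"}:
        return "SYN/ACK reply with no state entry for the SYN it answers"
    if "R" in f:
        return "RST for a connection the firewall is not tracking"
    if "F" in f:
        return "FIN from an established connection with no matching state entry (never tracked or expired)"
    if "A" in f:
        return "mid-connection ACK with no matching state entry (never tracked or expired)"
    return "other flag combination"


def summarize(text: str) -> dict:
    """Count blocked tcp packets per flag label, expanding the 'Nx' repeat prefix."""
    counts: Counter = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and e.action == "b" and e.proto == "tcp":
            counts[flag_label(e.flags)] += e.repeat
    return dict(counts)


def flows(text: str) -> dict:
    """Blocked packets per 'src:sport -> dst:dport'; repeated hits on one flow are
    late packets of a single connection, not new traffic."""
    counts: Counter = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and e.action == "b":
            counts[f"{e.src}:{e.sport} -> {e.dst}:{e.dport}"] += e.repeat
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{e.timestamp} x{e.repeat} @{e.rule} {flag_label(e.flags):8} {classify(e)}")
    print(summarize(SAMPLE_LOG))
    print(flows(SAMPLE_LOG))
```

Run it against a saved ipmon log (for example the file ipmon writes with its -o option, or syslog output) and look first at flows(): a single remote port 80 to 192.168.0.2 pair that is hit repeatedly with ACK+FIN, as 152.163.226.185:80 -> 192.168.0.2:2472 is in the quoted log, is one web connection still being torn down after the firewall stopped tracking it, whereas a spread of SYN-only hits across many flows would be unsolicited inbound traffic.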