Date:      Thu, 1 Mar 2007 08:53:11 -0500
From:      "Don Munyak" <don.munyak@gmail.com>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   IPF (ftp - pkg_add) help requested
Message-ID:  <6207f7d90703010553t745460aap9cdc3f8a03ffaf69@mail.gmail.com>

I am building a FreeBSD box to function as a FAMP server (LAMP) and
hopefully replace our existing mail server. I am having an issue with
IPF that I can't seem to figure out.

*** When IPF is enabled, I can't run # pkg_add -r <package name>.

{...snip from local console..}
p0069# pkg_add -rv bash
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
Error: FTP Unable to get
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz:
Network is unreachable
pkg_add: unable to fetch
'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz'
by URL
pkg_add: 1 package addition's) failed
{...end-snip..}

*** When I disable ipf -D, all works fine.

IPF was compiled in the kernel when I did a buildworld.

p0069# uname -a
FreeBSD p0069.bm.local 6.1-RELEASE-p12 FreeBSD 6.1-RELEASE-p12 #0: Thu
Feb  8 13:55:26 EST 2007
don@p0069.bm.local:/usr/obj/usr/src/sys/WEBSERVER  i386
p0069#

When I issue ipfstat -ho after pkg_add -r, the following lines increment:
- pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
- pass out quick on em0 proto udp from any to any port = 53 keep state
- block out log first quick on em0 all

# ----------
# /etc/ipf.rules
# logged to /var/log/firewall.log
# 02/28/2007
# ----------

# ------------------
# EGRESS filtering
# ------------------

# No restriction on Loopback Adapter
pass in quick on lo0 all
pass out quick on lo0 all

# DHCP Bootp
# pass out quick on em0 proto udp from any to any port = 67 keep state
# pass out quick on em0 proto udp from any to any port = 68 keep state

# ICMP
pass out quick on em0 proto icmp from any to any keep state

# Allow out http
pass out quick on em0 proto tcp from any to any port = 80 flags S keep state
pass out quick on em0 proto tcp from any to any port = 443 flags S keep state

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

# Allow mail out
pass out quick on em0 proto tcp from any to any port = 110 flags S keep state
pass out quick on em0 proto tcp from any to any port = 143 flags S keep state
pass out quick on em0 proto tcp from any to any port = 25 flags S keep state

# Allow SSH Out
pass out quick on em0 proto tcp from any to any port = 22 flags S keep state

# Allow DNS
pass out quick on em0 proto udp from any to any port = 53 keep state
pass out quick on em0 proto tcp from any to any port = 53 flags S keep state

# Allow CVSUP
pass out quick on em0 proto tcp from any to any port = 5999 flags S keep state

# Keeping time
pass out quick on em0 proto tcp from any to any port = 37 flags S keep state
pass out quick on em0 proto tcp from any to any port = 123 flags S keep state

# Allow whois
pass out quick on em0 proto tcp from any to any port = 43 flags S keep state

# Razor & SpamAssassin
# more later

# Block and log the first occurrence of everything else
block out log first quick on em0 all

# -------------------------
# INGRESS Filtering
# ------------------------

# Block all inbound traffic from non-routable or reserved networks
# block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/8 to any
block in quick on em0 from 169.254.0.0/16 to any
# block in quick on em0 from 192.0.2.0/24 to any
block in quick on em0 from 204.153.64.0/23 to any
block in quick on em0 from 224.0.0.0/3 to any

# Block in Nasties
# stuff I don't want logged
block in quick on em0 proto icmp all icmp-type 8
block in quick on em0 all with frags
block in quick on em0 all with ipopts
block in quick on em0 all with short
# block return-rst in quick on em0 proto tcp all flags FUP
# block return-rst in quick on em0 proto tcp from any to any
# block return-icmp-as-digest(port-unr) in quick on em0 proto udp from any to any

# Block all NetBIOS servers. 137=name, 138=datagram, 139=session
block in log first quick on em0 proto tcp/udp from any to any port = 137
block in log first quick on em0 proto tcp/udp from any to any port = 138
block in log first quick on em0 proto tcp/udp from any to any port = 139
block in log first quick on em0 proto tcp/udp from any to any port = 81

# Allow in http/https
pass in quick on em0 proto tcp from any to any port = 80 flags S keep state
pass in quick on em0 proto tcp from any to any port = 443 flags S keep state

# allow incoming SSH
pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

# SMTP/POP/IMAP
pass in quick on em0 proto tcp from any to any port = 25 flags S keep state
pass in quick on em0 proto tcp from any to any port = 110 flags S keep state
pass in quick on em0 proto tcp from any to any port = 143 flags S keep state

# Anti-Virus
# more later

# All the rest
block in log first quick on em0 all

# --------- EOF ------------

TIA,
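An added illustration, not part of the original message: a minimal model of IPF first-match ("quick") evaluation applied to the egress rules quoted above. It traces the outbound packets of a passive-mode FTP fetch (DNS lookup, control connection to port 21, then a data connection to a server-chosen high port) and reports which rule decides each one. The rule subset is copied from the poster's file; the data port 50231 is a constructed sample value.

```python
"""Model of ipf 'quick' first-match evaluation over the poster's egress rules.
Added example; the high data port is constructed, the rule text is the poster's."""
from dataclasses import dataclass

# Copied from the poster's /etc/ipf.rules egress section, in file order.
EGRESS_RULES = [
    "pass out quick on em0 proto udp from any to any port = 53 keep state",
    "pass out quick on em0 proto tcp from any to any port = 20 flags S keep state",
    "pass out quick on em0 proto tcp from any to any port = 21 flags S keep state",
    "block out log first quick on em0 all",
]

@dataclass
class Packet:
    iface: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

def parse_rule(text):
    """Pull out the fields this model compares: action, interface, proto, dst port."""
    tok = text.split()
    rule = {"action": tok[0], "iface": tok[tok.index("on") + 1],
            "proto": None, "dport": None, "text": text}
    if "proto" in tok:
        rule["proto"] = tok[tok.index("proto") + 1]
    if "port" in tok:
        rule["dport"] = int(tok[tok.index("port") + 2])   # syntax is 'port = N'
    return rule

def matches(rule, pkt):
    """A rule with no proto or port matches any proto/port ('all')."""
    if rule["iface"] != pkt.iface:
        return False
    if rule["proto"] and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True

def first_match(rules, pkt):
    """'quick' semantics: the first matching rule decides the packet."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["action"], rule["text"]
    return "pass", "<no match: ipf default>"

def passive_ftp_trace(data_port=50231):
    """Outbound packets of 'pkg_add -r': DNS, FTP control, then the PASV data connection."""
    return {
        "dns":     first_match(EGRESS_RULES, Packet("em0", "udp", 53)),
        "control": first_match(EGRESS_RULES, Packet("em0", "tcp", 21)),
        "data":    first_match(EGRESS_RULES, Packet("em0", "tcp", data_port)),
    }
```

The three counters the poster saw incrementing (the port 21 pass rule, the port 53 pass rule and the final block rule) are exactly the three rules this trace returns.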