From: Keith Spencer <bsd2000au@yahoo.com.au>
Subject: Re: OOPS....Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
To: Fernando Gleiser
Cc: fbsd
Date: Fri, 20 Dec 2002 23:28:01 +1100 (EST)
Message-ID: <20021220122801.46383.qmail@web12007.mail.yahoo.com>
In-Reply-To: <20021217195855.V52840-100000@cactus.fi.uba.ar>
List: freebsd-questions@freebsd.org

--- Fernando Gleiser wrote:
> On Wed, 18 Dec 2002, Keith Spencer wrote:
>
> > sorry guys the copy paste mucked up on me...
> > Here is the full rule set I am using...
>
> But the questions I sent in my previous mail remain unanswered.
> post the answers and maybe I can tell what's wrong.
>
> #ifdef WILDGUESS
>
> if you are using user ppp, the outside interface is tun0, *not* ed0
> if that is the case, change ed0 into tun0 in the rules, reload
> and tell me if that works
>
> #endif

OK Guys...sorry to be a pain but here goes....
Thanks Keith

+++++++++++++IPF.RULES +++++++++++++++++++++
#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on tun0 proto tcp from any to any port = 25 keep state
# pass out quick on tun0 proto tcp from any to any port = 110 keep state
# pass out quick on tun0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
block out quick on tun0 all
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on tun0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on tun0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on tun0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on tun0 from 127.0.0.0/8 to any       #loopback
block in log quick on tun0 from 0.0.0.0/8 to any         #loopback
block in log quick on tun0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on tun0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on tun0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on tun0 from 224.0.0.0/3 to any           #Class D & E multicast
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
#pass in quick on tun0 proto udp from X.X.X.X/32 to any port = 68 keep state
#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 25 flags S keep state keep frags
#pass in quick on tun0 proto tcp from X.X.X.X/32 to any port = 22 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to 203.36.104.241 port = 22222 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to 203.36.104.241 port = 22 flags S keep state keep frags
pass in quick on tun0 proto udp from any to 203.36.104.241 port = 22 keep state
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep state keep frags
pass in quick on tun0 proto udp from any to any port = 443 keep state
pass in quick on tun0 proto tcp from any to 203.36.104.241 port = 3306 flags S keep state keep frags
pass in quick on tun0 proto udp from any to 203.36.104.241 port = 3306 keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
#   - Block TCP with a RST (to make it appear as if the service
#     isn't listening)
#   - Block UDP with an ICMP Port Unreachable (to make it appear
#     as if the service isn't listening)
#   - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
block out quick on dc0 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on dc0 proto tcp from any to any keep state
pass in quick on dc0 proto udp from any to any keep state
pass in quick on dc0 proto icmp from any to any keep state
block in quick on dc0 all
#################################################################
# Loopback Interface
#################################################################
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

+++++++++++IPFSTAT -hio ++++++++++++++++++++
47 pass out quick on tun0 proto tcp from any to any keep state
2508 pass out quick on tun0 proto udp from any to any keep state
0 pass out quick on tun0 proto icmp from any to any keep state
0 block out quick on tun0 from any to any
0 pass out quick on dc0 proto tcp from any to any keep state
0 pass out quick on dc0 proto udp from any to any keep state
0 pass out quick on dc0 proto icmp from any to any keep state
0 block out quick on dc0 from any to any
15 pass out quick on lo0 from any to any
0 block in log quick on tun0 from 192.168.0.0/16 to any
0 block in log quick on tun0 from 172.16.0.0/12 to any
16 block in log quick on tun0 from 10.0.0.0/8 to any
0 block in log quick on tun0 from 127.0.0.0/8 to any
0 block in log quick on tun0 from 0.0.0.0/8 to any
0 block in log quick on tun0 from 169.254.0.0/16 to any
0 block in log quick on tun0 from 192.0.2.0/24 to any
0 block in log quick on tun0 from 204.152.64.0/23 to any
0 block in quick on tun0 from 224.0.0.0/3 to any
437 pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
35 pass in quick on tun0 proto tcp from any to any port = 25 flags S/FSRPAU keep state keep frags
80 pass in quick on tun0 proto tcp from any to 203.36.104.241/32 port = 22222 flags S/FSRPAU keep state keep frags
1 pass in quick on tun0 proto tcp from any to 203.36.104.241/32 port = 22 flags S/FSRPAU keep state keep frags
0 pass in quick on tun0 proto udp from any to 203.36.104.241/32 port = 22 keep state
16 pass in quick on tun0 proto tcp from any to any port = 443 flags S/FSRPAU keep state keep frags
0 pass in quick on tun0 proto udp from any to any port = 443 keep state
0 pass in quick on tun0 proto tcp from any to 203.36.104.241/32 port = 3306 flags S/FSRPAU keep state keep frags
0 pass in quick on tun0 proto udp from any to 203.36.104.241/32 port = 3306 keep state
330 block return-rst in log quick on tun0 proto tcp from any to any
476 block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
0 block in log quick on tun0 from any to any
47 pass in quick on dc0 proto tcp from any to any keep state
2559 pass in quick on dc0 proto udp from any to any keep state
0 pass in quick on dc0 proto icmp from any to any keep state
0 block in quick on dc0 from any to any
15 pass in quick on lo0 from any to any

+++++++++++ ifconfig -a ++++++++++++++++++++++++
fxp0: flags=8843 mtu 1500
        inet6 fe80::203:47ff:fec9:8f2f%fxp0 prefixlen 64 scopeid 0x1
        ether 00:03:47:c9:8f:2f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        inet 10.0.0.1 netmask 0xfffff800 broadcast 10.0.7.255
        inet6 fe80::2c0:f0ff:fe57:6de3%dc0 prefixlen 64 scopeid 0x2
        inet 203.36.104.241 netmask 0xfffffff0 broadcast 203.36.104.255
        ether 00:c0:f0:57:6d:e3
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
tun0: flags=8051 mtu 1492
        inet 165.228.7.207 --> 165.228.7.1 netmask 0xffffffff
        Opened by PID 67
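A check worth running on output like the above, added here as example code and not part of the thread: rewrite the rules from ipf.rules the way ipfstat prints them and diff that against the loaded set, so you can see rules that never got loaded, rules loaded from somewhere other than the file, and file rules that are loaded but have a zero hit count. The normalisation covers only the rewrites visible in this mail ('all' to 'from any to any', a bare host to host/32, 'flags S' to 'S/FSRPAU'); RULES and IPFSTAT are constructed excerpts with one deliberate mismatch each way.

```python
# Constructed excerpts modelled on the ipf.rules and ipfstat -hio text in the mail above;
# the loaded set is deliberately out of step with the file to exercise the checks.
RULES = """pass out quick on tun0 proto tcp from any to any keep state
block out quick on tun0 all
block in log quick on tun0 from 10.0.0.0/8 to any        #RFC 1918 private IP
pass in quick on tun0 proto tcp from any to 203.36.104.241 port = 22 flags S keep state keep frags
pass in quick on tun0 proto udp from any to 203.36.104.241 port = 22 keep state
block return-rst in log quick on tun0 proto tcp from any to any
"""
IPFSTAT = """47 pass out quick on tun0 proto tcp from any to any keep state
0 block out quick on tun0 from any to any
16 block in log quick on tun0 from 10.0.0.0/8 to any
1 pass in quick on tun0 proto tcp from any to 203.36.104.241/32 port = 22 flags S/FSRPAU keep state keep frags
330 block return-rst in log quick on tun0 proto tcp from any to any
15 pass in quick on lo0 from any to any
"""

def normalize(rule):
    """Rewrite a rule from ipf.rules the way ipfstat -io prints it (rewrites seen in
    this mail: 'all' -> 'from any to any', bare host -> host/32, 'flags S' -> 'S/FSRPAU')."""
    toks = rule.split("#", 1)[0].split()          # drop trailing comments
    if not toks:
        return None                                # blank or comment-only line
    if toks[-1] == "all":
        toks[-1:] = ["from", "any", "to", "any"]
    for i in range(1, len(toks)):
        if toks[i - 1] in ("from", "to") and toks[i] != "any" and "/" not in toks[i]:
            toks[i] += "/32"
        elif toks[i - 1] == "flags" and "/" not in toks[i]:
            toks[i] += "/FSRPAU"
    return " ".join(toks)

def parse_ipfstat(text):
    """Map each loaded rule (normalised) to its hit count from ipfstat -hio output."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            loaded[normalize(parts[1])] = int(parts[0])
    return loaded

def audit(rules_text, ipfstat_text):
    """Return (rules in the file but not loaded, loaded rules not in the file,
    file rules loaded with a zero hit count)."""
    loaded = parse_ipfstat(ipfstat_text)
    wanted = [n for n in map(normalize, rules_text.splitlines()) if n]
    not_loaded = [r for r in wanted if r not in loaded]
    extra = [r for r in loaded if r not in wanted]
    never_hit = [r for r in wanted if loaded.get(r) == 0]
    return not_loaded, extra, never_hit
```

With the full file and the full ipfstat listing from the mail, the same three lists tell you whether what the kernel is filtering with is really what the file says.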