Date: Fri, 24 Mar 2000 17:38:01 +0000
From: Tim Bond
To: questions@freebsd.org
Subject: Question on ipf behaviour
Message-ID: <20000324173800.A1145@xira.demon.co.uk>

Hullo,

I would be grateful for advice on ipf, having read the ipf(8) manpage and the IP Filter webpage at http://coombs.anu.edu.au/~avalon/ip-filter.html and not found an answer to my problem. I've only just subscribed to this list, and whilst I've tried to search the archives for anything pertinent I may have missed a relevant thread.

I'm running FreeBSD 4.0-RELEASE on i386 architecture, ftp installed from ftp2.uk.freebsd.org yesterday evening, and have added:

    options INET
    pseudo-device ether
    device ed0 at isa? port 0x280 irq 10 iomem 0xd8000
    options IPFILTER

to my kernel configuration, wanting to operate IP Filter on an ethernet interface with an NE2000 card. I compiled, installed, and booted to this kernel, after which I verified that networking was functioning and had the following output from netstat -i:

    Name   Mtu    Network   Address             Ipkts  Ierrs   Opkts  Oerrs  Coll
    ed0    1500             **:**:**:**:**:**   63474      0    1955      0    28
    ed0    1500   ***.***   *******.***.**.     63474      0    1955      0    28
    ppp0*  1500                                     0      0       0      0     0
    lo0    16384                                  510      0     510      0     0
    lo0    16384  127       localhost             510      0     510      0     0

I then created a simple ruleset in ipf.rules as:

    # cat /etc/ipf.rules
    pass out all
    pass in all
    #

and loaded these rules into the inactive set with:

    # ipf -I
    # ipf -Fa -vf /etc/ipf.rules
    [pass out all]
    pass out from any to any
    [pass in all]
    pass in from any to any
    #

Verifying that packets still passed in and out over ed0 unblocked (they did), I changed rulesets with ipf -s and checked transport over ed0 again. According to ipfstat, packets were going out fine but being blocked on the way back in. Changing rulesets again with ipf -s, packets were no longer blocked.

This suggested to me that employing the ruleset in /etc/ipf.rules which stated 'pass in all' was having the effect I would expect from 'block in all'.

Asking around friends came up with no solutions, so I would be grateful if anyone could point me in the direction of what I'm doing wrong. I'm aiming for a simple ruleset to block all but a couple of privileged ports from all but a few 'trusted' hosts, but since the simplest ruleset seemed to work so badly in apparent contradiction to documentation I'm not sure how to write a successful ruleset.

Thanks in advance,
Tim
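As an added example (not part of Tim's post, and not taken from the IP Filter distribution), below is a ruleset of the kind described at the end of the message: everything arriving on ed0 is dropped except TCP connections to two privileged ports from a few trusted hosts. The trusted addresses 192.0.2.10 and 198.51.100.0/24 and the ports 22 and 25 are constructed placeholders; ed0 is the interface from the post. Two points from ipf(8) that a ruleset like this depends on: ipf applies the last matching rule unless a rule carries "quick", so the catch-all block is written first and every later pass is made quick; and the -I flag only affects the other operations on the same ipf command line, so loading into the inactive set and swapping is done as `ipf -I -Fa -f /etc/ipf.rules` followed by `ipf -s`, not as a bare `ipf -I` in one invocation and the load in another.

```ipf
# /etc/ipf.rules  (added example; 192.0.2.10 and 198.51.100.0/24 are
# constructed "trusted" addresses, 22 and 25 are placeholder ports)
#
# ipf uses the LAST matching rule unless a rule says "quick", so the
# catch-all block comes first and each later "pass" is made quick.

# Never filter the loopback interface.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default for ed0: drop (and log) everything that arrives.
block in log on ed0 all

# Trusted hosts may open TCP connections to sshd (22) and smtpd (25) only.
# "flags S" matches just the SYN that opens a connection; "keep state"
# then admits the rest of that connection without further pass rules.
pass in quick on ed0 proto tcp from 192.0.2.10      to any port = 22 flags S keep state
pass in quick on ed0 proto tcp from 192.0.2.10      to any port = 25 flags S keep state
pass in quick on ed0 proto tcp from 198.51.100.0/24 to any port = 22 flags S keep state
pass in quick on ed0 proto tcp from 198.51.100.0/24 to any port = 25 flags S keep state

# Connections the host itself initiates go out, and their replies come
# back in through the state table rather than through a "pass in all".
pass out quick on ed0 proto tcp  from any to any flags S keep state
pass out quick on ed0 proto udp  from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
```

After loading, `ipfstat -io` prints the active in and out rule lists and `ipfstat -hio` adds per-rule hit counts, which is the quickest way to confirm that the set just swapped in is the one that was intended and that the "block in log" line is the rule accumulating the drops.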