From: Nathan Watson
To: freebsd-questions@freebsd.org
Date: Sun, 10 Dec 2006 18:11:27 -0500 (EST)
Subject: ipf stateful rules
Hello,

I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my rules to work. The problem is mainly that I want no restrictions on outbound traffic, and I'm not sure how to apply stateful filtering to that. I have the following rule (hme0 is my external interface):

    pass out quick on hme0 all

If I change that to "pass out quick on hme0 all keep state," will that only open the port that the outbound packet was on? Are there any problems that can arise from allowing all outbound traffic?

At the moment, my ruleset doesn't pass packets at all... I'm just having lots of troubles here. My ruleset is below, and everything seems to be caught by the last block all rule. Any suggestions?

Thanks,
nwatson

# no restrictions on internal LAN
pass out quick on hme1 all
pass in quick on hme1 all

# no restrictions on loopback
pass out quick on lo0 all
pass in quick on lo0 all

# no outbound restrictions
pass out quick on hme0 all keep state

# block all from non-routable or reserved address space
block in quick on hme0 from 172.16.0.0/12 to any      # private
block in quick on hme0 from 10.0.0.0/8 to any         # private
block in quick on hme0 from 127.0.0.0/8 to any        # loopback
block in quick on hme0 from 0.0.0.0/8 to any          # "this" network (RFC 1122), never a valid source
block in quick on hme0 from 169.254.0.0/16 to any     # dhcp auto-config
block in quick on hme0 from 192.0.2.0/24 to any       # reserved for docs
block in quick on hme0 from 204.152.64.0/23 to any    # sun cluster interconnect
block in quick on hme0 from 224.0.0.0/3 to any        # class d & e multicast

# inbound blocks
block in quick on hme0 all with frags                                   # frags
block in quick on hme0 proto tcp all with short                         # short tcp packets
block in quick on hme0 all with opt lsrr                                # source routed packets
block in quick on hme0 all with opt ssrr                                # source routed packets
block in log first quick on hme0 proto tcp from any to any flags FUP    # nmap os fingerprint attempts, log
block in quick on hme0 all with ipopts                                  # anything with special options
block in quick on hme0 proto icmp all icmp-type 8                       # public pings
block in log first quick on hme0 proto tcp/udp from any to any port = 137   # netbios name
block in log first quick on hme0 proto tcp/udp from any to any port = 138   # netbios datagram
block in log first quick on hme0 proto tcp/udp from any to any port = 139   # netbios session
block in log first quick on hme0 proto tcp/udp from any to any port = 81    # hosts2 name server requests

# allow these
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state           # ssh
pass in quick on hme0 proto tcp from any to any port = 25 flags S keep state           # smtp
pass in quick on hme0 proto tcp from any to any port = 236 flags S keep state          # http
pass in quick on hme0 proto tcp from any to any port = 237 flags S keep state          # zimbra https
pass in quick on hme0 proto tcp from any to any port = 113 flags S keep state          # ident
pass in quick on hme0 proto tcp from any to any port 5800 >< 5900 flags S keep state   # vnc
pass in quick on hme0 proto tcp/udp from any to any port 6881 >< 6889 keep state       # bittorrent
pass in quick on hme0 proto tcp from any to any port = 7071 flags S keep state         # zimbra admin https

# block, log all remaining traffic
block in log first quick on hme0
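The post asks what "keep state" on a catch-all outbound rule actually opens. The toy model below is an added example, not part of the original message and not IPFilter's own code: it reproduces the two behaviours that matter here, namely that a "quick" rule decides on first match and that a "keep state" pass records the flow so later packets are checked against the state table before the rule list is consulted at all. The interface name hme0 is the one from the post; the addresses, ports and the cut-down ruleset are made up for the demonstration.

```python
"""Toy model of IPFilter 'quick' rule evaluation and 'keep state'.

Added illustration, not ipf code. Addresses and ports are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK (what 'flags S' matches)


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port
    quick: bool = False          # first match decides, as ipf 'quick'
    keep_state: bool = False     # record the flow when the rule passes it
    flags_s: bool = False        # only pure SYNs match, as ipf 'flags S'

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.iface) != (p.direction, p.iface):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.flags_s and not (p.proto == "tcp" and p.syn_only):
            return False
        return True


class Firewall:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.state: set[tuple] = set()

    @staticmethod
    def _flow_key(p: Packet) -> tuple:
        # Sort the two endpoints so a packet and its reply share one key.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.iface, p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> tuple[str, str]:
        """Return (action, reason); reason is 'state', 'default' or 'rule N'."""
        key = self._flow_key(p)
        if key in self.state:
            return "pass", "state"      # state table wins; rules never consulted
        winner = None
        for i, r in enumerate(self.rules):
            if r.matches(p):
                winner = (i, r)
                if r.quick:
                    break               # 'quick': stop at the first match
        if winner is None:
            return "pass", "default"    # ipf passes when no rule matches
        i, r = winner
        if r.action == "pass" and r.keep_state:
            self.state.add(key)         # remember this flow only
        return r.action, f"rule {i}"


def build_firewall() -> Firewall:
    """Cut-down version of the post's hme0 rules (constructed)."""
    return Firewall([
        Rule("pass", "out", "hme0", quick=True, keep_state=True),
        Rule("pass", "in", "hme0", proto="tcp", dport=22, quick=True,
             keep_state=True, flags_s=True),
        Rule("block", "in", "hme0", quick=True),     # the final catch-all block
    ])


def demo() -> dict[str, tuple[str, str]]:
    fw = build_firewall()
    out = {}
    # Outbound HTTP from the box: creates state for exactly this 4-tuple.
    out["http_out"] = fw.filter(Packet("out", "hme0", "tcp",
                                       "10.0.0.2", 40000, "203.0.113.9", 80, syn_only=True))
    # Reply for that flow: admitted by the state entry, not by any 'pass in' rule.
    out["http_reply"] = fw.filter(Packet("in", "hme0", "tcp",
                                         "203.0.113.9", 80, "10.0.0.2", 40000))
    # Same peer, different peer port: no state, so it hits the final block rule.
    out["http_other_port"] = fw.filter(Packet("in", "hme0", "tcp",
                                              "203.0.113.9", 81, "10.0.0.2", 40000))
    # Inbound SSH SYN matches the 'flags S keep state' rule ...
    out["ssh_syn"] = fw.filter(Packet("in", "hme0", "tcp",
                                      "198.51.100.7", 5555, "10.0.0.2", 22, syn_only=True))
    # ... but a stray ACK to port 22 with no state behind it is blocked.
    out["ssh_ack_no_state"] = fw.filter(Packet("in", "hme0", "tcp",
                                               "198.51.100.7", 5556, "10.0.0.2", 22))
    return out
```

What the model shows: the entry created by "pass out quick on hme0 all keep state" admits only the reply packets of that one flow (same protocol, both addresses and both ports), so it does not open the port in any general sense; an inbound packet that does not belong to a remembered flow falls through to the rules and, in this ruleset, to the final block. Real ipf additionally tracks TCP sequence windows and ages entries out on timers, which the toy omits; on the running box "ipfstat -sl" lists the current state entries, which is the quickest way to see whether an outbound rule is creating them at all.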