From owner-freebsd-stable@FreeBSD.ORG  Tue Sep 30 04:23:26 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ABCD316A4B3
	for <freebsd-stable@freebsd.org>;
	Tue, 30 Sep 2003 04:23:26 -0700 (PDT)
Received: from web41204.mail.yahoo.com (web41204.mail.yahoo.com
	[66.218.93.37])	by mx1.FreeBSD.org (Postfix) with SMTP id B95614400E
	for <freebsd-stable@freebsd.org>;
	Tue, 30 Sep 2003 04:23:25 -0700 (PDT)
	(envelope-from e_chelon@yahoo.com)
Message-ID: <20030930112325.48361.qmail@web41204.mail.yahoo.com>
Received: from [218.102.23.28] by web41204.mail.yahoo.com via HTTP;
	Tue, 30 Sep 2003 04:23:25 PDT
Date: Tue, 30 Sep 2003 04:23:25 -0700 (PDT)
From: echelon <e_chelon@yahoo.com>
To: Darren Reed <avalon@caligula.anu.edu.au>
In-Reply-To: <200309300349.h8U3nosJ005713@caligula.anu.edu.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-security@freebsd.org
cc: freebsd-stable@freebsd.org
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2003 11:23:26 -0000


Ok, may be this is fine to get "No route to host" when ping 127.0.0.1/ localhost if
IPFILTER_DEFAULT_BLOCK option is set.

However, I use the following rules for the internal network interface (xl1)

# Group 9000 (internal network interface) 
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 23 group 9000
block return-rst in log quick on xl1 proto tcp from any to 192.168.x.x/32 port = 21 group 9000
pass in quick on xl1 all group 9000

With these rules, I believe I should able to ping and SSH the freebsd box from my internal network
no matter the option IPFILTER_DEFAULT_BLOCK is set or not.

However, this is true only if the IPFILTER_DEFAULT_BLOCK option is removed.

The same rules were used with IPFilter 3.4.18 on FreeBSD 4.2 and no such problem was 
encountered. 

  
Thanks.

e_chelon
--- Darren Reed <avalon@caligula.anu.edu.au> wrote:
> 
> That's how it is meant to work.
> 
> Good to know it's working as intended.
> 
> Cheers,
> Darren
> 


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com