Date: Mon, 2 May 2005 12:19:24 +0200
From: "Chris Knipe" <savage@savage.za.org>
To: <freebsd-questions@lists.freebsd.org>
Subject: Re: ipf out rule
Message-ID: <000701c54f00$6a9c9c50$0a01a8c0@ops.cenergynetworks.com>
References: <MIEPLLIBMLEEABPDBIEGIENLHDAA.bob@a1poweruser.com>
Ok, that is fair enough. I did manage to get it up and running without locking myself out though *yay*

I am having 2 issues mainly. FTP doesn't work at all (PASV or not), and I am getting a lot of false drops on packets which *should* be allowed...

Quick dump from the log file:

May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN

/etc/ipf.rules:

# lo0 - Loopback
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#################################################################
# Outside Interfaces
#################################################################

# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

#################################################################
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#################################################################

# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 219.0.0.0/8 to any
block in quick on rl0 from 220.0.0.0/6 to any
block in quick on rl0 from 224.0.0.0/3 to any

# rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
pass in quick on rl0 proto icmp all icmp-type 0
pass in quick on rl0 proto icmp all icmp-type 3
pass in quick on rl0 proto icmp all icmp-type 11

# rl0 - x.x.x.122 FTP, FTP-DATA
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state

# rl0 - x.x.x.122 SSH
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags

# rl0 - x.x.x.122 SMTP
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags

# rl0 - x.x.x.122 DNS
pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags

# rl0 - x.x.x.122 HTTP, HTTPS
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags

# rl0 - x.x.x.122 POP3
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags

# rl0 - x.x.x.122 NTP
pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags

# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags

# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags

# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags

# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags

# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)

--
Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

----- Original Message -----
From: <bob@a1poweruser.com>
To: "Chris Knipe" <savage@savage.za.org>; <freebsd-questions@lists.freebsd.org>
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule

> When asking for help with firewall rules you have to post complete
> content of firewall rule set file because some previous rule may be
> dropping all packets. If this is your complete rule set then you are
> missing the mandatory L0 interface rule to pass quick all. rl0 must
> be Nic connected to public internet. x.x.x.120/29 is ip address
> range of pc's on private LAN behind firewall. This is not much of
> firewall with everything being allowed out. You could replace all
> of these meaningless statements with pass quick all from any to
> any
>
> You really need to read firewall section of the official handbook.
> It has working examples of ipf.rules rule set along with detailed
> explanation of how to build firewall rules.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
> Sent: Sunday, May 01, 2005 6:56 PM
> To: freebsd-questions@lists.freebsd.org
> Subject: ipf out rule
>
> Hi,
>
> Can anyone take a minute to just explain to me why ipf is blocking
> this...
>
> ipf.rules:
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
> block out log quick on rl0 all
>
> ipftest:
> opening rule file "ipf.new"
> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
> --------------
> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>
> Thanks.
>
> --
> Chris.
>
> "I love deadlines. I especially love the whooshing sound they make as
> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
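As an added example (not part of the thread, and not anything Chris or Bob wrote), a small Python triage script for the ipmon lines quoted above: it parses the `@group:rule`, addresses and TCP flags of each logged block, and separates `-AF` / `-AR` packets with no SYN, which are the tail of a session whose `keep state` entry has already expired and so fall through to the catch-all (by my count of the `in` rules in the posted file, `@0:62` is the final `block in log quick on rl0 all`), from genuinely denied SYNs. The sample input reuses the post's placeholder addresses plus one constructed SYN line from the 203.0.113.0/24 documentation range.

```python
import re
from collections import Counter

# Constructed sample: three ipmon lines from the post (placeholder addresses
# kept as plain strings) plus one made-up blocked SYN for contrast.
SAMPLE_LOG = """\
May 2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May 2 12:12:00 pyro ipmon[8689]: 12:11:59.000000 rl0 @0:62 b 203.0.113.9,40000 -> x.x.x.123,3128 PR tcp len 20 60 -S IN
"""

# Field layout of an ipmon(8) line: time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-FLAGS] dir
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return a dict of the line's fields, or None if it is not an ipmon record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""   # UDP/ICMP lines carry no flag field
    return rec

def classify(rec):
    """Label a logged packet. ipf creates state from the SYN only, so a FIN/ACK
    or RST that arrives after the state entry is gone hits the catch-all rule."""
    if rec["action"] != "b":
        return "passed"
    f = rec["flags"]
    if rec["proto"] == "tcp" and "S" not in f and ("F" in f or "R" in f):
        return "late-teardown"          # harmless tail of an already-closed session
    if rec["proto"] == "tcp" and "S" in f:
        return "new-connection-denied"  # a real policy decision worth reviewing
    return "other"

def summarize(log_text):
    """Count packets per (rule, classification) so the noise is separable at a glance."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec:
            counts[(f"@{rec['group']}:{rec['rule']}", classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for (rule, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rule:8} {kind:24} {n}")
```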