From owner-freebsd-isp Thu Dec 13 8:26:35 2001
Delivered-To: freebsd-isp@freebsd.org
From: "John Brooks"
Subject: RE: Ipf & Bridging ???
Date: Thu, 13 Dec 2001 10:25:15 -0600
Message-ID: <000801c183f2$c1a317e0$1505010a@daylight.net>
In-Reply-To: <20011213160654.81416.qmail@web20108.mail.yahoo.com>
Sender: owner-freebsd-isp@FreeBSD.ORG
List-ID: freebsd-isp

Did you reload the ruleset and flush out the old rules? The default setting is to pass all.

    ipf -Fa -f /path/to/rules/ipf.rules -E

Another thing to check would be if you enabled ipf with a kernel recompile; it's not turned on in the default kernel. Then check if you enabled ipf in /etc/rc.conf:

    ipfilter_enable="YES"

Also remember that in ipf the LAST matching rule wins, so if your blocking rule is at the end of the ruleset and you have a pass rule with the "quick" keyword before it that matches, the packet will never reach the blocking rule.

HTH
--
John Brooks
Email: john@stlbsd.org

-----Original Message-----
From: owner-freebsd-isp@FreeBSD.ORG [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Fabrizio Ravazzini
Sent: Thursday, December 13, 2001 10:07 AM
To: freebsd-isp@freebsd.org
Subject: Ipf & Bridging ???
Hello all,

I've done a bridge between Internet and my DMZ:

    Internet
       |
       |
    Cisco Router
       |
       |
      |rl0
    FreeBSD 4.3 Bridge
      |rl1
       |
    HUB----DMZ

The bridge works very well; for example, from the DMZ the servers in it can "see" Internet, and from Internet I can "see" the servers in the DMZ (public IPs).

The problem is with ipf. If for example we put a simple rule in /etc/ipf.rules like this:

    block in quick on rl0

in order to block all the traffic going to the DMZ, it happens that packets originating from Internet bypass my bridge/firewall! If you ping for example the bridge they are blocked, but if you ping a machine in the DMZ it responds! arghhh..

I tried to put the rules for the bridge found in the IPFilter based firewalls howto, but they didn't work.

Any idea? Isn't ipfilter supported under FreeBSD? Do I have to use ipfw?

Many thanks all
bye
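As an added example, not code from either message in this thread, here is a small Python model of the rule-evaluation order John describes: rules are tested top to bottom, the last match wins, and a matching "quick" rule ends evaluation immediately. It parses a subset of ipf.rules syntax and runs three constructed rulesets: the poster's `block in quick on rl0`, a "quick" pass rule that shadows a later block rule, and the same pair without "quick". The interface name rl0 comes from the thread; the addresses 192.0.2.10 and 198.51.100.7 are constructed. The model says nothing about whether bridged frames are handed to ipf at all, which is the poster's actual symptom; it only shows why rule order and "quick" matter once they are.

```python
# Toy model of IP Filter rule evaluation (constructed for this example, not
# ipf's own code): rules are tested top to bottom, the LAST matching rule
# decides, and a matching rule carrying "quick" stops evaluation at once.
# When no rule matches at all, ipf's default is to pass the packet.
#
# Rule grammar accepted by this model (a small subset of ipf.rules syntax):
#   action direction [quick] on IFACE [from SRC to DST]
# with action in {pass, block}, direction in {in, out}, and SRC/DST being
# "any" or a literal address. Lines starting with "#" are comments.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    quick: bool      # True if the rule ends evaluation when it matches
    iface: str       # interface name, e.g. "rl0"
    src: str = "any"
    dst: str = "any"


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ruleset line; returns None for blank and comment lines."""
    words = line.split()
    if not words or words[0].startswith("#"):
        return None
    action, direction, rest = words[0], words[1], words[2:]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick = False
    if rest and rest[0] == "quick":
        quick, rest = True, rest[1:]
    if len(rest) < 2 or rest[0] != "on":
        raise ValueError(f"missing 'on IFACE': {line!r}")
    iface, rest = rest[1], rest[2:]
    src = dst = "any"
    if rest:
        if len(rest) != 4 or rest[0] != "from" or rest[2] != "to":
            raise ValueError(f"expected 'from SRC to DST': {line!r}")
        src, dst = rest[1], rest[3]
    return Rule(action, direction, quick, iface, src, dst)


def load_rules(text: str) -> List[Rule]:
    """Parse a whole ruleset, skipping blank and comment lines."""
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]


def matches(rule: Rule, direction: str, iface: str, src: str, dst: str) -> bool:
    return (rule.direction == direction and rule.iface == iface
            and rule.src in ("any", src) and rule.dst in ("any", dst))


def verdict(rules: List[Rule], direction: str, iface: str,
            src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided) for one packet.

    index is None when no rule matched and the default pass applied."""
    action, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, direction, iface, src, dst):
            action, winner = rule.action, i
            if rule.quick:          # quick: stop here, later rules are ignored
                break               # otherwise keep going; last match wins
    return action, winner


# The rule from the original post: block everything arriving on rl0.
POSTER_RULES = "block in quick on rl0\n"

# The trap John describes: a matching "quick" pass rule placed before the
# block rule, so the block rule is never reached. Addresses are constructed.
SHADOWED_RULES = """\
# allow the web host (constructed address) before the catch-all block
pass in quick on rl0 from any to 192.0.2.10
block in on rl0
"""

# Same two rules without "quick": now the later block rule is the last
# match and wins, even for the host the pass rule named.
LAST_MATCH_RULES = """\
pass in on rl0 from any to 192.0.2.10
block in on rl0
"""

if __name__ == "__main__":
    pkt = ("in", "rl0", "198.51.100.7", "192.0.2.10")   # constructed packet
    for name, text in (("poster", POSTER_RULES), ("shadowed", SHADOWED_RULES),
                       ("last-match", LAST_MATCH_RULES)):
        print(name, verdict(load_rules(text), *pkt))
```

After changing the ruleset on a real box, the reload command from the reply, `ipf -Fa -f /path/to/rules/ipf.rules -E`, flushes the old rules before loading the new ones; loading with -f alone adds to the rules already active, so the behaviour of an edited ruleset cannot be judged until the old ones are gone.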