From owner-freebsd-isp Thu Dec 13 08:48:06 2001
Message-ID: <20011213164800.67963.qmail@web20102.mail.yahoo.com>
Date: Thu, 13 Dec 2001 17:48:00 +0100 (CET)
From: Fabrizio Ravazzini
Subject: RE: Ipf & Bridging ???
To: john@day-light.com
Cc: freebsd-isp@freebsd.org
In-Reply-To: <000501c183f2$4c5ef3a0$1505010a@daylight.net>

Hello,

Thanks for the help. ipf is installed in the kernel I compiled:

options IPFILTER
options IPFILTER_LOG

There's also ipfilter_enable="YES" in my rc.conf.

In /etc/ipf.rules:

pass in all
pass out all
block in quick on rl0 from any to any

Then if I type:

ipf -Fa -f /path/to/rules/ipf.rules -E

I get the output:

IP Filter:already initialized
IP Filter:already initialized

But the problem is still there. Can you help me?

--- John Brooks wrote:
> Did you reload the ruleset and flush out the old rules? The default
> setting is to pass all.
>
> ipf -Fa -f /path/to/rules/ipf.rules -E
>
> Another thing to check would be if you enabled ipf with a kernel
> recompile; it's not turned on in the default kernel.
>
> Then check if you enabled ipf in /etc/rc.conf:
>
> ipfilter_enable="YES"
>
> Also remember that in ipf the LAST matching rule wins, so if your
> blocking rule is at the end of the ruleset and you have a pass rule with
> the "quick" keyword before it that matches, the packet will never reach
> the blocking rule.
>
> HTH
>
> --
> John Brooks
> Email: john@stlbsd.org
>
> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Fabrizio Ravazzini
> Sent: Thursday, December 13, 2001 10:07 AM
> To: freebsd-isp@freebsd.org
> Subject: Ipf & Bridging ???
>
> Hello all, I've done a bridge between the Internet and my DMZ:
>
>      Internet
>         |
>         |
>     Cisco Router
>         |
>         |
>        |rl0
>    FreeBSD 4.3
>      Bridge
>        |rl1
>         |
>      HUB----DMZ
>
> The bridge works very well; for example, from the DMZ the servers in it
> can "see" the Internet, and from the Internet I can "see" the servers in
> the DMZ (public IPs).
> The problem is with ipf.
> If for example we put a simple rule in /etc/ipf.rules like this:
>
> block in quick on rl0
>
> in order to block all the traffic going to the DMZ, it happens that
> packets originating from the Internet bypass my bridge/firewall!
> If you ping, for example, the bridge, they are blocked, but if you ping a
> machine in the DMZ it responds! arghhh..
> I tried to put the rules for the bridge found in the IPFilter-based
> firewalls howto, but they didn't work.
> Any idea?
> Isn't ipfilter supported under FreeBSD?
> Do I have to use ipfw?
> Many thanks all,
> bye
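Added example, not part of the thread: a small Python model of the rule-evaluation order John describes (last matching rule wins, a matching "quick" rule ends the search, no match means pass), run over the ruleset from the reply above. It models only direction, interface and "quick"; addresses, protocols and state are ignored, which is an assumption of this model, not a property of ipf.

```python
# Added example: a toy model of IPFilter rule-evaluation order.
# It is NOT ipf itself; only direction, interface and "quick" are modelled.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool             # stop evaluating when this rule matches
    iface: Optional[str]    # None means any interface ("all")


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf rule syntax that appears in the thread,
    e.g. 'pass in all' or 'block in quick on rl0 from any to any'."""
    toks = line.split()
    action, direction, rest = toks[0], toks[1], toks[2:]
    iface = rest[rest.index("on") + 1] if "on" in rest else None
    return Rule(action, direction, "quick" in rest, iface)


def evaluate(ruleset: List[Rule], direction: str, iface: str) -> str:
    """Return the verdict for a packet: the LAST matching rule wins,
    unless a matching rule carries 'quick', which ends the search there.
    With no matching rule at all the default is to pass."""
    verdict = "pass"
    for rule in ruleset:
        if rule.direction != direction:
            continue
        if rule.iface is not None and rule.iface != iface:
            continue
        verdict = rule.action          # later matches override earlier ones
        if rule.quick:
            break                      # 'quick': stop at this rule
    return verdict


# The ruleset from the reply above: inbound on rl0 ends at the quick block.
FABRIZIO_RULES = [parse_rule(l) for l in (
    "pass in all",
    "pass out all",
    "block in quick on rl0 from any to any",
)]

# John's caveat: a quick pass placed before the block rule hides it.
QUICK_PASS_FIRST = [parse_rule(l) for l in (
    "pass in quick all",
    "block in on rl0",
)]

if __name__ == "__main__":
    print("rl0 in :", evaluate(FABRIZIO_RULES, "in", "rl0"))    # block
    print("rl1 in :", evaluate(FABRIZIO_RULES, "in", "rl1"))    # pass
    print("quick  :", evaluate(QUICK_PASS_FIRST, "in", "rl0"))  # pass
```

Under this model the ruleset in the reply does block inbound traffic on rl0, so rule ordering alone does not explain packets reaching the DMZ; it only shows the ordering pitfall John warns about.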