From: Mark Woodson <mwoodson@sricrm.com>
Organization: Statistical Research, Inc.
To: "Toan Hoang", freebsd-stable@freebsd.org
Date: Mon, 22 Sep 2003 13:35:54 -0700
Subject: Re: IPFilter and Nmap
Message-Id: <200309221335.54060.mwoodson@sricrm.com>
List-Id: Production branch of FreeBSD source code

On Monday 22 September 2003 01:12 pm, Toan Hoang wrote:
> Greetings list!
>
> I've got a strange problem with my new FreeBSD box..
>
> I've just installed IPFilter and recompiled the kernel to
> 4.9PRERELEASE.. (I compiled with options: IPFILTER, IPFILTER_LOG,
> IPFILTER_BLOCK_DEFAULT (IPFILTER_DEFAULT_BLOCK??)

It's IPFILTER_DEFAULT_BLOCK.

less /usr/src/sys/i386/conf/LINT | grep IPFILTER

That will list out the kernel options with IPFILTER in the line.

> My problem is when I'm scanning the FreeBSD box with nmap (from a
> WinXP machine), I get reports about ports that are open:
>
> (The 1647 ports scanned but not shown below are in state: filtered)
> PORT     STATE SERVICE
> 25/tcp   open  smtp
> 80/tcp   open  http
> 81/tcp   open  hosts2-ns
> 82/tcp   open  xfer
> 83/tcp   open  mit-ml-dev
> 110/tcp  open  pop-3
> 119/tcp  open  nntp
> 1080/tcp open  socks
> 5190/tcp open  aol
> 8080/tcp open  http-proxy
>
> My /etc/ipf.rules looks like this:
>
> block in all
> pass in quick on lo0 all
> pass out quick on lo0 all

Unless the box will not connect with anything, you'll want to at the very least add

pass out on dc0 all keep state

so you can connect to outside stuff. Replace dc0 with your ethernet interface.

You didn't mention rc.conf

ipfilter_enable="YES"
ipmon_enable="YES"

at the very least. You might look at the other ipf options in /etc/defaults/rc.conf.

-Mark
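The two pieces of Mark's advice (a stateful outbound pass rule on top of the default inbound block, and the rc.conf variables that actually start IPFilter at boot) fit together in the small script below. It is an added example, not code from the thread or from FreeBSD: it prints a ruleset in the shape Mark recommends for a given external interface and checks an rc.conf file for `ipfilter_enable` and `ipmon_enable`. The interface name dc0 and the sample rc.conf content are constructed for illustration, and the rule grammar assumed is ipf's (`on IFACE` before `all`); `keep state` is what lets the replies to the box's own connections back in past `block in all`.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipf.rules in the shape Mark
# recommends and check rc.conf for the settings that enable IPFilter.
# Assumptions: the external interface is dc0 (replace with yours); the sample
# rc.conf content further down is constructed for illustration.

# gen_ipf_rules IFACE: print a default-deny-inbound ruleset for IFACE.
gen_ipf_rules() {
    iface="$1"
    cat <<EOF
# default: block everything inbound that no other rule passes
block in all
# loopback is always allowed
pass in quick on lo0 all
pass out quick on lo0 all
# let the box originate connections; "keep state" lets the replies back in
# past the "block in all" above (ipf grammar: "on IFACE" comes before "all")
pass out quick on $iface all keep state
EOF
}

# check_rc_conf FILE: return 0 when ipfilter_enable and ipmon_enable are both
# set to YES in FILE, 1 otherwise (each missing variable is named on stderr).
check_rc_conf() {
    file="$1"
    missing=0
    for var in ipfilter_enable ipmon_enable; do
        if ! grep -Eq "^${var}=\"?YES\"?" "$file"; then
            echo "rc.conf: ${var}=\"YES\" is missing" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Demo: a constructed rc.conf that enables ipmon but forgot ipfilter_enable,
# so rc would not load the rules at boot even though the file is correct.
sample_rc=$(mktemp)
printf 'ipmon_enable="YES"\n' > "$sample_rc"

gen_ipf_rules dc0
if check_rc_conf "$sample_rc"; then
    echo "rc.conf: IPFilter will be started at boot"
else
    echo "rc.conf: add the missing variables before relying on the rules at boot"
fi
rm -f "$sample_rc"
```

Run it as `sh ipf-check.sh`; redirect the first part of its output to /etc/ipf.rules once the interface name is right, and the exit status of `check_rc_conf` is what a post-install check would key on.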