Date:      Mon, 30 Apr 2001 11:23:22 +0200 (CEST)
From:      Claus Guttesen <cguttesen@yahoo.dk>
To:        freebsd-questions@freebsd.org
Subject:   ipfilter and sync/sync-acknowledge doesn't seem to work
Message-ID:  <20010430092322.73754.qmail@web14105.mail.yahoo.com>

Hi.

I've set up ipfilter, and got it working OK. The syntax
is pretty straightforward.

But I'm having problems with the flags S/SA on inbound
rules. I took the example shown on
http://www.openbsd.org/faq/faq6.html#6.2 and used that
as a template.

Ipfilter starts without problem, but I can't get a
connection up and running with the flags enabled.
/etc/ipf.rules contains these rules (not all rules
shown, ssh-from ip-range changed)

# only allow our machines to connect via ssh
pass in quick on fxp0 proto tcp from a.b.c.d/26 to any port = 22

# allow others to use http and https
pass in quick on fxp0 proto tcp from any to any port = 80
pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA

# finally lock the rest down with a default deny
block in quick on fxp0 from any to any

# and let out-going traffic out and maintain state on established connections
#    to cover all three protocols (tcp, udp, icmp).
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

The thing is that when S/SA is enabled on http and
ssh, I don't get through. When the S/SA-flags are
removed and I restart ipfilter with 'ipf -Fa -f
/etc/ipf.rules' it works.

The documentation on openbsd.org states that the last
rule wins, unless the quick-option is used. It also
says that the flags S/SA can be used to initiate a
connection, and then the state comes in (established
connections). I may be missing something.

I'm running FreeBSD 4.3 stable on a Compaq Armada
M700.

regards
Claus Guttesen
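The ruleset quoted in the message, rewritten here as an added example (editor's illustration, not text from the original post or from the OpenBSD FAQ) with the one change that makes `flags S/SA` usable: every S/SA rule also keeps state, so only the opening SYN has to match a rule and the remaining packets of the connection are passed from the state table instead of falling through to the default block. The interface fxp0 and the a.b.c.d/26 range are taken from the message; nothing else is assumed.

```conf
# /etc/ipf.rules (added example, not the poster's file)
#
# "flags S/SA" matches only packets whose SYN bit is set and whose ACK bit
# is clear, i.e. the first packet of a TCP handshake. A rule with S/SA and
# no "keep state" lets that SYN in and nothing else: the SYN/ACK, the final
# ACK and all data segments do not match it, reach "block in quick", and
# the connection stalls, which is the behaviour described in the message.
# "keep state" records the connection from that SYN; later packets are
# checked against the state table before the rule list, so they never
# reach the block rule.

# only allow our machines to connect via ssh (a.b.c.d/26 as in the message)
pass in quick on fxp0 proto tcp from a.b.c.d/26 to any port = 22 flags S/SA keep state

# allow others to use http and https
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA keep state

# finally lock the rest down with a default deny
block in quick on fxp0 from any to any

# let outgoing traffic out and keep state so replies are accepted;
# for tcp, S/SA again restricts the rule match to the opening SYN
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Reload with the command the message already uses, `ipf -Fa -f /etc/ipf.rules`, then `ipfstat -io` lists the loaded in/out rules and `ipfstat -s` shows state-table counters, which should rise as new connections are opened.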
