From owner-freebsd-questions Sat Jan 12 7:26:46 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from b1n.org (200-171-41-43.dsl.telesp.net.br [200.171.41.43]) by hub.freebsd.org (Postfix) with ESMTP id 6ED7F37B416 for ; Sat, 12 Jan 2002 07:26:42 -0800 (PST)
Received: by b1n.org (Postfix, from userid 1000) id 5DF57810F; Sat, 12 Jan 2002 13:26:33 -0200 (BRST)
Date: Sat, 12 Jan 2002 13:26:33 -0200
From: BinarySoul
To: Peter Wolkerstorfer
Cc: freebsd-questions@freebsd.org
Subject: Re: please help on 1(one) ipf rule
Message-ID: <20020112132633.E31058@b1n.org>
References: <3C187D20.E1901AD5@unet.univie.ac.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3C187D20.E1901AD5@unet.univie.ac.at>; from a9203537@unet.univie.ac.at on Thu, Dec 13, 2001 at 11:04:16AM +0100
X-Operating-System: OpenBSD 3.0 (i386)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi Peter,

I think I've found your mistake. In your first two rules:

> block return-rst in log quick on rl1 proto tcp all
> block in quick on rl1 all

you've blocked everything, and it's not going further down your rules table (look at ipmon/ipfstat to confirm that). Strip out the 'quick' option so it will only match these rules if it doesn't match any other. I'm used to writing something like:

block in all
block out all

at the top of my firewall script, and then passing just what I need to pass.

About SSH, I've used this so far:

pass in quick on $External_Interface proto tcp from $Trusted_Ip to $External_Ip port = 22 flags S/SA keep state

BTW, I don't use ipf, I use obsd pf (OpenBSD Packet Filter).

Peter Wolkerstorfer (a9203537@unet.univie.ac.at) wrote:
> dear listmembers,
>
> i would need some help on ipf
>
> problem:
>
> ipf firewall with ipnat won't allow to login on itself and won't allow
> outgoing traffic from itself.
>
> from the intranet (192.168.0.0/8) to the internet all works as i
> wanted.
>
> my ipf.rules is:
>
> # i have read this should be better for scans
> block return-rst in log quick on rl1 proto tcp all
>
> # i want to block all the rest with this
> block in quick on rl1 all
>
> # this is my not working try of making a ssh-connection to the firewall
> working
> pass in quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state
> pass out quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state
>
> #the rest which seems to work
> pass out quick on rl1 proto tcp from 192.168.0.0/8 to any keep state
> pass out quick on rl1 proto udp from 192.168.0.0/8 to any keep state
> pass out quick on rl1 proto icmp from 192.168.0.0/8 to any keep state
>
> my ipnat.rules is:
>
> map rl1 192.168.0.0/24 -> 0/32
>
> i would now need one ipf rule which at least allows logging in on the
> firewall with ssh. it would be better if i could access the net from the
> firewall-console, too.
>
> THX in advance
> peter "wolki" wolkerstorfer
> p.s.: please tell me if i should have asked this in freebsd-security
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
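The point of the reply above is rule-walk order: ipf lets the last matching rule decide, except that a matching rule marked `quick` ends the walk immediately. The following is an added example (not from either poster and not ipf itself) that models that evaluation in Python over the rule lists quoted in the thread. `TRUSTED_IP` and `EXTERNAL_IP` are constructed placeholders standing in for the reply's `$Trusted_Ip` and `$External_Ip`, and the `SUGGESTED` list is my arrangement of the reply's advice (unquick'd default blocks at the top, the SSH pass rule added). `keep state` and `flags S/SA` are parsed but not modelled, so only the first packet of a connection is judged.

```python
"""Toy model of ipf rule evaluation: last match wins unless a matching rule
says 'quick', which stops evaluation on the spot.  Added example; not ipf
itself.  'keep state' and 'flags S/SA' are accepted but not modelled."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str
    dport: int | None = None


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: str
    quick: bool = False
    iface: str | None = None  # None matches any interface
    proto: set[str] | None = None
    src: ipaddress.IPv4Network | None = None   # None matches any address
    dst: ipaddress.IPv4Network | None = None
    dport: int | None = None


def _net(tok: str) -> ipaddress.IPv4Network | None:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf rule syntax that appears in the thread."""
    toks = text.split()
    action = toks.pop(0)
    if toks[0] == "return-rst":          # 'block return-rst' still blocks
        toks.pop(0)
    rule = Rule(action=action, direction=toks.pop(0))
    while toks:
        tok = toks.pop(0)
        if tok == "quick":
            rule.quick = True
        elif tok == "on":
            rule.iface = toks.pop(0)
        elif tok == "proto":
            rule.proto = set(toks.pop(0).split("/"))   # "tcp/udp" -> both
        elif tok == "from":
            rule.src = _net(toks.pop(0))
        elif tok == "to":
            rule.dst = _net(toks.pop(0))
        elif tok == "port":
            assert toks.pop(0) == "="
            rule.dport = int(toks.pop(0))
        elif tok in ("keep", "flags"):   # 'keep state' / 'flags S/SA': skip argument
            toks.pop(0)
        # 'all' (any src and dst) and 'log' need no action in this model
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or pkt.proto in rule.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, int | None]:
    """Return (verdict, index of the deciding rule).  No match means ipf's
    default of pass; a 'quick' match stops the walk so later rules never
    see the packet."""
    verdict, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, winner = rule.action, i
            if rule.quick:
                break
    return verdict, winner


TRUSTED_IP = "198.51.100.7"   # constructed placeholder for $Trusted_Ip
EXTERNAL_IP = "203.0.113.5"   # constructed placeholder for $External_Ip (rl1)

# Peter's ipf.rules as quoted in the thread.
ORIGINAL = [parse_rule(r) for r in [
    "block return-rst in log quick on rl1 proto tcp all",
    "block in quick on rl1 all",
    "pass in quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto tcp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto icmp from 192.168.0.0/8 to any keep state",
]]

# The reply's advice applied (my arrangement): non-quick default blocks first,
# then the SSH rule from the reply, then Peter's remaining pass rules.
SUGGESTED = [parse_rule(r) for r in [
    "block in all",
    "block out all",
    f"pass in quick on rl1 proto tcp from {TRUSTED_IP} to {EXTERNAL_IP} "
    "port = 22 flags S/SA keep state",
] + [
    "pass in quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto tcp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto udp from 192.168.0.0/8 to any keep state",
    "pass out quick on rl1 proto icmp from 192.168.0.0/8 to any keep state",
]]

SSH_SYN = Packet("in", "rl1", "tcp", TRUSTED_IP, EXTERNAL_IP, 22)   # constructed
STRANGER = Packet("in", "rl1", "tcp", "192.0.2.9", EXTERNAL_IP, 22)  # constructed

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, SSH_SYN))    # blocked by rule 0
    print("suggested:", evaluate(SUGGESTED, SSH_SYN))   # passed by rule 2
    print("stranger :", evaluate(SUGGESTED, STRANGER))  # blocked by rule 0
```

With the original list the SSH SYN never gets past the first `quick` block, which is also why return traffic for connections the firewall itself opens on rl1 is dropped: it arrives `in on rl1 proto tcp` and hits the same rule. With the reordered list the default blocks match first but do not stop the walk, so the later, more specific `pass ... quick` rule makes the final decision.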