From: AndygreenNet@netscape.net
To: freebsd-pf@freebsd.org
Date: Sat, 25 Sep 2004 00:08:31 -0400
Subject: Can't access rsh listen on lo0

Hello freebsd-pf,

Help me please. I have:

FreeBSD 5_2_1
pf-freebsd-2.03

I tried to access rsh listening on lo0. The connection is interrupted with the messages:

rsh: Connection timeout;
or
rsh: Connection reset by peer.

My pf.conf:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="{ vlan1, fxp2 }"   # replace with actual external interface name i.e., dc0
int_if="fxp0"              # replace with actual internal interface name i.e., dc1
ext_bridge_if="{ vlan0, vlan2, vlan3 }"
int_bridge_if="{ xl0, vlan4, vlan5 }"
internal_net_TTK="62.33.196.128/25"
internal_net_RT_COMM="213.59.235.120/29"
external_addr_TTK="62.33.196.254"
external_addr_RT_COMM="213.59.128.130"
restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023}"
allow_udp_ports="{ domain, > 1023}"
ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/usr/local/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# spamd-setup puts addresses to be redirected into table <spamd>.
# (The angle-bracketed table name was stripped by the list archive; <spamd> is assumed here.)
table <spamd> persist
no rdr on lo0 from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: external interfaces
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports

# Filtering: external bridge interfaces
block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in quick on $ext_bridge_if $ARP_in
pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
pass out quick on $ext_bridge_if $ARP_out
pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any

# Filtering internal interfaces with keep state, logging blocked packets.
block in log on $int_if all
pass in quick on $int_if $ARP_out keep state
pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state

# Filtering internal bridge interfaces with keep state, logging blocked packets.
block in log on $int_bridge_if all
pass in quick on $int_bridge_if $ARP_out keep state
pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state

Where was I mistaken?

--
Best regards,
A. Kochetkoff
mailto:andrews@mtelecom.chita.ru
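A check worth making before changing rules: log the blocks and see which rule, if any, is dropping the rsh packets on lo0. The script below is an added example (not from the post or from the pf project) that summarises drops of rsh/rlogin traffic (tcp 513/514) on a chosen interface from "tcpdump -n -e -ttt -i pflog0" output; the log lines embedded in it are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: summarise pf-logged drops of rsh/rlogin traffic (tcp 513/514)
# on one interface from "tcpdump -n -e -ttt -i pflog0" output, so each drop can
# be mapped back to a rule number with "pfctl -vsr".
# Usage: pflog_rsh_drops IFACE < tcpdump-output
# Prints one line per drop, "<rule#> <dir> <src> -> <dst>", then "total N".
pflog_rsh_drops() {
    awk -v ifc="$1" '
    # Only lines pf logged as "block" on the requested interface.
    /rule [0-9]+\/[0-9]+\(match\): block/ && $0 ~ ("on " ifc ":") {
        # Rule number from the token "rule N/M(match):".
        match($0, /rule [0-9]+/); rule = substr($0, RSTART + 5, RLENGTH - 5)
        # Direction is "in" or "out".
        dir = ($0 ~ /block in on/) ? "in" : "out"
        # Endpoints look like "A.B.C.D.port > A.B.C.D.port:".
        if (match($0, /[0-9.]+\.[0-9]+ > [0-9.]+\.[0-9]+:/)) {
            pair = substr($0, RSTART, RLENGTH - 1)
            split(pair, ep, " > ")
            n = split(ep[1], s, "."); sport = s[n]
            n = split(ep[2], d, "."); dport = d[n]
            if (sport == "513" || sport == "514" || dport == "513" || dport == "514") {
                printf "%s %s %s -> %s\n", rule, dir, ep[1], ep[2]
                total++
            }
        }
    }
    END { printf "total %d\n", total + 0 }'
}

# Constructed sample (not real pflog data): two rsh attempts on lo0 dropped by
# rule 3, one unrelated drop on fxp0, and one rsh drop on fxp0 that must not be
# counted when asking about lo0.
SAMPLE_PFLOG='000000 rule 3/0(match): block in on lo0: 127.0.0.1.1023 > 127.0.0.1.514: S 1:1(0) win 65535
000123 rule 3/0(match): block in on lo0: 127.0.0.1.1022 > 127.0.0.1.514: S 2:2(0) win 65535
000456 rule 0/0(match): block in on fxp0: 10.1.2.3.40000 > 62.33.196.254.445: S 3:3(0) win 8192
000789 rule 1/0(match): block in on fxp0: 10.1.2.3.1021 > 62.33.196.254.514: S 4:4(0) win 8192'

printf '%s\n' "$SAMPLE_PFLOG" | pflog_rsh_drops lo0
```

Only rules carrying the `log` keyword reach pflog0, and the `rule N/M` field corresponds to the rule numbers printed by `pfctl -vsr`.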