From owner-freebsd-pf@FreeBSD.ORG  Sat Sep 25 16:58:26 2004
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4FF0D16A4CE
	for <freebsd-pf@freebsd.org>; Sat, 25 Sep 2004 16:58:26 +0000 (GMT)
Received: from moutng.kundenserver.de (moutng.kundenserver.de
	[212.227.126.186])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A0C1943D45
	for <freebsd-pf@freebsd.org>; Sat, 25 Sep 2004 16:58:25 +0000 (GMT)
	(envelope-from max@love2party.net)
Received: from [212.227.126.207] (helo=mrelayng.kundenserver.de)
	by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
	id 1CBFsO-0003Tc-00; Sat, 25 Sep 2004 18:58:24 +0200
Received: from [217.227.149.160] (helo=donor.laier.local)
	by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128)
	(Exim 3.35 #1)
	id 1CBFsO-0006Ij-00; Sat, 25 Sep 2004 18:58:24 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Sat, 25 Sep 2004 18:57:18 +0200
User-Agent: KMail/1.7
References: <3DF5ED57.7064152C.0C457E44@netscape.net>
In-Reply-To: <3DF5ED57.7064152C.0C457E44@netscape.net>
MIME-Version: 1.0
Content-Type: multipart/signed;
  boundary="nextPart45672835.XE09iZkaOT";
  protocol="application/pgp-signature";
  micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200409251857.29746.max@love2party.net>
X-Provags-ID: kundenserver.de abuse@kundenserver.de
	auth:61c499deaeeba3ba5be80f48ecc83056
cc: AndygreenNet@netscape.net
Subject: Re: Can't access rsh listen on lo0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
	<freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Sep 2004 16:58:26 -0000

--nextPart45672835.XE09iZkaOT
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Saturday 25 September 2004 06:08, AndygreenNet@netscape.net wrote:
> Hello freebsd-pf,
>
> Help me please.
>
> I have:
> FreeBSD 5_2_1
> pf-freebsd-2.03

=46irst of all ... to *everybody*: If you want a production use box with pf=
 -=20
please move to a 5.3-BETA installation and get pf out of the box. If you ar=
e=20
worried with stability set debug.mpsafenet=3D0 (PREEMPTION and ULE are off =
by=20
default). You won't regret it!

> I'm tried to access rsh listen on lo0.
> Connection interrupts with messages:
>   rsh: Connection timeout;
>   or
>   rsh: Connection reset by peer.

That is a fairly complicated ruleset you have there, I have some troubles=20
reading it. But you might want to try the following:

> My pf.conf.
>
> # Macros: define common values, so they can be referenced and changed
> easily. ext_if=3D"{ vlan1, fxp2 }"        # replace with actual external
> interface name i.e., dc0
> int_if=3D"fxp0"           # replace with actual internal interface name i=
=2Ee.,
> dc1 ext_bridge_if=3D"{ vlan0, vlan2, vlan3 }"

unfiltered=3D"{ lo0 }"

> int_bridge_if=3D"{ xl0, vlan4, vlan5 }"
> internal_net_TTK=3D"62.33.196.128/25"
> internal_net_RT_COMM=3D"213.59.235.120/29"
> external_addr_TTK=3D"62.33.196.254"
> external_addr_RT_COMM=3D"213.59.128.130"
> restricted_ports=3D"{ 135, 136, 137, 138, 139, 445 }"
> allow_tcp_ports=3D"{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, i=
map,
> https, snpp, > 1023}"
> allow_udp_ports=3D"{ domain, > 1023}"
> ARP_in=3D"inet proto { tcp, udp } from any port uarps to any port > 1023"
> ARP_out=3D"inet proto { tcp, udp } from any port > 1023 to any port uarps"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/usr/local/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic
> ambiguities. scrub in all
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> no rdr on lo0 from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>

#Allow loopback and friends
pass quick on $unfiltered

> # Filtering: external interfaces
> block in log quick on $ext_if inet proto { tcp, udp } from any to any port
> $restricted_ports
> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_if inet proto tcp from any to any port
> $allow_tcp_ports pass in quick on $ext_if inet proto udp from any port
> $allow_udp_ports to any port $allow_udp_ports
> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to
> any pass out quick on $ext_if inet proto udp from any port $allow_udp_por=
ts
> to any port $allow_udp_ports
>
> # Filtering: external bridge interfaces
> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to
> any port $restricted_ports
> pass in quick on $ext_bridge_if $ARP_in
> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8
> } pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
> pass out quick on $ext_bridge_if $ARP_out
> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0,=
 8
> } pass out quick on $ext_bridge_if inet proto { tcp, udp }  from any to a=
ny
>
> # Filtering internal interfaces with keep state, logging blocked packets.
> block in log on $int_if all
> pass in quick on $int_if $ARP_out keep state
> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_if inet proto tcp from { $internal_net_TTK,
> $internal_net_RT_COMM } port $allow_tcp_ports to any keep st
> ate
> pass in quick on $int_if inet proto udp from { $internal_net_TTK,
> $internal_net_RT_COMM } port $allow_udp_ports to any port $a
> llow_udp_ports keep state
>
> # Filtering internal bridge interfaces with keep state, logging blocked
> packets. block in log on $int_bridge_if all
> pass in quick on $int_bridge_if $ARP_out keep state
> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } ke=
ep
> state pass in quick on $int_bridge_if inet proto { tcp, udp } from any to
> any keep state
>
> Where I was mistaken.

Not sure ... $pfctl -vsr and pflog0 may tell you.

=2D-=20
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart45672835.XE09iZkaOT
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBBVaN5XyyEoT62BG0RAoHbAJ4xYzYn0QtzC6QFBbF1AMigICiY9wCeNnXb
Gj7qVne+cW1chL9C/2NyFYM=
=7/jP
-----END PGP SIGNATURE-----

--nextPart45672835.XE09iZkaOT--