Date: Wed, 26 Nov 2014 20:02:21 -0500
From: Eric Popelka <arickp@cox.net>
To: freebsd-questions@freebsd.org
Subject: My ipfilter rules are overreaching...
Message-ID: <5476781D.2060904@cox.net>
Hello BSD friends,

I've enabled ipfilter by adding the following to my /etc/rc.conf:

ipfilter_enable="YES"           # load ipfilter kernel module
ipfilter_rules="/etc/ipf.rules" # my rules file
ipmon_enable="YES"              # try to keep out hax0rs
ipmon_flags="-Ds"               # run as a daemon, save using syslogd

My rules file (/etc/ipf.rules) reads as follows (not verbatim, trying to just get to the facts):

# No restrictions on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all

# Allow outbound traffic
pass out quick on xn0 all keep state

### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###

# Allow in the whole subnet assigned to my cable modem
# (hack, eventually want to just allow access to certain ports)
pass in log first on xn0 from 72.205.44.0/23 to any

# Keep out hax0rs
block in log first quick on xn0 all

Unfortunately, this is keeping me out from ssh'ing in to my server. I get the following message in /var/log/messages:

ipmon: xn0 @0:8 b 72.205.45.###,40455 -> 104.128.###.###,22 PR tcp len 20 64 -S IN

(### = actual numbers <= 255, obviously)

I'm stumped. I triple-checked that the IP address from which I'm connecting is in the subnet that I specified in my 'pass in' rule. Am I not writing my rules in the correct order?

Output from uname:

FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014

I ran 'pkg update' and 'pkg upgrade'.

Thanks.
-- 
Eric Popelka
arickp@cox.net
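As an added illustration (not part of the original message), a small Python model of IP Filter's inbound matching run over the ruleset above. It shows why the final block wins: without 'quick', the last matching rule decides, and the block is inbound rule 8 when counting from 0, which is the @0:8 that ipmon logged. The six snipped rules and the source address are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of IP Filter inbound matching: rules are scanned top to bottom,
# the LAST matching rule decides, unless a matching rule carries "quick", which
# ends the scan at once. Only the fields the post's rules use are modelled.
@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface name, or "any"
    src: str = "any"             # source network in CIDR form, or "any"
    dport: Optional[int] = None  # destination port, None = any port
    quick: bool = False
    log: bool = False            # recorded for completeness; does not affect the decision

def matches(rule: Rule, iface: str, src_ip: str, dport: int) -> bool:
    if rule.iface not in ("any", iface):
        return False
    if rule.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules, iface, src_ip, dport):
    """Return (decision, index of the deciding rule), the "@0:N" that ipmon prints."""
    decision, hit = "pass", None          # IPF lets a packet through if no rule matches
    for idx, rule in enumerate(rules):
        if matches(rule, iface, src_ip, dport):
            decision, hit = rule.action, idx
            if rule.quick:
                break
    return decision, hit

# Inbound rules in the post's order: loopback (0), six snipped DHCP/NTP/ICMP rules
# (1-6, constructed stand-ins that never match TCP/22), the subnet pass (7)
# and the final quick block (8).
INBOUND = (
    [Rule("pass", "lo0", quick=True)]
    + [Rule("pass", "xn0", dport=123) for _ in range(6)]
    + [Rule("pass", "xn0", src="72.205.44.0/23", log=True),   # no "quick": scan continues
       Rule("block", "xn0", quick=True, log=True)]            # matches everything left
)
SSH_FROM_HOME = ("xn0", "72.205.45.10", 22)   # constructed address inside the /23

def poster_result():
    # Rule 7 matches, but rule 8 also matches and is quick, so the block wins: ('block', 8)
    return evaluate(INBOUND, *SSH_FROM_HOME)

def fixed_result():
    # Adding "quick" (and, in practice, "keep state") to rule 7 ends the scan there: ('pass', 7)
    fixed = list(INBOUND)
    fixed[7] = Rule("pass", "xn0", src="72.205.44.0/23", quick=True, log=True)
    return evaluate(fixed, *SSH_FROM_HOME)
```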