Date: Mon, 17 Jan 2005 22:36:50 +0100
From: "Kövesdán Gábor" <gabor.kovesdan@freemail.hu>
To: "'Erik Norgaard'" <norgaard@locolomo.org>
Cc: freebsd-questions@freebsd.org
Subject: RE: IPF firewalling
Message-ID: <20050117213649.ICID10341.viefep11-int.chello.at@hyperduron>
In-Reply-To: <41EAD5E8.9060100@locolomo.org>
Hello,

>Now reading this - maybe you left out the default action at the top of
>the ruleset? - I only see pass rules and unless you compiled your kernel
>with default block, then default is pass, leaving your host with no
>effective firewall at all.
>
>Should suffice just to flush the rules, unless you compile your kernel
>with default block. Whatever default is, it is always a good idea for
>clarity to include a catch-all rule.
>
>Also, make sure to add "log" and start ipmon, when something falls
>through or is blocked for other reasons, you have a log entry stating
>which rule blocked so you can debug your ruleset. - I see I left it out
>in the default rules I suggested, these rules should go at top of the file:
>
>block out log all
>block in log all
>
>Whatever falls through your ruleset will be logged so you can analyse it.
>
>When you flush your rulesets, the state table is not flushed, so you
>shouldn't lose your connection. Also, I recommend reading rules
>into the inactive ruletable first. Then swap. This way you make sure
>your rules do not contain typos and you don't leave your firewall/host
>vulnerable.
>
># ipf -IFa && ipf -I -f <rulefile> && ipf -s && sleep 60 && ipf -s
>
>lets you test the new ruleset for 60 seconds, should you lose connection.
>If things work then
>
># ipf -Ifa && ipf -I -f <rulefile> && ipf -s && ipf -IFa

I've resolved the problem with individual pass out rules for the tcp, udp and icmp protocols. I don't know why "pass out all" was not okay, but it wasn't. Thus my ruleset starts with these lines:

pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags

Anyway, thanks for your ideas, which were very useful for me. I'm now using the catch-all rules as you suggested.

You also mentioned there can be some problems with the ftp server. Could you tell me please what you meant? Ftp hasn't been running yet, so I can't test it, but there will also be an ftp soon.

Thanks,
Gábor Kövesdán
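A complete ruleset in the shape this thread converges on, as an added example that is not from either poster: the logged catch-all block rules at the top, then the stateful pass out rules from the message. The interface name re0 comes from the message; the file path, the loopback rules and the sshd pass in rule are assumptions added to show where inbound services go.

```conf
# /etc/ipf.rules (assumed path). IPF semantics: the LAST matching rule
# wins unless an earlier matching rule says "quick". Non-quick catch-alls
# at the top therefore act as the default policy and log everything that
# no later rule claims (watch them with ipmon).
block in log all
block out log all

# Loopback traffic is always allowed (assumed, not from the thread).
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound traffic from this host, one rule per protocol as in the message.
# "keep state" admits the replies without a matching pass in rule;
# "keep frags" accepts fragments belonging to a tracked connection.
pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags

# Inbound services, added here as an assumed example: only new TCP
# connections (SYN only, "flags S") to sshd. Anything else inbound falls
# through to "block in log all" and shows up in the ipmon log.
pass in quick on re0 proto tcp from any to any port = 22 flags S keep state
```

On FreeBSD the logging side is enabled in /etc/rc.conf with ipmon_enable="YES" and ipmon_flags="-Ds" (run as a daemon, log via syslog), alongside ipfilter_enable="YES" and ipfilter_rules pointing at the file above.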