From: jonas
To: freebsd-questions@freebsd.org
Date: Tue, 20 Sep 2005 00:52:21 +0200
Subject: Re: problem with IPF rules - (problem solved but i'm still confused)
Message-ID: <20050920005221.33554ee6@localhost>
In-Reply-To: <432F2B89.9000305@locolomo.org>
References: <20050919172642.45408cf9@localhost> <432EDE1D.2050107@locolomo.org> <20050919192954.6ac0e9a9@localhost> <20050919193553.25dd0afd@localhost> <432F2B89.9000305@locolomo.org>

On Mon, 19 Sep 2005 23:20:09 +0200 Erik Nørgaard wrote:

> jonas wrote:
> > adding a 'keep state' to the 'pass in'-rules solved this problem.
> > but i still do not understand why it didn't work before, because
> > outgoing traffic was allowed with
> > "pass out quick on ng0 from any to any keep state"
> > i'd really prefer to know what's going on there :)
> >
> > any ideas?
>
> It would help if you would post your ruleset and not the readout,
> it's easier to read. Secondly, it is possible to compile ipf with
> default block - post the default action also.
>
> Cheers, Erik

/etc/ipf.rules:

### ng0
# allow anything out to the internet
pass out quick on ng0 from any to any keep state
# allow http, https, ssh
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state
# outgoing bittorrent data
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 55555
# block anything else
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all

### rl1
# allow pptp-dialout
pass out quick on rl1 from any to 172.16.0.1 keep state
# allow GRE-traffic
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16
# block anything else
block in quick on rl1 all
block out quick on rl1 all

IPF is still compiled with default accept (as said in the original post). i didn't have time to recompile it yet, and i didn't think this made sense if too much got blocked anyway ;)

with this config everything works as i want. but why do i need the 'keep state' to make the webserver accessible?

cya,
jonas