Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 1 May 2005 19:56:47 -0400
From:      <bob@a1poweruser.com>
To:        "Chris Knipe" <savage@savage.za.org>, <freebsd-questions@lists.freebsd.org>
Subject:   RE: ipf out rule
Message-ID:  <MIEPLLIBMLEEABPDBIEGIENLHDAA.bob@a1poweruser.com>
In-Reply-To: <001901c54ea0$ee58ad50$0a01a8c0@ops.cenergynetworks.com>

next in thread | previous in thread | raw e-mail | index | archive | help
When asking for help with firewall rules you have to post complete
content of firewall rule set file because some previous rule may be
dropping all packets. If this is your complete rule set them you are
missing the mandatory L0 interface rule to pass quick all.  rl0 must
be Nic connected to public internet. x.x.x.120/29 is ip address
range of pc's on private LAN behind firewall. This is not much of
firewall with everything being allowed out.  You could replace all
of these meaning less statements with   pass quick all from any to
any

You really need to read firewall section of the official handbook.
It has working examples of ipf.rules rule set along with detailed
explanation of how to build firewall rules.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chris Knipe
Sent: Sunday, May 01, 2005 6:56 PM
To: freebsd-questions@lists.freebsd.org
Subject: ipf out rule


Hi,

Can anyone take a minute to just explain to me why ipf is blocking
this...

ipf.rules:
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S
keep state
keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state
keep
frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state
keep
frags
block out log quick on rl0 all

ipftest:
opening rule file "ipf.new"
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--------------
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210

Thanks.


--
Chris.

I love deadlines. I especially love the whooshing sound they make as
they
fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGIENLHDAA.bob>