Date: Mon, 17 Sep 2001 10:35:48 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: <rene@xs4all.nl>
Cc: <questions@freebsd.org>
Subject: Re: ping fails (setup: pptp, ppp, adsl (xs4all.nl), ipf, IPv4)
Message-ID: <20010917102303.X26392-100000@cactus.fi.uba.ar>
In-Reply-To: <20010916164802.I7106@xs4all.nl>
On Sun, 16 Sep 2001 rene@xs4all.nl wrote:

Your ruleset seems overly complex. Are you using an Alcatel modem?

For the pptp link to work, you need to allow tcp to port 1723. You can keep state on that connection and block everything else on xl0:

    pass out on xl0 proto tcp from any to 10.0.0.138 port = 1723 flags S keep state
    block return-rst in on xl0 proto tcp all

For the tun0 rules, do the same: keep state on outgoing connections/packets and block everything else:

    pass out quick on tun0 proto tcp all flags S keep state
    pass out quick on tun0 proto udp all keep state
    pass out quick on tun0 proto icmp all keep state
    block return-rst in log quick on tun0 proto tcp all
    block return-icmp in log quick on tun0 proto udp all
    block in log quick on tun0 proto icmp all

For the NAT rules, if you want to use FTP from behind the firewall, you may want to use the built-in ftp proxy:

    map tun0 192.168.102.0/24 -> 0/32 proxy port ftp ftp/tcp

If you have more than one machine behind the firewall it is better to use "portmap":

    map tun0 192.168.102.0/24 -> 0/32 portmap tcp/udp 40000:65000

And finally, to allow icmp from behind the firewall, use a plain map:

    map tun0 192.168.102.0/24 -> 0/32

That is basically what I have, and it works. Hope this helps.
Fer

> allrighty;
>
> -- /etc/ipf.rules
> # Let loopback packets through
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # Disallow direct access to the Alcatel
> block out log quick on xl0 from any to 10.0.0.138 port = 21
> block out log quick on xl0 from any to 10.0.0.138 port = 23
> block out log quick on xl0 from any to 10.0.0.138 port = 80
>
> # Allow all other communication
> pass out quick on xl0 from 10.0.0.139/32 to 10.0.0.138
> pass in quick on xl0 from 10.0.0.138/32 to 10.0.0.139
>
> # Anti-spoofing rules
> block in log quick on tun0 from 0.0.0.0/8 to any
> block in log quick on tun0 from 127.0.0.0/8 to any
> block in log quick on tun0 from 10.0.0.0/8 to any
> block in log quick on tun0 from 172.16.0.0/12 to any
> block in log quick on tun0 from 192.168.0.0/16 to any
> block in log quick on tun0 from 169.254.0.0/16 to any
> block in log quick on tun0 from 224.0.0.0/3 to any
>
> # Own IP address
> block in log quick on tun0 from 194.109.196.149 to any
>
> # Traffic from and to local LAN
> pass in quick on de0 proto tcp from 192.168.102.0/24 to any keep state
> pass in quick on de0 proto udp from 192.168.102.0/24 to any keep state
> pass in quick on de0 proto icmp from 192.168.102.0/24 to any keep state
>
> # (additional rules go here that allow access to the gateway)
> pass out quick on de0 proto tcp from any to 192.168.102.0/24 keep state
> pass out quick on de0 proto udp from any to 192.168.102.0/24 keep state
> pass out quick on de0 proto icmp from any to 192.168.102.0/24 keep state
>
> # Allow traffic to go out
> pass out quick on tun0 proto tcp from any to any keep state
> pass out quick on tun0 proto udp from any to any keep state
> pass out quick on tun0 proto icmp from any to any keep state
>
> --- /etc/ipnat.rules
> map lo0 192.168.102.0/24 -> 0/32
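The points the reply makes about the two rulesets (NAT bound to lo0 instead of the external interface, outbound rules on tun0 that must keep state, stateful tcp rules that should match only on `flags S`, and a catch-all inbound block on the external interface) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from FreeBSD or from IPFilter. The `lint` function, the `external_if` parameter and the finding codes are my own naming, the parser only understands the subset of ipf syntax that appears in the thread, and the two embedded rulesets are constructed from the rules posted above (the original one is a subset).

```python
"""Lint an IPFilter ipf.rules / ipnat.rules pair for the mistakes discussed in
this thread.  Added example, not part of IPFilter or of the original post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                        # pass / block
    text: str                          # the rule as written, for reporting
    direction: Optional[str] = None    # in / out
    interface: Optional[str] = None    # token after "on"
    proto: Optional[str] = None        # token after "proto"
    src: Optional[str] = None          # token after "from" ("any" for "all")
    dst: Optional[str] = None          # token after "to"   ("any" for "all")
    flags: Optional[str] = None        # token after "flags", e.g. "S" or "S/SA"
    keep_state: bool = False


def rule_lines(text: str):
    """Yield non-empty rule lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ipf_rule(line: str) -> Rule:
    """Parse the ipf.rules subset used in the thread; unknown tokens are skipped."""
    toks = line.split()
    rule = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok in ("on", "proto", "from", "to", "flags"):
            i += 1                     # keyword followed by one value token
            setattr(rule, {"on": "interface", "proto": "proto", "from": "src",
                           "to": "dst", "flags": "flags"}[tok], toks[i])
        elif tok == "all":
            rule.src = rule.dst = "any"
        elif tok == "keep" and i + 1 < len(toks) and toks[i + 1] == "state":
            rule.keep_state = True
            i += 1
        i += 1
    return rule


def syn_only(flags: Optional[str]) -> bool:
    """True when the rule matches only a bare SYN ("flags S" or "S/<mask>")."""
    return flags is not None and flags.split("/")[0] == "S"


def lint(ipf_text: str, ipnat_text: str, external_if: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    rules = [parse_ipf_rule(l) for l in rule_lines(ipf_text)]
    for r in rules:
        if r.action != "pass":
            continue
        # Replies to a stateless outbound rule fall through to the inbound blocks.
        if r.direction == "out" and r.interface == external_if and not r.keep_state:
            findings.append(("no-keep-state", r.text))
        # Without "flags S" any stray TCP packet can create a state entry.
        if r.proto == "tcp" and r.keep_state and not syn_only(r.flags):
            findings.append(("tcp-no-flags-s", r.text))
    if not any(r.action == "block" and r.direction == "in" and r.interface == external_if
               and r.src == "any" and r.dst == "any" for r in rules):
        findings.append(("no-inbound-block", external_if))
    # NAT has to sit on the interface the packets actually leave on.
    for line in rule_lines(ipnat_text):
        toks = line.split()
        if toks[0] == "map" and toks[1] != external_if:
            findings.append(("nat-wrong-if", line))
    return findings


# Constructed sample input: a subset of the poster's original rules.
ORIGINAL_IPF = """\
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on xl0 from 10.0.0.139/32 to 10.0.0.138
pass in quick on xl0 from 10.0.0.138/32 to 10.0.0.139
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 192.168.0.0/16 to any
pass in quick on de0 proto tcp from 192.168.102.0/24 to any keep state
pass out quick on de0 proto tcp from any to 192.168.102.0/24 keep state
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
"""
ORIGINAL_IPNAT = "map lo0 192.168.102.0/24 -> 0/32\n"

# Constructed sample input: the stateful rules from the reply.
FIXED_IPF = """\
pass out on xl0 proto tcp from any to 10.0.0.138 port = 1723 flags S keep state
block return-rst in on xl0 proto tcp all
pass out quick on tun0 proto tcp all flags S keep state
pass out quick on tun0 proto udp all keep state
pass out quick on tun0 proto icmp all keep state
block return-rst in log quick on tun0 proto tcp all
block return-icmp in log quick on tun0 proto udp all
block in log quick on tun0 proto icmp all
"""
FIXED_IPNAT = """\
map tun0 192.168.102.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.102.0/24 -> 0/32 portmap tcp/udp 40000:65000
map tun0 192.168.102.0/24 -> 0/32
"""

if __name__ == "__main__":
    for code, detail in lint(ORIGINAL_IPF, ORIGINAL_IPNAT, "tun0"):
        print(f"{code:18} {detail}")
    print("fixed ruleset findings:", lint(FIXED_IPF, FIXED_IPNAT, "tun0"))
```

Run against the poster's rules it flags the lo0 map, the three stateful tcp rules that lack `flags S`, and the missing catch-all inbound block on tun0; the reply's ruleset comes back clean. The tokenizer skips everything it does not recognise (`log`, `quick`, `return-rst`, `port = 21`), which is enough for these rulesets but not for the full ipf grammar (groups, port ranges, `head`/`group` keywords), so treat it as a first-pass check rather than a validator.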