Date:      Sat, 25 Sep 2004 18:57:18 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        AndygreenNet@netscape.net
Subject:   Re: Can't access rsh listen on lo0
Message-ID:  <200409251857.29746.max@love2party.net>
In-Reply-To: <3DF5ED57.7064152C.0C457E44@netscape.net>
References:  <3DF5ED57.7064152C.0C457E44@netscape.net>


On Saturday 25 September 2004 06:08, AndygreenNet@netscape.net wrote:
> Hello freebsd-pf,
>
> Help me please.
>
> I have:
> FreeBSD 5_2_1
> pf-freebsd-2.03

First of all ... to *everybody*: If you want a production-use box with pf, please move to a 5.3-BETA installation and get pf out of the box. If you are worried about stability, set debug.mpsafenet=0 (PREEMPTION and ULE are off by default). You won't regret it!

> I tried to access rsh listening on lo0.
> The connection is interrupted with the messages:
>   rsh: Connection timeout;
>   or
>   rsh: Connection reset by peer.

That is a fairly complicated ruleset you have there; I have some trouble reading it. But you might want to try the following:

> My pf.conf.
>
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="{ vlan1, fxp2 }"        # replace with actual external interface name i.e., dc0
> int_if="fxp0"                   # replace with actual internal interface name i.e., dc1
> ext_bridge_if="{ vlan0, vlan2, vlan3 }"

unfiltered="{ lo0 }"

> int_bridge_if="{ xl0, vlan4, vlan5 }"
> internal_net_TTK="62.33.196.128/25"
> internal_net_RT_COMM="213.59.235.120/29"
> external_addr_TTK="62.33.196.254"
> external_addr_RT_COMM="213.59.128.130"
> restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
> allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023}"
> allow_udp_ports="{ domain, > 1023}"
> ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
> ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/usr/local/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> no rdr on lo0 from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>

# Allow loopback and friends
pass quick on $unfiltered

> # Filtering: external interfaces
> block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
> pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
> pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>
> # Filtering: external bridge interfaces
> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in quick on $ext_bridge_if $ARP_in
> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
> pass out quick on $ext_bridge_if $ARP_out
> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>
> # Filtering internal interfaces with keep state, logging blocked packets.
> block in log on $int_if all
> pass in quick on $int_if $ARP_out keep state
> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
> pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state
>
> # Filtering internal bridge interfaces with keep state, logging blocked packets.
> block in log on $int_bridge_if all
> pass in quick on $int_bridge_if $ARP_out keep state
> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state
>
> Where was I mistaken?

Not sure ... $pfctl -vsr and pflog0 may tell you.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
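The reply above hinges on pf's rule-evaluation order: rules are walked top to bottom, the first matching rule carrying `quick` decides immediately, otherwise the last matching rule decides, and a packet that matches no rule at all is passed. The script below is an added example, not code from this thread or from pf itself. It models only that much (it matches on interface and direction and ignores protocols, addresses and ports) over a constructed, cut-down ruleset shaped after the poster's macros, with a default-deny `block log all` added so that the effect of the suggested `pass quick on $unfiltered` line is visible. Macro names, the sample rules and the helper names are all assumptions made for the example.

```python
"""Minimal model of pf rule ordering (added example; not pf's code).

Rules are evaluated top to bottom; the first matching rule marked `quick`
decides at once, otherwise the LAST matching rule decides, and a packet that
matches no rule is passed. Only interface and direction are matched here
(protocols, addresses and ports are ignored), which is enough to show why an
early `pass quick on lo0` matters once a catch-all block rule is present.
"""
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
RULE_RE = re.compile(r'^(pass|block)\b(.*)$')

# Constructed sample: the poster's interface macros, cut down, plus a
# default-deny `block log all` so the loopback rule has something to beat.
WITH_LOOPBACK_RULE = """
ext_if="{ vlan1, fxp2 }"
int_if="fxp0"
unfiltered="{ lo0 }"
set block-policy drop
scrub in all
pass quick on $unfiltered      # the line suggested in the reply
block log all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state
pass in on $int_if all keep state
"""
# The same constructed ruleset with the loopback line removed.
WITHOUT_LOOPBACK_RULE = WITH_LOOPBACK_RULE.replace("pass quick on $unfiltered", "")


def _expand_list(value):
    """'{ a, b }' -> ['a', 'b'];  'a' -> ['a']."""
    return [x.strip() for x in value.strip().strip("{}").split(",") if x.strip()]


def parse_pf_conf(text):
    """Return (macros, rules). A rule is a dict with action, direction
    (None = both), quick, interfaces (None = any interface) and raw text."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                             # set/scrub/rdr/table: not filter rules
        action, tokens = m.group(1), m.group(2).split()
        direction = tokens[0] if tokens and tokens[0] in ("in", "out") else None
        interfaces = None
        if "on" in tokens:
            i = tokens.index("on") + 1
            if tokens[i] == "{":                 # literal list: on { a, b }
                target = " ".join(tokens[i + 1:tokens.index("}", i)])
            else:                                # single name or $macro
                target = tokens[i]
                if target.startswith("$"):
                    target = macros.get(target[1:], target)
            interfaces = _expand_list(target)
        rules.append({"action": action, "direction": direction,
                      "quick": "quick" in tokens, "interfaces": interfaces,
                      "raw": line})
    return macros, rules


def decide(rules, interface, direction):
    """Apply pf ordering for a packet on `interface` going `direction`.
    Returns (action, raw text of the deciding rule, or None for the default)."""
    last = None
    for r in rules:
        if r["direction"] not in (None, direction):
            continue
        if r["interfaces"] is not None and interface not in r["interfaces"]:
            continue
        if r["quick"]:
            return r["action"], r["raw"]         # first quick match ends evaluation
        last = r
    if last is None:
        return "pass", None                      # pf's implicit default
    return last["action"], last["raw"]           # otherwise the last match wins


def loopback_open(rules):
    """True when traffic on lo0 is passed in both directions."""
    return all(decide(rules, "lo0", d)[0] == "pass" for d in ("in", "out"))


if __name__ == "__main__":
    for label, conf in (("with", WITH_LOOPBACK_RULE), ("without", WITHOUT_LOOPBACK_RULE)):
        _, rules = parse_pf_conf(conf)
        print(f"{label} loopback rule: lo0 open = {loopback_open(rules)}")
        for iface, d in (("lo0", "in"), ("vlan1", "in"), ("fxp0", "in"), ("fxp0", "out")):
            print(f"  {iface:5} {d:3} -> {decide(rules, iface, d)}")
```

Run as-is, the script shows lo0 decided by the early `pass quick` rule when the line is present and by `block log all` when it is absent; it also shows that on `fxp0` the outbound direction falls through to the catch-all block because the only `int_if` rule is an inbound one. The real ruleset from the thread has no catch-all block rule, which is why Max points at `pfctl -vsr` (rules with match and state counters) and `pflog0` rather than at the ruleset alone.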


