Date: Sat, 18 Aug 2001 01:22:28 -0400 From: "diwelf" <diwelf@gmx.net> To: <freebsd-stable@freebsd.org> Cc: "ipfilter list" <ipfilter@cairo.anu.edu.au> Subject: IPFilter problem on current cvs Message-ID: <000d01c127a5$c674b930$0200000a@jargon>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] [-- Attachment #2 --] # # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.33 2001/07/30 17:31:40 wpaul Exp $ machine i386 cpu I586_CPU ident LINGO maxusers 512 options NMBCLUSTERS=65536 #makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols options MATH_EMULATE #Support for x87 emulation options INET #InterNETworking options IPFILTER options IPFILTER_LOG options IPFILTER_DEFAULT_BLOCK options FFS #Berkeley Fast Filesystem options FFS_ROOT #FFS usable as root device [keep this!] options SOFTUPDATES #Enable FFS soft updates support options MFS #Memory Filesystem options MD_ROOT #MD is a potential root device options NFS #Network Filesystem options NFS_ROOT #NFS usable as root device, NFS required options MSDOSFS #MSDOS Filesystem options CD9660 #ISO 9660 Filesystem options CD9660_ROOT #CD-ROM usable as root, CD9660 required options PROCFS #Process filesystem options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!] options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI options UCONSOLE #Allow users to grab the console options USERCONFIG #boot -c editor options VISUAL_USERCONFIG #visual boot -c editor options KTRACE #ktrace(1) support options SYSVSHM #SYSV-style shared memory options SYSVMSG #SYSV-style message queues options SYSVSEM #SYSV-style semaphores options P1003_1B #Posix P1003_1B real-time extensions options _KPOSIX_PRIORITY_SCHEDULING options ICMP_BANDLIM #Rate limit bad replies options KBD_INSTALL_CDEV # install a CDEV entry in /dev device isa device eisa device pci # Floppy drives device fdc0 at isa? port IO_FD1 irq 6 drq 2 device fd0 at fdc0 drive 0 # ATA and ATAPI devices device ata0 at isa? port IO_WD1 irq 14 device ata1 at isa? port IO_WD2 irq 15 device ata device atadisk # ATA disk drives device atapifd # ATAPI floppy drives options ATA_STATIC_ID #Static device numbering # atkbdc0 controls both the keyboard and the PS/2 mouse device atkbdc0 at isa? port IO_KBD device atkbd0 at atkbdc? irq 1 flags 0x1 device psm0 at atkbdc? irq 12 device vga0 at isa? # splash screen/screen saver pseudo-device splash # syscons is the default console driver, resembling an SCO console device sc0 at isa? flags 0x100 options VESA # Floating point support - do not disable. device npx0 at nexus? port IO_NPX irq 13 # Power management support (see LINT for more options) device apm0 at nexus? disable flags 0x20 # Advanced Power Management # Serial (COM) ports device sio0 at isa? port IO_COM1 flags 0x10 irq 4 device sio1 at isa? port IO_COM2 irq 3 device sio2 at isa? disable port IO_COM3 irq 5 device sio3 at isa? disable port IO_COM4 irq 9 # Parallel port device ppc0 at isa? irq 7 device ppbus # Parallel port bus (required) device lpt # Printer device ppi # Parallel port interface device # PCI Ethernet NICs. device miibus # MII bus support device dc # DEC/Intel 21143 and various workalikes device rl # RealTek 8129/8139 pseudo-device loop #loop back pseudo-device ether # Ethernet support pseudo-device tun # Packet tunnel. pseudo-device pty # Pseudo-ttys (telnet etc) pseudo-device md # Memory "disks" # The `bpf' pseudo-device enables the Berkeley Packet Filter. # Be aware of the administrative consequences of enabling this! pseudo-device bpf #Berkeley packet filter [-- Attachment #3 --] ## ipf config file. ## created august 16, 2001 ## (c) diwelf & ia ## do whatever the hell you want w/ this. ## diwelf@hotmail.com ## exterior interface rules ## dc0 = world nick # blocking of the RFC network addresses # block in quick on dc0 from 192.168.0.0/16 to any block in quick on dc0 from 172.16.0.0/12 to any # #log connection attemps to localnet # block in log quick on dc0 from 10.0.0.0/8 to any block in quick on dc0 from 127.0.0.0/8 to any block in quick on dc0 from 169.254.0.0/16 to any block in quick on dc0 from 192.0.2.0/24 to any block in quick on dc0 from 204.152.64.0/23 to any block in quick on dc0 from 224.0.0.0/3 to any # block internal network connectivity from the outside # #block in quick on dc0 from 10.0.0.0/8 to any # block spoofing from localhost # block out quick on dc0 from any to 192.168.0.0/16 block out quick on dc0 from any to 172.16.0.0/12 block out quick on dc0 from any to 127.0.0.0/8 block out quick on dc0 from any to 169.254.0.0/16 block out quick on dc0 from any to 192.0.2.0/24 block out quick on dc0 from any to 204.152.64.0/23 block out quick on dc0 from any to 224.0.0.0/3 # log smurf attacks # block in log quick on dc0 from any to 10.0.0.0/32 block in log quick on dc0 from any to 10.0.0.255/32 # for loopback to work # pass out quick on lo0 pass in quick on lo0 # for ping and traceroute to work # pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 0 pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 11 # log other types of icmp attempts # block in log quick on dc0 proto icmp from any to any # allow ssh from outside and inside # #pass in quick on dc0 proto tcp from any to any port = 22 pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port = 22 # allow in irc servers from outside to connect to ident pass in quick on dc0 proto tcp from any to any port = 113 # allow in web from internal net # #pass in quick on rl0 proto tcp from 10.0.0.0/8 to 10.0.0.1 port = 80 ## outside interface ## # allow out tcp/udp/icmp traffic and keep state pass out quick on dc0 proto tcp from any to any keep state pass out quick on dc0 proto udp from any to any keep state pass out quick on dc0 proto icmp from any to any keep state block out quick on dc0 all #allow bootp to MY dhcmp server pass in quick on dc0 proto udp from 24.2.9.105/32 to any port = 68 keep state #block and log all remaining traffic coming into the firewall block return-rst in log quick on dc0 proto tcp from any to any block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp from any to any block in log quick on dc0 all #inside interface #allow out all tcp/udp/icmp and keep state pass out quick on rl0 proto tcp from any to any keep state pass out quick on rl0 proto udp from any to any keep state pass out quick on rl0 proto icmp from any to any keep state block out quick on rl0 all #allow in tcp/udp/icmp traffic and keep state pass in quick on rl0 proto tcp from any to any keep state pass in quick on rl0 proto udp from any to any keep state pass in quick on rl0 proto icmp from any to any keep state block in quick on rl0 all [-- Attachment #4 --] #for nat to work #map dc0 10.0.0.0/8 -> 0/32 #rdr dc0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp # new test # port map #map dc0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025><65000 # handle icmp, etc map dc0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000 map dc0 10.0.0.0/24 -> 0/32 # make ipnat act as an ftp gateway (transparent) #map dc0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp [-- Attachment #5 --] # -- sysinstall generated deltas -- # # Created: Wed Aug 1 18:46:04 2001 # Enable network daemons for user convenience. # This file now contains just the overrides from /etc/defaults/rc.conf # please make all changes to this file. amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map" check_quotas="NO" font8x14="NO" font8x16="swiss-8x16" font8x8="/usr/share/syscons/fonts/swiss-8x8" allscreens_flags="-r green black VGA_80x30" gateway_enable="YES" hostname="cr642371-a" network_interfaces="auto" ifconfig_lo0="inet 127.0.0.1" ifconfig_dc0="DHCP" ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0" ipfilter_enable="YES" ipmon_enable="YES" ipmon_flags="-Dsvn" ipnat_enable="YES" inetd_enable="YES" kern_securelevel_enable="NO" keyrate="fast" nfs_client_enable="NO" pccard_ifconfig="NO" portmap_enable="NO" sendmail_enable="NO" ntpdate_enable="NO" sshd_enable="YES" syslogd_flags="-ss" sshd_flags="-4" update_motd="NO" #nfs_client_enable="YES" #nfs_client_flgs="-n 4" moused_port="/dev/cuaa0" moused_type="logitech" moused_enable="YES" # -- sysinstall generated deltas -- # saver="star" blanktime="240" [-- Attachment #6 --] vfs.vmiodirenable=1 kern.ipc.somaxconn=4096 kern.maxfiles=65536 net.inet.tcp.log_in_vain=1 #net.inet.udp.log_in_vain=1 net.inet.tcp.sendspace=32768 net.inet.tcp.recvspace=32768 net.inet.icmp.drop_redirect=1 net.inet.icmp.log_redirect=1 net.inet.ip.redirect=0 net.inet.ip.sourceroute=0 net.inet.ip.accept_sourceroute=0 net.link.ether.inet.max_age=1200 net.inet.icmp.bmcastecho=0
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000d01c127a5$c674b930$0200000a>