Date: Wed, 10 Apr 2002 04:13:22 +0700
From: "Somphol B." <somphol@gits.net.th>
To: <freebsd-questions@freebsd.org>
Subject: IPFILTER
Message-ID: <011c01c1e00b$625b57a0$cc9a96cb@ple>
I am running FreeBSD 4.5-Release on a machine with 2 NICs. I have set up IPFILTER (to protect the host) with the following rules. It is fine for a few hours or sometimes a few days, then my machine is mysteriously frozen. I could ping, but couldn't ssh to the host. Logging in to the host, I couldn't even do nslookup. BTW, when the machine froze, the log does show that packets were blocked heavily.

Am I missing something obvious here?

# To reread the rules
# /sbin/ipf -Fa -f /etc/ipf.rules
#
pass in quick on lo0
pass out quick on lo0

#### allow pass out
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

#### OK allow HTTP (web)
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 80 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 80 keep state

# allow icmp echo request
pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 8 keep state
# allow icmp echo reply
pass in quick on fxp0 proto icmp from any to any icmp-type 0 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 0 keep state
# allow various icmp codes
pass in quick on fxp0 proto icmp from any to any icmp-type 3 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 3 keep state
# allow time-exceeded
pass in quick on fxp0 proto icmp from any to any icmp-type 11 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 11 keep state

### OK allow SSH
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 22 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 22 keep state

### OK allow SMTP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 25 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 25 keep state

### OK allow IMAP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 143 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 143 keep state

### OK allow POP3
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 110 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 110 keep state

### OK allow IMAPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 993 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 993 keep state
### OK allow POPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 995 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 995 keep state

### OK allow active FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port = 21 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port = 21 keep state

### allow passive FTP (see -U for man ftpd)
### allow port 1024 - 4999 for passive FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
### allow passive FTP (see -U for man ftpd)
### allow port 1024 - 4999 for passive FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port 1024 >< 4999 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port 1024 >< 4999 keep state

block in log quick proto tcp from any to any
block in log quick all

Somphol.
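The poster reports that the log showed heavy blocking while the host was unreachable, and the ruleset above relies entirely on `keep state` entries to admit return traffic (DNS answers to the host's own queries, mid-stream segments of connections it opened). What a practitioner would want first is a breakdown of what the two trailing `block in log quick` rules were actually dropping. The following is an added example, not code from the original post, from FreeBSD, or from the IPFilter project: it parses ipmon(8)-style log lines and separates new inbound connection attempts, which those block rules are meant to drop, from packets that look like replies to flows the host itself started, which the `keep state` rules should have admitted. The log lines are constructed, the field layout follows ipmon's usual text output and is an assumption, and the reply heuristic is the author's own.

```python
"""Summarize ipmon-style block log lines from a stateful ipf ruleset.

Added example: the sample lines are constructed and the line layout is
assumed to follow ipmon(8)'s usual text output, i.e.
  date time iface @group:rule action src[,sport] -> dst[,dport] PR proto len hlen plen [flags] IN|OUT
"""
import re
from collections import Counter

# Constructed sample: two SSH SYNs from one source, two DNS answers from the
# resolver, one mid-stream HTTP segment, one ICMP echo reply. Rule 0:31 is
# the 'block in log quick proto tcp' rule, 0:32 the final 'block in log quick all'.
SAMPLE_LOG = """\
10/04/2002 03:58:01.112233 fxp0 @0:31 b 192.0.2.10,34567 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
10/04/2002 03:58:01.223344 fxp0 @0:32 b 198.51.100.1,53 -> 198.51.100.5,49152 PR udp len 20 93 IN
10/04/2002 03:58:02.334455 fxp0 @0:32 b 198.51.100.1,53 -> 198.51.100.5,49153 PR udp len 20 87 IN
10/04/2002 03:58:02.445566 fxp0 @0:31 b 203.0.113.7,80 -> 198.51.100.5,50012 PR tcp len 20 52 -A IN
10/04/2002 03:58:03.556677 fxp1 @0:32 b 203.0.113.9 -> 198.51.100.130 PR icmp len 20 84 icmp 0/0 IN
10/04/2002 03:58:04.667788 fxp0 @0:31 b 192.0.2.10,34568 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<rest>.*?))? (?P<dir>IN|OUT)$"
)


def parse_line(line):
    """Parse one ipmon-style line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rest = rec.pop("rest") or ""
    # TCP flags appear as e.g. "-S", "-A", "-SA"; strip the leading dash.
    rec["tcp_flags"] = rest[1:] if rec["proto"] == "tcp" and rest.startswith("-") else ""
    icmp = re.search(r"icmp (\d+)/(\d+)", rest)
    rec["icmp_type"] = int(icmp.group(1)) if icmp else None
    return rec


def parse_log(text):
    """Parse every recognisable line; unrecognised lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def looks_like_reply(rec):
    """Heuristic: would an inbound packet like this normally be admitted by a
    'keep state' entry that an outbound packet created?"""
    if rec["dir"] != "IN":
        return False
    if rec["proto"] == "tcp":
        flags = rec["tcp_flags"]
        new_syn = "S" in flags and "A" not in flags   # bare SYN = new attempt
        return not new_syn                             # SYN-ACK, ACK, FIN, RST: mid-stream
    if rec["proto"] == "udp":
        # Answer from a well-known service port to an ephemeral port (e.g. DNS).
        return rec["sport"] is not None and rec["sport"] < 1024 and rec["dport"] >= 1024
    if rec["proto"] == "icmp":
        return rec["icmp_type"] in (0, 3, 11)   # echo reply, unreachable, time exceeded
    return False


def summarize(records):
    """Aggregate blocked packets by rule, destination port and source, and
    count how many look like replies the state table should have passed."""
    blocked = [r for r in records if r["action"] == "b"]
    reply_like = sum(1 for r in blocked if looks_like_reply(r))
    return {
        "total": len(blocked),
        "by_rule": Counter(r["rule"] for r in blocked),
        "by_dport": Counter((r["proto"], r["dport"]) for r in blocked),
        "by_src": Counter(r["src"] for r in blocked),
        "reply_like": reply_like,
        "new_attempts": len(blocked) - reply_like,
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"blocked: {s['total']}  new attempts: {s['new_attempts']}  reply-like: {s['reply_like']}")
    print("by rule:", dict(s["by_rule"]))
    print("top dst ports:", s["by_dport"].most_common(3))
    print("top sources:", s["by_src"].most_common(3))
```

Run it against the real ipmon output instead of `SAMPLE_LOG` (for example by reading `/var/log/ipflog` or whatever file ipmon writes to, into `parse_log`). A high count of new attempts from a few sources is the block rules doing their job; a high count of reply-like packets means return traffic for the host's own flows is no longer matching state entries, which is the case to check with `ipfstat -s` (state table statistics) before looking elsewhere.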
