Date: Wed, 02 Jun 2004 15:12:20 +0000
From: Randy Babb <randy@insipidity.co.uk>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: IPFILTER Rules
Message-ID: <1086188875.5101.29.camel@localhost>
Hi,

I'm just learning how to use IPFilter and I'm having some trouble. I hope someone can help me. I have a server running on my LAN that I'm trying to set up some rules on; they are basically the same as the ones in Absolute BSD by Michael Lucas. The server is running two instances of Apache (on ports 80 and 81, the latter should only be accessible from my machine through the LAN), a POP3 server, the SSH daemon, an FTP server and a proxy server (Squid).

When I use these rules all my connections to the server are really slow, except to both instances of Apache for some reason - those are normal. For instance, a connection to the POP3 server would usually be established almost instantly, but now it takes around 80 seconds. If I just use the rules "pass in all" and "pass out all" it works fine, so it is definitely a problem with my rules.

Here are the rules:

block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 192.168.1.30 group 100
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.30 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = ftp keep state group 200
pass in quick proto tcp from any to any port = 8080 keep state group 200
pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200

That last "group 200" is on the end of the previous line, it has just been wrapped in my email client.

Thanks,
Randy
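The thread as archived here does not say what the cause was. One explanation that fits the symptoms, offered as an assumption rather than anything the post confirms: the outbound head rule "pass out on rl0 all head 100" keeps no state, so replies to connections the server itself opens (its own DNS lookups in particular) are judged by inbound group 200, where UDP is blocked outright and non-SYN TCP to ephemeral ports has no pass rule. Daemons that do a reverse lookup on every new client (POP3, SSH, FTP) then hang until the resolver gives up, while Apache with hostname lookups off is unaffected. The outbound section below is an added rewrite, not the poster's file, that keeps state on what the server sends out; the final line is the poster's own UDP block with "log" added so the drops can be confirmed with ipmon(8) before anything is changed.

```conf
# Added example, not part of the original post. Replaces the group 100
# section of the ruleset quoted above; interface and addresses are the poster's.
pass out on rl0 all head 100
  # Anti-spoofing blocks must be "quick": a later non-quick pass in the same
  # group would otherwise win on last-match and let these packets through.
  block out quick from 127.0.0.0/8 to any group 100
  block out quick from any to 127.0.0.0/8 group 100
  block out quick from any to 192.168.1.30 group 100
  # "keep state" records each outbound DNS query / TCP connection / ping so
  # that its replies are admitted by the state table instead of being
  # evaluated against inbound group 200, which has no rule that passes them.
  pass out quick proto udp from any to any keep state group 100
  pass out quick proto tcp from any to any flags S/SA keep state group 100
  pass out quick proto icmp from any to any keep state group 100

# Diagnostic only: same inbound UDP block as in the post, with logging, so
# that "ipmon" shows the dropped DNS replies while a POP3 login is attempted.
block return-icmp(net-unr) in log proto udp all group 200
```

If the logged drops turn out to be something other than the server's own resolver traffic, the explanation above does not apply and the inbound group is the place to look next.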