Date: Wed, 18 Dec 2002 13:17:32 +1100 (EST)
From: Keith Spencer <bsd2000au@yahoo.com.au>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
Cc: fbsd <freebsd-questions@freebsd.org>
Subject: More..Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
Message-ID: <20021218021732.83180.qmail@web12002.mail.yahoo.com>
In-Reply-To: <20021217194625.K52840-100000@cactus.fi.uba.ar>
Hi again,

OK, what I meant was: apart from having changed an interface (tun0, not ed0),
the ruleset is identical. And the rule set works! It dials out everything...
It only works iff the default_block option is not active. As you can see,
quick is there. So how can it be that I do exactly what Marty S does and no
one else reports hassles with it?

Any clues, Fer et al?

Keith

> What's your internal interface? What's your external one? Is this box
> acting as a router? Are you using user ppp or mpd? How many NICs does
> this box have?
>
> It seems to me that your ruleset is incomplete. Send the output of
> 'ifconfig -a' after the ppp link is set up (when you got the public IP).
>
> Fer
>
> > --- Fernando Gleiser <fgleiser@cactus.fi.uba.ar> wrote:
> > > On Tue, 17 Dec 2002, Keith Spencer wrote:
> > >
> > > > Hi all,
> > > > Marty Schlacter is obviously the man. I am following his firewall
> > > > tute religiously but I am doing something wrong!
> > > > I have an ipf.rules EXACTLY like his. Works a treat...but only if
> > > > I remove the kernel ipfilter_default_block option.
> > > > If it is in there...it blocks way too well. Everything.
> > > > What is going on here or has Marty got it all wrong?
> > >
> > > Are you using the 'quick' keyword? If you don't, ipf uses a
> > > last-match checking, and the last rule is 'block all'.
> > >
> > > See the IPF HOWTO for details.
> >
> > +++++++++++ipf.rules++++++++++++++++++++++++++++++
> > ######################################################
> > # Inside Interface
> > #####################################################
> > #----------------------------------------------------------------
> > # Allow out all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass out quick on ed1 proto tcp from any to any keep state
> > pass out quick on ed1 proto udp from any to any keep state
> > pass out quick on ed1 proto icmp from any to any keep state
> > block out quick on ed1 all
> >
> > #----------------------------------------------------------------
> > # Allow in all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass in quick on ed1 proto tcp from any to any keep state
> > pass in quick on ed1 proto udp from any to any keep state
> > pass in quick on ed1 proto icmp from any to any keep state
> > block in quick on ed1 all
> >
> > #################################################################
> > # Loopback Interface
> > #################################################################
> > #----------------------------------------------------------------
> > # Allow everything to/from your loopback interface so you
> > # can ping yourself (e.g. ping localhost)
> > #----------------------------------------------------------------
> > pass in quick on lo0 all
> > pass out quick on lo0 all

http://greetings.yahoo.com.au - Yahoo! Greetings - Send your seasons greetings online this year!
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
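An added simulation, not part of this thread and not IPFilter's own code, of the matching semantics Fer describes: the last matching rule decides, a matching rule carrying `quick` ends evaluation immediately, and a packet that matches no rule at all falls through to the kernel default, which is `pass` unless the kernel was built with `options IPFILTER_DEFAULT_BLOCK`. The `Rule`/`Packet` types, `parse_rule`, `evaluate` and the sample packets are assumptions made for this demo (addresses, ports and `keep state` are not modelled); the rules themselves are the ones from the quoted ipf.rules, which name only ed1 and lo0. The interesting case is a packet on an interface the ruleset never mentions, such as tun0: it matches nothing, so the two kernel builds give opposite verdicts.

```python
"""Educational model of IPFilter (ipf) rule evaluation.

Semantics modelled: last match wins; 'quick' short-circuits; an unmatched
packet gets the default policy ('pass', or 'block' when the kernel has
options IPFILTER_DEFAULT_BLOCK).  This is a simulation for illustration,
not the real ipf engine: addresses, ports and state are ignored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    iface: str       # interface the rule applies to, e.g. "ed1"
    proto: str       # "tcp", "udp", "icmp" or "any"
    quick: bool      # True when the rule carries the 'quick' keyword


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str


def parse_rule(line: str) -> Rule:
    """Parse the ipf syntax subset used in the quoted ruleset, e.g.
    'pass out quick on ed1 proto tcp from any to any keep state'."""
    tok = line.split()
    proto = tok[tok.index("proto") + 1] if "proto" in tok else "any"
    return Rule(action=tok[0], direction=tok[1],
                iface=tok[tok.index("on") + 1], proto=proto,
                quick="quick" in tok)


def parse_ruleset(text: str) -> list:
    """Skip blank lines and '#' comments, parse everything else."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto))


def evaluate(rules: list, pkt: Packet, default_block: bool = False) -> str:
    """Return 'pass' or 'block' for pkt under ipf's matching rules."""
    verdict = None
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action   # a later match overrides an earlier one...
            if rule.quick:
                break               # ...unless the match is 'quick'
    if verdict is None:             # nothing matched: kernel default decides
        return "block" if default_block else "pass"
    return verdict


# Rules from the quoted ipf.rules (comments dropped): only ed1 and lo0.
QUOTED_RULES = """
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# Constructed variant with 'quick' removed, to show last-match behaviour.
NO_QUICK_RULES = """
pass out on ed1 proto tcp from any to any keep state
block out on ed1 all
"""


def demo() -> dict:
    """Verdicts for constructed packets under both kernel defaults."""
    quoted = parse_ruleset(QUOTED_RULES)
    noquick = parse_ruleset(NO_QUICK_RULES)
    lan_tcp = Packet("out", "ed1", "tcp")
    ppp_tcp = Packet("out", "tun0", "tcp")   # external link: no rule names tun0
    return {
        "ed1_tcp_default_pass": evaluate(quoted, lan_tcp),
        "ed1_tcp_default_block": evaluate(quoted, lan_tcp, default_block=True),
        "tun0_tcp_default_pass": evaluate(quoted, ppp_tcp),
        "tun0_tcp_default_block": evaluate(quoted, ppp_tcp, default_block=True),
        "ed1_tcp_no_quick": evaluate(noquick, lan_tcp),   # last rule wins
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The ed1 verdicts are the same under both builds because a `quick` rule always matches; tun0 traffic is passed by the default kernel and blocked under IPFILTER_DEFAULT_BLOCK, and the no-`quick` variant shows why Fer asked about the keyword: without it the trailing `block out on ed1 all` is the last match and wins.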
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021218021732.83180.qmail>