From: bob@a1poweruser.com
To: "Chris Knipe", freebsd-questions@freebsd.org
Date: Sun, 1 May 2005 19:56:47 -0400
Subject: RE: ipf out rule

When asking for help with firewall rules you have to post the complete contents of the firewall rule set file, because some previous rule may be dropping all packets. If this is your complete rule set then you are missing the mandatory lo0 interface rule to pass quick all. rl0 must be the NIC connected to the public internet. x.x.x.120/29 is the IP address range of the PCs on the private LAN behind the firewall.

This is not much of a firewall with everything being allowed out. You could replace all of these meaningless statements with

pass quick all from any to any

You really need to read the firewall section of the official handbook. It has working examples of an ipf.rules rule set along with a detailed explanation of how to build firewall rules.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chris Knipe
Sent: Sunday, May 01, 2005 6:56 PM
To: freebsd-questions@lists.freebsd.org
Subject: ipf out rule

Hi,

Can anyone take a minute to just explain to me why ipf is blocking this...

ipf.rules:

# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

ipftest:

opening rule file "ipf.new"
in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
--------------
out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210

Thanks.

--
Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by."
- Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
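Editor's note, added after the thread and not part of either message: the ipftest run above is explained by two ipf behaviours working together. The posted file has no "in" rule at all, so the inbound SYN passes by ipf's default action rather than by a "keep state" rule, and no state entry is created; the returning SYN-ACK then has to be matched by the "out" rules, where "flags S" only accepts a bare SYN, so it falls through to "block out log quick on rl0 all". The Python below is a deliberately simplified model of that evaluation (ordered rules, "quick", last match wins otherwise, default pass, a state table keyed on the flow) written for this page; it is not ipf's code. The 192.0.2.x addresses stand in for the masked x.x.x. prefix in the post, and the extra inbound rule in FIXED_RULES is one candidate fix chosen here for illustration, not something either poster proposed.

```python
"""Simplified model of IPFilter (ipf) rule evaluation with 'quick' and 'keep state'.

Added example for this page, not ipf's own code. Modelled behaviours:
- rules are checked in order; 'quick' stops at the first match, otherwise the
  last matching rule wins; no match at all means pass (ipf's default action,
  consistent with the inbound SYN passing in the ipftest output);
- 'keep state' on the winning pass rule records the flow, and later packets of
  that flow in either direction pass via the state table before rules are read;
- 'flags S' matches only a bare SYN (SYN set, ACK clear).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters, e.g. "S" or "SA"


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None     # None = any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags: Optional[str] = None     # "S" = bare SYN only
    quick: bool = False
    keep_state: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags == "S" and not ("S" in pkt.flags and "A" not in pkt.flags):
        return False                # a SYN-ACK does not satisfy 'flags S'
    return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()          # flows keyed on protocol + unordered endpoints

    def _key(self, pkt: Packet):
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet, updating the state table."""
        if self._key(pkt) in self.state:
            return "pass", "state"
        winner = None
        for i, r in enumerate(self.rules):
            if rule_matches(r, pkt):
                winner = (i, r)
                if r.quick:
                    break
        if winner is None:
            return "pass", "default"
        i, r = winner
        if r.action == "pass" and r.keep_state:
            self.state.add(self._key(pkt))
        return r.action, f"rule {i}"


LAN = "192.0.2.120/29"              # placeholder for the post's x.x.x.120/29

# The rule set exactly as posted (outbound rules only).
POSTED_RULES = [
    Rule("pass", "out", "rl0", "tcp", LAN, "any", flags="S", quick=True, keep_state=True),
    Rule("pass", "out", "rl0", "udp", LAN, "any", quick=True, keep_state=True),
    Rule("pass", "out", "rl0", "icmp", LAN, "any", quick=True, keep_state=True),
    Rule("block", "out", "rl0", None, quick=True),
]

# One candidate fix (an assumption of this example): a stateful inbound rule for
# the ssh port, so the SYN creates state and the SYN-ACK passes via that state.
FIXED_RULES = [
    Rule("pass", "in", "rl0", "tcp", "any", LAN, dport=22, flags="S", quick=True, keep_state=True),
] + POSTED_RULES

# The two packets from the ipftest run, with the masked prefix replaced.
SYN = Packet("in", "rl0", "tcp", "196.25.1.1", 2210, "192.0.2.122", 22, "S")
SYNACK = Packet("out", "rl0", "tcp", "192.0.2.122", 22, "196.25.1.1", 2210, "SA")


def replay(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Feed the SYN then the SYN-ACK through a fresh firewall; return both verdicts."""
    fw = Firewall(rules)
    return [fw.filter(SYN), fw.filter(SYNACK)]


if __name__ == "__main__":
    print("posted:", replay(POSTED_RULES))   # SYN passes by default, SYN-ACK hits the block rule
    print("fixed: ", replay(FIXED_RULES))    # SYN matches the in rule, SYN-ACK passes via state
```

The point the model makes concrete is that "keep state" only helps if the rule that creates the state is the one that matches the first packet of the flow; a packet that passes by ipf's default action leaves no state behind, and every later packet of that connection is judged on the rules alone.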