From owner-freebsd-questions Sat Jan 12 17:29:50 2002
Date: Sat, 12 Jan 2002 23:29:36 -0200
From: BinarySoul
To: Peter Wolkerstorfer
Cc: freebsd-questions@freebsd.org
Subject: Re: please help on 1(one) ipf rule - still not working
Message-ID: <20020112232936.A12385@b1n.org>
References: <3C187D20.E1901AD5@unet.univie.ac.at> <20020112132633.E31058@b1n.org> <3C190917.AD60F415@unet.univie.ac.at>
In-Reply-To: <3C190917.AD60F415@unet.univie.ac.at>; from a9203537@unet.univie.ac.at on Thu, Dec 13, 2001 at 09:01:27PM +0100
User-Agent: Mutt/1.2.5i
X-Operating-System: OpenBSD 3.0 (i386)

Peter,

IMHO, these rules:

> pass out quick on rl1 proto tcp from 192.168.0.0/16 to any flags S/SA
> keep state
> pass out quick on rl1 proto udp from 192.168.0.0/16 to any keep state
> pass out quick on rl1 proto icmp from 192.168.0.0/16 to any keep state

are wrong, because your internal network can't reach your external interface (rl1). If you want to block everything external (through rl1) going to your firewall, just do something like:

block in on rl1 all

But remember, doing that, your firewall will never receive ICMP echo-replies or resolve names (even if you run named on your firewall, you still need to resolve the root name servers). You don't need any extra rule for your local network to access your firewall (through rl0).
Peter Wolkerstorfer (a9203537@unet.univie.ac.at) wrote:
> Dear list members,
>
> THX to BinarySoul and Mark Woodson for their hints. With their info I
> adapted the ipf.rules (ipf v.3.4.20 on fbsd 4.4.) like this:
>
> pass out quick on rl1 proto tcp from 192.168.0.0/16 to any flags S/SA
> keep state
> pass out quick on rl1 proto udp from 192.168.0.0/16 to any keep state
> pass out quick on rl1 proto icmp from 192.168.0.0/16 to any keep state
> block in on rl1 all
>
> rl1 is the interface to the external network, rl0 is the internal network.
>
> What I want to do:
> block ALL incoming traffic from the internet (also ssh) but connect to
> the firewall from the internal network.
>
> Problem:
> I can't ssh-login from the INTERNAL network to the firewall (which
> probably means that I cannot ssh-login from 192.168.0.11 to 192.168.0.1;
> 192.168.0.1 is the firewall and the corresponding interface is rl0)
>
> BUT:
> I can do everything I want (including SSH) OVER the firewall
>
> I tried
> pass in quick on rl0 all
> before the block
> to let me in with ssh on the rl0 interface, but it also didn't work;
>
> Any ideas?
>
> THX in advance
> peter "wolki" wolkerstorfer
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
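The two points in the reply above (rules "on rl1" never see traffic that arrives on rl0, and "block in on rl1 all" also eats the firewall's own echo-replies) can be checked by walking packets through the rules by hand. The following is an added example, not code from the original mail or from IPFilter itself: a toy Python model of ipf's evaluation order (the last matching rule wins unless a matching rule says "quick"; the state table is consulted before the rules), run over Peter's ruleset. Assumptions: 192.168.0.1 (rl0) and 192.168.0.11 come from the thread, while the firewall's rl1 address 203.0.113.5 and the Internet host 198.51.100.7 are constructed from documentation ranges; NAT is not modelled (replies are shown already un-NATed); stock FreeBSD ipf passes packets no rule matches unless the kernel is built with IPFILTER_DEFAULT_BLOCK, which the `default` parameter stands in for.

```python
"""Toy model of IPFilter (ipf) rule evaluation for the rules in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str         # rl0 = LAN side, rl1 = Internet side
    direction: str     # "in" or "out" from the firewall's point of view
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    syn: bool = False  # TCP SYN without ACK, what "flags S/SA" matches


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    syn_only: bool = False        # "flags S/SA"
    keep_state: bool = False


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Keyword scanner for the subset of ipf rule syntax used in the thread."""
    t = text.split()
    r, i = Rule(action=t[0], direction=t[1]), 2
    while i < len(t):
        w, arg = t[i], t[i + 1] if i + 1 < len(t) else None
        if w == "quick":
            r.quick = True
        elif w == "on":
            r.iface = arg
        elif w == "proto":
            r.proto = arg
        elif w in ("from", "to"):
            setattr(r, "src" if w == "from" else "dst", _net(arg))
        elif w == "flags":   # the thread only uses "flags S/SA"
            r.syn_only = arg == "S/SA"
        elif w == "keep":    # "keep state"
            r.keep_state = arg == "state"
        elif w != "all":     # "all" is from any to any, i.e. the defaults
            raise ValueError(f"unsupported keyword {w!r} in: {text}")
        i += 1 if w in ("quick", "all") else 2
    return r


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
        and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
        and (not rule.syn_only or (pkt.proto == "tcp" and pkt.syn))
    )


class Firewall:
    def __init__(self, rules, default: str = "pass"):
        # Stock ipf passes what no rule matches; IPFILTER_DEFAULT_BLOCK flips that.
        self.rules = [parse_rule(r) for r in rules]
        self.default = default
        self.state = set()  # (proto, src, dst) of flows with kept state

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.state or (pkt.proto, pkt.dst, pkt.src) in self.state:
            return "pass (state)"  # the state table is consulted before the rules
        verdict, hit = self.default, None
        for rule in self.rules:
            if matches(rule, pkt):
                verdict, hit = rule.action, rule
                if rule.quick:
                    break  # quick stops here; otherwise the last match decides
        if verdict == "pass" and hit is not None and hit.keep_state:
            self.state.add(key)
        return verdict


PETER_RULES = [
    "pass out quick on rl1 proto tcp from 192.168.0.0/16 to any flags S/SA keep state",
    "pass out quick on rl1 proto udp from 192.168.0.0/16 to any keep state",
    "pass out quick on rl1 proto icmp from 192.168.0.0/16 to any keep state",
    "block in on rl1 all",
]
# Constructed for this example: 203.0.113.5 is the firewall's rl1 address, 198.51.100.7 a remote host.
FW_LAN, LAN_HOST, FW_WAN, REMOTE = "192.168.0.1", "192.168.0.11", "203.0.113.5", "198.51.100.7"


def walk_through(default: str = "pass") -> dict:
    fw = Firewall(PETER_RULES, default)
    return {
        "lan_ssh_to_fw": fw.filter(Packet("rl0", "in", "tcp", LAN_HOST, FW_LAN, syn=True)),
        "inet_ssh_to_fw": fw.filter(Packet("rl1", "in", "tcp", REMOTE, FW_WAN, syn=True)),
        "lan_syn_out": fw.filter(Packet("rl1", "out", "tcp", LAN_HOST, REMOTE, syn=True)),
        "reply_to_lan": fw.filter(Packet("rl1", "in", "tcp", REMOTE, LAN_HOST)),
        "fw_ping_out": fw.filter(Packet("rl1", "out", "icmp", FW_WAN, REMOTE)),
        "fw_ping_reply": fw.filter(Packet("rl1", "in", "icmp", REMOTE, FW_WAN)),
    }
```

What the walk-through shows: the ssh SYN from 192.168.0.11 to 192.168.0.1 arrives "in on rl0", and none of the four rules mentions rl0, so only the default policy decides its fate (pass on a stock kernel, block with IPFILTER_DEFAULT_BLOCK); putting "pass in quick on rl0 all" in front makes it pass under either default. The LAN host's outbound SYN matches the first rule and creates state, so the SYN/ACK coming back in on rl1 is passed by the state table, while the firewall's own ping leaves rl1 from 203.0.113.5, outside 192.168.0.0/16, matches no pass-out rule, keeps no state, and its echo-reply is blocked by "block in on rl1 all", which is the caveat in the reply. On the real box the equivalent check is to load the file with `ipf -Fa -f /etc/ipf.rules` and read the rule list back with `ipfstat -io`.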