From: Peter Wolkerstorfer
Date: Fri, 14 Dec 2001 11:58:27 +0100
To: freebsd-questions@freebsd.org
Subject: Re: please help on 1(one) ipf rule - still not working

BinarySoul wrote:
> you don't need any extra rule to your local network to access your
> firewall (through rl0).

This is exactly what I think as well, but it doesn't work. I considered the advice from Crist J. Clark about the loopback device and it didn't help either. So I will start all over again from the basics and build a new kernel (maybe I have missed something important there).

THX to all of you for your hints so far! (I hope I don't have to stress your time again with the new kernel; as far as my knowledge goes, in theory my ruleset should work as I want it.)

peter "wolki" wolkerstorfer

P.S.: if you're interested, this is how I think it should work:

    # the first three rules let me do everything from inside to outside
    # THIS WORKS!!! - even with ssh (and all other stuff like pinging, dns, pop3...)
    pass out quick on rl1 proto tcp from 192.168.0.0/16 to any flags S/SA keep state
    pass out quick on rl1 proto udp from 192.168.0.0/16 to any keep state
    pass out quick on rl1 proto icmp from 192.168.0.0/16 to any keep state

    # this time I won't kill my loopback, so these two rules are inserted
    # THX to C.J. Clark
    pass out quick on lo0 all
    pass in quick on lo0 all

    # this rule should block all traffic coming from outside EXCEPT all the
    # answers of all established connections from inside (keep state)
    block in on rl1 all

> > rl1 is the interface to external network, rl0 is internal network.
> >
> > what I want to do:
> > block ALL incoming traffic from the internet (also ssh) but connect to
> > the firewall from the internal network.

not solved:

> > problem:
> > I can't ssh-login from INTERNAL network to the firewall (which is
> > probably that I cannot ssh-login from 192.168.0.11 to 192.168.0.1;
> > 192.168.0.1 is the firewall and the corresponding interface is rl0)
> >
> > BUT: ..still..
> > I can do everything I want (including SSH) OVER the firewall
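The same policy written default-deny, as an added example and not the ruleset posted in this thread: it assumes the LAN is 192.168.0.0/24 and the firewall's rl0 address is 192.168.0.1 (the addresses named above), names ssh from the LAN to the firewall explicitly instead of leaving rl0 unfiltered, and logs everything it refuses so a failing connection shows up in ipmon.

```ipf
# /etc/ipf.rules - added example, not the ruleset from the thread.
# Assumptions: rl1 = external interface, rl0 = internal interface
# with address 192.168.0.1, LAN = 192.168.0.0/24.

# loopback is never filtered
pass in quick on lo0 all
pass out quick on lo0 all

# anti-spoofing: private source addresses never arrive from the internet
block in log quick on rl1 from 192.168.0.0/16 to any
block in log quick on rl1 from 10.0.0.0/8 to any
block in log quick on rl1 from 172.16.0.0/12 to any

# LAN -> the firewall itself: ssh only; the state entry lets the replies
# back out on rl0 without a separate rule
pass in quick on rl0 proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 22 flags S/SA keep state
# everything else addressed to the firewall from the LAN is refused and logged
# (add rules above this line for services the firewall itself offers)
block in log quick on rl0 from any to 192.168.0.1

# LAN -> beyond the firewall: accepted on rl0, state kept on the rl1 leg;
# "from any" on rl1 also covers the firewall's own outbound traffic (dns, ntp)
pass in quick on rl0 from 192.168.0.0/24 to any
pass out quick on rl0 from any to 192.168.0.0/24
pass out quick on rl1 proto tcp from any to any flags S/SA keep state
pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state

# default deny, logged: nothing unsolicited enters rl1 (replies to the
# state entries above are matched before the rules), nothing unexpected leaves
block in log all
block out log all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` while opening the ssh connection from 192.168.0.11; a logged block line names the rule that refused the packet.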