From owner-freebsd-questions Tue Aug 11 01:05:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA24882 for freebsd-questions-outgoing; Tue, 11 Aug 1998 01:05:34 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from smtp1.xs4all.nl (smtp1.xs4all.nl [194.109.6.51]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA24855 for ; Tue, 11 Aug 1998 01:05:26 -0700 (PDT) (envelope-from arnout@tomcat.xs4all.nl)
Received: from tomcat.xs4all.nl (tomcat.xs4all.nl [194.109.15.187]) by smtp1.xs4all.nl (8.8.8/8.8.8) with ESMTP id KAA06000; Tue, 11 Aug 1998 10:04:58 +0200 (CEST)
Received: (from arnout@localhost) by tomcat.xs4all.nl (8.9.1/8.9.1) id KAA03182; Tue, 11 Aug 1998 10:06:43 +0200 (CEST)
Message-ID: <19980811100643.36215@xs4all.nl>
Date: Tue, 11 Aug 1998 10:06:43 +0200
From: Arnout Boer
To: Doug White
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: smtp mail and user ppp filters
References: <199808081213.OAA03128@tomcat.xs4all.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: ; from Doug White on Mon, Aug 10, 1998 at 04:55:58PM -0700
X-Operating-System: FreeBSD 2.2.7-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi there!

> > I've got the strange feeling that I have incorrect filter rules.
> > But I couldn't find the correct ones in the handbook or
> > the config files.
> > Especially for smtp mail...
> > Can anybody send me a complete set of their filter rules which
> > do work so I can find out what I'm doing wrong!?
>
> What kind of filtering are you trying to do?
>
> We can look at your existing rules...

Ok.. here they are: mail won't come in (smtp) and a portscan delivers nothing!
I think I've overlooked something.

# ppp.conf
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 deny udp src eq 520
set filter alive 4 deny udp dst eq 520
set filter alive 5 deny udp src eq 137
set filter alive 6 deny udp dst eq 137
set filter alive 7 deny udp src eq 138
set filter alive 8 deny udp dst eq 138
set filter alive 9 deny udp src eq 139
set filter alive 10 deny udp dst eq 139
set filter alive 11 permit 0/0 0/0
#
# And we don't want ICMPs to cause a dialup:
#
set filter dial 0 deny icmp
set filter dial 1 deny udp src eq 53
set filter dial 2 deny udp dst eq 53
set filter dial 3 deny udp src eq 137
set filter dial 4 deny udp dst eq 137
set filter dial 5 deny udp src eq 138
set filter dial 6 deny udp dst eq 138
set filter dial 7 deny udp src eq 139
set filter dial 8 deny udp dst eq 139
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
set filter dial 9 deny 0 0 tcp syn finrst
# Finally
set filter dial 10 permit 0/0 0/0
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 20 dst gt 1023
set filter out 3 permit tcp dst eq 20
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 5 permit icmp
set filter out 5 permit icmp
set filter in 6 permit udp dst gt 33433
set filter out 6 permit udp src gt 33433
set filter out 7 permit tcp dst eq 25
set filter in 7 permit tcp src eq 25 estab
set filter in 8 permit 0/0 192.168.0.1/24
set filter out 8 permit 192.168.0.1/24 0/0
set filter in 9 permit udp src eq 22
set filter out 9 permit udp dst eq 22
set filter out 10 permit tcp dst eq 22
set filter in 10 permit tcp src eq 22
set filter in 11 permit udp src eq 119
set filter out 11 permit udp dst eq 119
set filter out 12 permit tcp dst eq 119
set filter in 12 permit tcp src eq 119
set filter in 14 permit udp src eq 110
set filter out 14 permit udp dst eq 110
set filter out 15 permit tcp dst eq 110
set filter in 15 permit tcp src eq 110
set filter in 16 permit udp src eq 194
set filter out 16 permit udp dst eq 194
set filter out 18 permit tcp dst eq 194
set filter in 18 permit tcp src eq 194
set filter out 19 permit tcp src eq 80
set filter in 19 permit tcp dst eq 80
#
# If none of the above rules matches, then the packet is blocked.

Any suggestions are welcome,

Arnout

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
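Added example, not part of the message above and not ppp's own code. Reading the posted "in" and "out" sets, the only SMTP rules are "out 7 permit tcp dst eq 25" and "in 7 permit tcp src eq 25 estab": they cover a session the local host opens to a remote mail server, plus the established replies to it. A remote MX delivering mail does the opposite, it opens a TCP connection to port 25 on the PPP address. Its first packet arrives with destination port 25, a high source port and no ACK bit, so it matches no "in" rule and is dropped by the deny-by-default; a port scan looks empty for the same reason, and even if the SYN got through, the SYN-ACK leaving with source port 25 matches no "out" rule either. The evaluator below models the subset of ppp(8) syntax the posted file uses under assumed semantics (rules tried in ascending number order, first match wins, unmatched packets denied, "estab" meaning the ACK bit is set, an address without /width meaning /32; check these against ppp(8)), replays constructed packets with documentation addresses against rules 0, 1, 7 and 8 of the posted sets, and then again with two hypothetical extra rules, "in permit tcp dst eq 25" and "out permit tcp src eq 25 estab", numbered 9 only for the example since 9 is udp/22 in the posted file. The posted sets also skip numbers 13 and 17; how ppp treats an unset rule number is documented in ppp(8) and is worth checking as well, because this evaluator simply sorts whatever rules it is given.

```python
# Added example, not code from the message above and not ppp's own code: an
# evaluator for the subset of ppp(8) "set filter" syntax the posted ppp.conf
# uses, to show which rule (if any) an inbound SMTP connection hits.  Assumed
# semantics (check ppp(8)): rules are tried in ascending number order, first
# match decides, no match means deny, "estab" = TCP with ACK set, no /width = /32.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False                 # TCP ACK bit, what "estab" tests

@dataclass
class Rule:
    number: int
    action: str                       # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: Optional[str] = None
    ports: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # "src"/"dst" -> (op, port)
    estab: bool = False

def _network(token: str) -> ipaddress.IPv4Network:
    """Turn ppp's short forms such as 0/0 or 192.168.0.1/24 into a network."""
    addr, _, width = token.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(f"{'.'.join(octets)}/{width or 32}", strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one 'set filter <name> <n> <permit|deny> ...' line."""
    toks = line.split()
    rest, nets = toks[5:], []
    while rest and rest[0][0].isdigit():          # optional src address, then dst
        nets.append(_network(rest.pop(0)))
    nets += [_network("0/0")] * (2 - len(nets))
    rule = Rule(int(toks[3]), toks[4], nets[0], nets[1], rest.pop(0) if rest else None)
    while rest:
        tok = rest.pop(0)
        if tok in ("src", "dst"):
            rule.ports[tok] = (rest.pop(0), int(rest.pop(0)))
        elif tok == "estab":
            rule.estab = True
        else:                                     # syn/finrst are not modelled here
            raise ValueError(f"unsupported token {tok!r} in rule {rule.number}")
    return rule

def parse_rules(conf: str, name: str) -> List[Rule]:
    """All rules of filter set `name` ("in", "out", ...) in a ppp.conf fragment."""
    prefix = f"set filter {name} "
    return [parse_rule(ln) for ln in conf.splitlines() if ln.lstrip().startswith(prefix)]

def matches(rule: Rule, pkt: Packet) -> bool:
    if (ipaddress.ip_address(pkt.src) not in rule.src_net
            or ipaddress.ip_address(pkt.dst) not in rule.dst_net
            or (rule.proto is not None and rule.proto != pkt.proto)):
        return False
    for key, value in (("src", pkt.sport), ("dst", pkt.dport)):
        if key in rule.ports:
            op, port = rule.ports[key]
            if not {"eq": value == port, "gt": value > port, "lt": value < port}[op]:
                return False
    return not rule.estab or (pkt.proto == "tcp" and pkt.ack)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching no rule is denied (rule None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

# The tcp rules of the posted "in"/"out" sets that could touch SMTP traffic
# (numbers 0, 1, 7, 8), copied from the message above.
POSTED = """
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter out 7 permit tcp dst eq 25
set filter in 7 permit tcp src eq 25 estab
set filter in 8 permit 0/0 192.168.0.1/24
set filter out 8 permit 192.168.0.1/24 0/0
"""
# Missing from the posted file: a remote MX connecting *to* port 25, and our
# SYN-ACK going back out *from* port 25 (rule 9 is udp/22 there, so renumber).
FIX = "set filter in 9 permit tcp dst eq 25\nset filter out 9 permit tcp src eq 25 estab\n"
POSTED_IN, POSTED_OUT = parse_rules(POSTED, "in"), parse_rules(POSTED, "out")
FIXED_IN, FIXED_OUT = parse_rules(POSTED + FIX, "in"), parse_rules(POSTED + FIX, "out")
# Constructed sample packets (documentation addresses; ME is our PPP address).
MX, ME = "198.51.100.10", "203.0.113.5"
INBOUND_SMTP_SYN = Packet(MX, ME, "tcp", sport=4321, dport=25)      # MX opens to us
OUR_SYNACK = Packet(ME, MX, "tcp", sport=25, dport=4321, ack=True)  # our reply
REPLY_TO_OUR_SMTP = Packet(MX, ME, "tcp", sport=25, dport=2000, ack=True)
```

Calling evaluate(POSTED_IN, INBOUND_SMTP_SYN) gives ("deny", None) and evaluate(POSTED_OUT, OUR_SYNACK) gives ("deny", None), while evaluate(POSTED_IN, REPLY_TO_OUR_SMTP) gives ("permit", 7); with the two extra rules both SMTP packets are permitted by rule 9. The same evaluator can be fed any inbound SYN to see why a port scan of the posted set shows nothing.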