From: Barry Pederson
Date: Mon, 16 Dec 2002 18:07:23 -0600
To: "Robin P. Blanchard"
Cc: stable@freebsd.org
Subject: Re: ipfilter / ipnat quandry

Robin P. Blanchard wrote:
> -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
> # ipf -V
> ipf: IP Filter: v3.4.29 (336)
> Kernel: IP Filter: v3.4.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
>
> The only external port I've allowed in is SSH, yet nmapping the box
> yields a slew of purportedly other open ports. Have I broken my
> ruleset somewhere? Please advise.
>
> # nmap -v -sS -O a.b.c.d

Are you executing nmap on the same machine you're probing?
If so, then I think most of those rules won't apply, since the activity from nmap won't be going through your tx0 interface. You'd have to run nmap from another machine to get a useful result.

You could also check the output of:

    ipfstat -hin

(just to make sure the rules are actually loaded)

Barry
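As an added illustration, not Robin's actual ruleset (which is not quoted in the thread): a minimal ipf ruleset of the kind described, with every filter rule bound to the external interface tx0 named in the reply. A scan run on the gateway itself arrives over lo0 and never touches the tx0 rules, so nmap simply reports whatever the host is listening on; only a scan from another machine exercises them.

```conf
# Constructed example /etc/ipf.rules; interface name tx0 is taken from the reply.
# Loopback traffic is passed outright: an nmap run on the gateway hits lo0, not tx0.
pass in  quick on lo0 all
pass out quick on lo0 all

# Outbound from the gateway: let replies back in via state, nothing else.
pass out quick on tx0 proto tcp  from any to any flags S keep state
pass out quick on tx0 proto udp  from any to any keep state
pass out quick on tx0 proto icmp from any to any keep state

# Only SSH (TCP/22) is accepted from outside; everything else inbound on tx0
# is blocked and logged, so an external scan shows up in ipmon output.
pass  in quick on tx0 proto tcp from any to any port = 22 flags S keep state
block in log quick on tx0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules`; `ipfstat -hin` then lists the inbound rules with hit counts, and a scan from another host should increment only the port 22 pass rule and the final block rule.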