Date:      Tue, 20 Sep 2005 00:52:21 +0200
From:      jonas <jonas.de.buhr@gmx.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: problem with IPF rules - (problem solved but i'm still confused)
Message-ID:  <20050920005221.33554ee6@localhost>
In-Reply-To: <432F2B89.9000305@locolomo.org>
References:  <20050919172642.45408cf9@localhost> <432EDE1D.2050107@locolomo.org> <20050919192954.6ac0e9a9@localhost> <20050919193553.25dd0afd@localhost> <432F2B89.9000305@locolomo.org>

On Mon, 19 Sep 2005 23:20:09 +0200
Erik Nørgaard <norgaard@locolomo.org> wrote:

> jonas wrote:
> > adding a 'keep state' to the 'pass in'-rules solved this problem.
> > but I still do not understand why it didn't work before, because
> > outgoing traffic was allowed with
> > "pass out quick on ng0 from any to any keep state"
> > I'd really prefer to know what's going on there :)
> > 
> > any ideas?
> 
> It would help if you would post your ruleset and not the readout,
> it's easier to read. Secondly, it is possible to compile ipf with
> default block - post the default action also.
> 
> Cheers, Erik

/etc/ipf.rules:

### ng0
# allow anything out to the internet
pass out quick on ng0 from any to any keep state

# allow http, https, ssh
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state

# outgoing bittorrent data
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 55555

# block anything else
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all

### rl1
# allow pptp-dialout
pass out quick on rl1 from any to 172.16.0.1 keep state
# allow GRE-traffic
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16

# block anything else
block in quick on rl1 all
block out quick on rl1 all


IPF is still compiled with default accept (as said in the original post).
I didn't have time to recompile it yet, and I didn't think this made
sense if too much got blocked anyway ;)

With this config everything works as I want. But why do I need the 'keep
state' to make the webserver accessible?

cya,
jonas
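To make the ordering of the ruleset above checkable, here is a small Python evaluator, added here and not part of the thread, that parses the posted /etc/ipf.rules and reports, for a given packet, which rule ipf would pick under its last-match-unless-quick semantics and whether that rule keeps state. It assumes the default-accept build the poster describes and covers only the rule syntax this ruleset uses.

```python
import ipaddress
import re
# The poster's /etc/ipf.rules, each rule joined back onto one line (mail wrapping removed).
RULES = """
pass out quick on ng0 from any to any keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 55555
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all
pass out quick on rl1 from any to 172.16.0.1 keep state
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16
block in quick on rl1 all
block out quick on rl1 all
"""
RULE_RE = re.compile(  # subset of the ipf(5) grammar: no port ranges, TCP flags or options
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<log> log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?| all)"
    r"(?P<state> keep state)?$")

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        d = m.groupdict()
        rules.append({"action": d["action"], "dir": d["dir"], "iface": d["iface"], "proto": d["proto"],
                      "src": d["src"] or "any", "dst": d["dst"] or "any", "quick": bool(d["quick"]),
                      "port": int(d["port"]) if d["port"] else None, "keep_state": bool(d["state"]), "text": line.strip()})
    return rules

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def match(rules, direction, iface, proto, src, dst, dport, default="pass"):
    # ipf semantics: the LAST matching rule wins unless a matching rule says 'quick', which stops
    # evaluation there. The poster's ipf is compiled with default accept, hence default="pass".
    hit = None
    for r in rules:
        if (r["dir"] == direction and r["iface"] == iface
                and (r["proto"] is None or r["proto"] == proto)
                and _addr_ok(r["src"], src) and _addr_ok(r["dst"], dst)
                and (r["port"] is None or r["port"] == dport)):
            hit = r
            if r["quick"]:
                break
    return (hit["action"], hit["keep_state"], hit["text"]) if hit else (default, False, None)
```

Running it over an inbound SYN to port 80 on ng0 shows the pass rule with keep state being selected, while the bittorrent rule on port 55555 passes without state, which is the distinction the poster is asking about.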



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050920005221.33554ee6>