Date: Sat, 12 Jan 2002 13:26:33 -0200
From: BinarySoul <binary@b1n.org>
To: Peter Wolkerstorfer <a9203537@unet.univie.ac.at>
Cc: freebsd-questions@freebsd.org
Subject: Re: please help on 1(one) ipf rule
Message-ID: <20020112132633.E31058@b1n.org>
In-Reply-To: <3C187D20.E1901AD5@unet.univie.ac.at>; from a9203537@unet.univie.ac.at on Thu, Dec 13, 2001 at 11:04:16AM +0100
References: <3C187D20.E1901AD5@unet.univie.ac.at>
Hi Peter, I think I've found your mistake. In your first two rules:

> block return-rst in log quick on rl1 proto tcp all
> block in quick on rl1 all

you've blocked everything and it's not going further down in your rules table (look at ipmon/ipfstat to confirm that). Strip out the 'quick' option so it will only match these rules if it doesn't match any other.

I'm used to writing something like:

block in all
block out all

at the top of my firewall script, and then passing just what I need to pass.

About the SSH, I've used this so far:

pass in quick on $External_Interface proto tcp from $Trusted_Ip to $External_Ip port = 22 flags S/SA keep state

BTW, I don't use ipf, I use obsd pf (OpenBSD Packet Filter).

Peter Wolkerstorfer (a9203537@unet.univie.ac.at) wrote:
> dear listmembers,
>
> i would need some help on ipf
>
> problem:
>
> ipf firewall with ipnat won't allow to login on itself and won't allow
> outgoing traffic from itself.
>
> from the intranet (192.168.0.0/8) to the internet all works as i
> wanted.
>
> my ipf.rules is:
>
> # i have read this should be better for scans
> block return-rst in log quick on rl1 proto tcp all
>
> # i want to block all the rest with this
> block in quick on rl1 all
>
> # this is my (not working) try at making an ssh-connection to the firewall work
> pass in quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state
> pass out quick on rl0 proto tcp/udp from 192.168.0.0/8 to any keep state
>
> # the rest which seems to work
> pass out quick on rl1 proto tcp from 192.168.0.0/8 to any keep state
> pass out quick on rl1 proto udp from 192.168.0.0/8 to any keep state
> pass out quick on rl1 proto icmp from 192.168.0.0/8 to any keep state
>
> my ipnat.rules is:
>
> map rl1 192.168.0.0/24 -> 0/32
>
> i would now need one ipf rule which at least allows logging in on the
> firewall with ssh. it would be better if i could access the net from the
> firewall-console, too.
>
> THX in advance
> peter "wolki" wolkerstorfer
> p.s.: please tell me if i should have asked this in freebsd-security
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
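To make the reply's point about `quick` concrete, here is an added example (not from the thread and not ipf's own code): a toy Python model of ipf rule ordering, run over the poster's first two rules with and without `quick`, followed by a pass rule in the spirit of the reply's SSH rule. The trusted address 10.0.0.5 and the firewall address 198.51.100.1 are constructed; `keep state`, `flags S/SA`, `log`, `return-rst` and NAT are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified ipf semantics: rules are scanned top to bottom. Without 'quick'
# the LAST matching rule decides; a matching 'quick' rule ends the scan.
# When no rule matches at all, ipf's implicit default is pass.

@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool
    iface: str
    proto: Optional[str]    # None matches any protocol ("all")
    src: str                # CIDR, or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (pkt["dir"] == self.direction and pkt["iface"] == self.iface
                and (self.proto is None or pkt["proto"] == self.proto)
                and _in(pkt["src"], self.src) and _in(pkt["dst"], self.dst)
                and (self.dport is None or pkt.get("dport") == self.dport))

def _in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def evaluate(rules, pkt: dict) -> str:
    """Return the verdict ipf's ordering semantics select for pkt."""
    verdict = "pass"                 # implicit default when nothing matches
    for r in rules:
        if r.matches(pkt):
            verdict = r.action       # without quick, later matches override
            if r.quick:              # quick: stop scanning here
                break
    return verdict

# The poster's first two rules as written, and the same two without 'quick'.
POSTED = [Rule("block", "in", True, "rl1", "tcp", "any", "any"),
          Rule("block", "in", True, "rl1", None, "any", "any")]
NO_QUICK = [Rule("block", "in", False, "rl1", "tcp", "any", "any"),
            Rule("block", "in", False, "rl1", None, "any", "any")]
# Later pass rule modelled on the reply's SSH rule (constructed addresses).
SSH = Rule("pass", "in", True, "rl1", "tcp", "10.0.0.5/32", "198.51.100.1/32", 22)

SSH_PKT = {"dir": "in", "iface": "rl1", "proto": "tcp",
           "src": "10.0.0.5", "dst": "198.51.100.1", "dport": 22}
OTHER_PKT = {"dir": "in", "iface": "rl1", "proto": "tcp",
             "src": "203.0.113.9", "dst": "198.51.100.1", "dport": 22}
```

With `quick` on the two block rules the SSH packet never reaches the pass rule; without it, the pass rule is the last match and wins, while untrusted sources are still blocked.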