From owner-freebsd-security Fri Oct 6 19:15:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id F20E737B503 for ; Fri, 6 Oct 2000 19:15:33 -0700 (PDT)
Received: (qmail 12242 invoked by uid 0); 7 Oct 2000 02:15:31 -0000
Received: from p3ee2162b.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.43) by mail.gmx.net with SMTP; 7 Oct 2000 02:15:31 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA11008 for freebsd-security@FreeBSD.ORG; Fri, 6 Oct 2000 20:48:08 +0200
Date: Fri, 6 Oct 2000 20:48:07 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Default Deny
Message-ID: <20001006204807.M31338@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <39DCC1CB.5FDD7F90@allmaui.com>; from craig@allmaui.com on Thu, Oct 05, 2000 at 06:00:43PM +0000
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 05, 2000 at 18:00 +0000, Craig Cowen wrote:
>
> [ ... you reminded us of your previous post ... ]
>
> I have setup ipf with options IPFILTER_DEFAULT_BLOCK in my
> kernel. When using ipnat, I have 'pass in on (private
> interface) from 192.168.0.0/24 to any keep state' in my rules.

If this rule is a citation, you should have gotten it rejected by
ipf. As soon as you want to "keep state" you have to specify one
of the tcp / udp / icmp protocols (don't know right now if "from
IP" will work with a specified protocol, either). If this was
off your mind, please make sure you tell us about your setup
correctly; until then nobody could really help.

> I have no rules specified for the public interface.
> The boxen behind the firewall can surf.
If *this* works, I could see a chance for
- ipf not being active at all or
- ipf being absolutely open

Did you build the kernel after setting IPFILTER_DEFAULT_BLOCK (no
kidding here), did you install it, did you boot it? What does
'ipf -V' tell you? What does 'ipfstat -in; ipfstat -on' tell you?
Editing config files is one thing, loading these settings is
another. That's why one always asks the system about its vision
and not the admin about his intention. :)

Have you read the ipf howto? It's very comprehensive and helpful,
even for those not employing ipfilter. It has lots of basics,
too, and should be recommended reading for anyone setting up a
packet filter.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
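A small shell check, added here as an example and not part of the original mail, that does the two things the reply asks for: it lints an ipf rules file for "keep state" rules that name no protocol (the problem pointed out in the quoted rule), and it asks the running system with ipf -V and ipfstat what is actually loaded rather than trusting the config file. The interface name fxp1 and the sample rules file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes ipf rule syntax with
# the 'proto tcp|udp|icmp' keyword; the interface name fxp1 is constructed.

# Print every rule that says "keep state" but names no protocol,
# skipping blank and comment lines. Returns 1 if any such rule exists.
lint_keep_state() {
    bad=0
    while IFS= read -r line; do
        rule=${line%%#*}                      # drop trailing comment
        case "$rule" in
            *[![:space:]]*) ;;                # has content, keep going
            *) continue ;;                    # blank or comment-only
        esac
        case "$rule" in
            *"keep state"*)
                case "$rule" in
                    *" proto "*) ;;           # protocol given, fine
                    *) printf 'no proto: %s\n' "$rule"; bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return $bad
}

# Ask the kernel what it is actually running (the "ask the system, not
# the admin" step): version/active flag, then the loaded in/out rules.
show_active_ruleset() {
    command -v ipf >/dev/null 2>&1 || { echo "ipf not installed" >&2; return 1; }
    ipf -V
    ipfstat -in
    ipfstat -on
}

# Constructed sample: the rule as quoted in the thread, beside a
# corrected form with one rule per protocol, then the default block.
write_sample_rules() {
    cat > "$1" <<'EOF'
# as quoted in the mail: keep state with no protocol
pass in on fxp1 from 192.168.0.0/24 to any keep state
# corrected: name the protocol being tracked
pass in on fxp1 proto tcp from 192.168.0.0/24 to any keep state
pass in on fxp1 proto udp from 192.168.0.0/24 to any keep state
block in all
EOF
}

# Usage: write_sample_rules /tmp/ipf.rules; lint_keep_state /tmp/ipf.rules
```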