Date:      Fri, 6 Oct 2000 20:48:07 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Default Deny
Message-ID:  <20001006204807.M31338@speedy.gsinet>
In-Reply-To: <39DCC1CB.5FDD7F90@allmaui.com>; from craig@allmaui.com on Thu, Oct 05, 2000 at 06:00:43PM +0000
References:  <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com>

On Thu, Oct 05, 2000 at 18:00 +0000, Craig Cowen wrote:
> 
> [ ... you reminded us of your previous post ... ]
>    
> I have setup ipf with options  IPFILTER_DEFAULT_BLOCK in my
> kernel.  When using ipnat, I have 'pass in on (private
> interface) from 192.168.0.0/24 to any keep state' in my rules.

If this rule is a citation, you should have gotten it rejected by
ipf.  As soon as you want to "keep state" you have to specify one
of the tcp / udp / icmp protocols (don't know right now if "from
IP" will work with a specified protocol, either).

If this was off your mind, please make sure you tell us about
your setup correctly; until then nobody could really help.

> I have no rules specified for the public interface.
> The boxen behind the firewall can surf.

If *this* works, I could see a chance for
- ipf not being active at all or
- ipf being absolutely open

Did you build the kernel after setting IPFILTER_DEFAULT_BLOCK (no
kidding here), did you install it, did you boot it?  What does
'ipf -V' tell you?  What does 'ipfstat -in; ipfstat -on' tell
you?  Editing config files is one thing, loading these settings is
another.  That's why one always asks the system about its vision
and not the admin about his intention. :)


Have you read the ipf howto?  It's very comprehensive and
helpful, even for those not employing ipfilter.  It has lots of
basics, too, and should be recommended reading for anyone setting
up a packet filter.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
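
A worked ruleset for the kind of setup discussed above, added here as an example and not taken from the poster's configuration or from the ipf distribution: every "keep state" rule names a protocol (the point made in the reply), the default block is spelled out explicitly, and a small lint function flags any stateful rule that forgot its protocol. Interface names fxp0 (public) and fxp1 (private) are assumptions.

```shell
#!/bin/sh
# Constructed ipf ruleset; interface names fxp0/fxp1 are assumed, not the poster's.
RULES='
# IPFILTER_DEFAULT_BLOCK already drops what no rule passes; state it anyway so
# the ruleset behaves the same on a kernel built without that option
block in all
block out all
# loopback traffic is always allowed
pass in quick on lo0 all
pass out quick on lo0 all
# private side: keep state needs a protocol, so one rule per protocol
pass in quick on fxp1 proto tcp from 192.168.0.0/24 to any keep state
pass in quick on fxp1 proto udp from 192.168.0.0/24 to any keep state
pass in quick on fxp1 proto icmp from 192.168.0.0/24 to any keep state
# public side: let NATed and local traffic out statefully, replies come back via state
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
'

# The rule quoted in the thread, reproduced so the lint below has something to catch
BAD_RULE='pass in on fxp1 from 192.168.0.0/24 to any keep state'

# Print every non-comment rule that says "keep state" without a tcp/udp/icmp protocol.
# Such a rule is rejected by ipf at load time, leaving the filter in whatever state
# it was in before; catching it here avoids the "why is everything open?" surprise.
lint_keep_state() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /keep state/ && !/proto (tcp|udp|icmp)/ { print $0 }'
}

# Loading and verifying on the box itself (not run here):
#   ipf -Fa -f /etc/ipf.rules     flush and load the ruleset
#   ipf -V                        confirm the running ipf version and that it is active
#   ipfstat -in; ipfstat -on      list the inbound/outbound rules the kernel actually has
lint_keep_state "$RULES"     # prints nothing: all stateful rules carry a protocol
lint_keep_state "$BAD_RULE"  # prints the offending rule
```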

