Date: Fri, 06 Oct 2000 19:40:27 -0700
From: Craig Cowen <craig@allmaui.com>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Re: Default Deny
Message-ID: <39DE8D1B.923D86DF@allmaui.com>
References: <200010060056.LAA11152@cairo.anu.edu.au> <39DCC1CB.5FDD7F90@allmaui.com> <20001006204807.M31338@speedy.gsinet>
I appreciate your response and your questions.
Yes, I did compile and install.
You sound like me talking to my users at work.

ipf -V:
ipf: IP Filter: v3.4.8 (264)
Kernel: IP Filter: v3.4.8
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0

hopefully paranoia hasn't ruined this

ipfstat -in
@1 pass in on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32
@2 pass in on lo0 proto udp from 127.0.0.1/32 to 127.0.0.1/32
@3 pass in on lo0 proto icmp from 127.0.0.1/32 to 127.0.0.1/32
@4 block in log on xl0 proto tcp from 134.122.0.0/16 to publicinterface/32   #these 3 lines are to keep the guys at work out explicitly
@5 block in log on xl0 proto udp from 134.122.0.0/16 to publicinterface/32
@6 block in log on xl0 proto icmp from 134.122.0.0/16 to publicinterface/32
@7 block in log on xl0 proto tcp from any to publicinterface/32
@8 block in log on xl0 proto udp from any to publicinterface/32
@9 block in log on xl0 proto icmp from any to publicinterface/32
@10 pass in on xl0 proto tcp from desktop@work/32 to publicinterface/32
@11 pass in on xl0 proto udp from desktop@work/32 to publicinterface/32
@12 pass in on xl0 proto icmp from desktop@work/32 to publicinterface/32
@13 pass in on dc0 proto tcp from 192.168.1.0/24 to any keep state
@14 pass in on dc0 proto udp from 192.168.1.0/24 to any keep state
@15 pass in on dc0 proto icmp from 192.168.1.0/24 to any keep state

ipfstat -on
@1 pass out on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32
@2 pass out on lo0 proto udp from 127.0.0.1/32 to 127.0.0.1/32
@3 pass out on lo0 proto icmp from 127.0.0.1/32 to 127.0.0.1/32
@4 pass out log quick proto tcp from publicinterface/32 to any keep state   #This is necessary to allow me to surf out from my firewall box
@5 pass out log quick proto udp from publicinterface/32 to any keep state   #with these commented out I am still able to surf from inside
@6 pass out log quick proto icmp from publicinterface/32 to any keep state
@7 pass out on dc0 proto tcp from 192.168.1.0/24 to 192.168.1.0/24
@8 pass out on dc0 proto udp from 192.168.1.0/24 to 192.168.1.0/24
@9 pass out on dc0 proto icmp from 192.168.1.0/24 to 192.168.1.0/24

I use this to reload my settings after changes

#!/bin/sh
ipf -D
ipf -Fa -f /etc/ipf.conf -E
ipnat -CF -f /etc/ipnat.conf

I have read the howto, that is how I got this far.
I was a little shocked when I saw the results of being able to surf.

Thanks for your help,
Craig

Gerhard Sittig wrote:
> On Thu, Oct 05, 2000 at 18:00 +0000, Craig Cowen wrote:
> >
> > [ ... you reminded us of your previous post ... ]
> >
> > I have setup ipf with options IPFILTER_DEFAULT_BLOCK in my
> > kernel. When using ipnat, I have 'pass in on (private
> > interface) from 192.168.0.0/24 to any keep state' in my rules.
>
> If this rule is a citation, you should have gotten it rejected by
> ipf. As soon as you want to "keep state" you have to specify one
> of the tcp / udp / icmp protocols (don't know right now if "from
> IP" will work with a specified protocol, either).
>
> If this was off your mind, please make sure you tell us about
> your setup correctly, until there nobody could really help.
>
> > I have no rules specified for the public interface.
> > The boxen behind the firewall can surf.
>
> If *this* works, I could see a chance for
> - ipf not being active at all or
> - ipf being absolutely open
>
> Did you build the kernel after setting IPFILTER_DEFAULT_BLOCK (no
> kidding here), did you install it, did you boot it? What does
> 'ipf -V' tell you? What does 'ipfstat -in; ipfstat -on' tell
> you? Editing config files is one thing, loading these settings is
> another. That's why one always asks the system about its vision
> and not the admin about his intention. :)
>
> Have you read the ipf howto? It's very comprehensive and
> helpful, even for those not employing ipfilter. It has lots of
> basics, too, and should be recommended reading for anyone setting
> up a packet filter.
>
> virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
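The behaviour Craig reports (the boxes behind dc0 can surf even with the outbound xl0 rules commented out) follows from how ipf evaluates a packet: the state table is consulted first; then the rule list is walked top to bottom and the last matching rule decides, unless a matching rule says quick, which stops the walk; and a pass rule with keep state records the flow, so the forwarded packet leaving on xl0 and its reply coming back are passed by state without ever reaching the block rules. The Python below is an added example, not code from this thread or from IP Filter itself. It models just those three properties, replays the ipfstat -in / -on listing from the message (numbered as there), and leaves ports and ipnat out. The values for publicinterface and desktop@work are constructed placeholders, with desktop@work deliberately placed inside 134.122/16 so the listing's last-match behaviour (blocked by @4 and @7, then passed by @10) shows up.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the two addresses the post leaves symbolic.
PUBLIC = "198.51.100.7"          # the post's "publicinterface"
DESKTOP_AT_WORK = "134.122.9.9"  # the post's "desktop@work", deliberately inside 134.122/16
Packet = namedtuple("Packet", "direction iface proto src dst")  # direction: "in" or "out"


def addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Rule:
    action: str
    direction: str
    iface: str = "any"      # "on <iface>"; "any" when the rule names no interface
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.iface in ("any", pkt.iface)
                and self.proto in ("any", pkt.proto)
                and addr_ok(self.src, pkt.src) and addr_ok(self.dst, pkt.dst))


_KEYWORD_FIELD = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}


def parse_rule(text):
    """Parse the subset of ipf rule syntax that appears in the post."""
    toks = text.replace("publicinterface", PUBLIC).replace("desktop@work", DESKTOP_AT_WORK).split()
    rule, i = Rule(action=toks[0], direction=toks[1]), 2
    while i < len(toks):
        t = toks[i]
        if t == "log":                      # logging never changes the verdict
            i += 1
        elif t == "quick":
            rule.quick, i = True, i + 1
        elif t in _KEYWORD_FIELD:           # "on xl0", "proto tcp", "from A", "to B"
            setattr(rule, _KEYWORD_FIELD[t], toks[i + 1])
            i += 2
        elif toks[i:i + 2] == ["keep", "state"]:
            rule.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return rule


class Filter:
    """Default-deny filter: state table first, then the rule list with the last match winning."""
    def __init__(self, in_rules, out_rules):
        self.rules = {"in": [parse_rule(r) for r in in_rules], "out": [parse_rule(r) for r in out_rules]}
        self.state = set()  # flows recorded by "keep state"; ports omitted, NAT not modelled

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))  # unordered, so the reply hits the same entry

    def evaluate(self, pkt):
        """Return (verdict, reason); reason is 'state', '@N' for the deciding rule, or 'default'."""
        if self._flow(pkt) in self.state:
            return "pass", "state"
        verdict, reason, winner = "block", "default", None  # IPFILTER_DEFAULT_BLOCK
        for n, rule in enumerate(self.rules[pkt.direction], 1):
            if rule.matches(pkt):
                verdict, reason, winner = rule.action, f"@{n}", rule
                if rule.quick:                              # "quick" stops the walk at this rule
                    break
        if verdict == "pass" and winner.keep_state:
            self.state.add(self._flow(pkt))
        return verdict, reason


def per_proto(template):
    return [template.format(p=p) for p in ("tcp", "udp", "icmp")]


# The ipfstat -in / -on output from the post, numbered exactly as there (@1..@15 and @1..@9).
IN_RULES = (per_proto("pass in on lo0 proto {p} from 127.0.0.1/32 to 127.0.0.1/32")
            + per_proto("block in log on xl0 proto {p} from 134.122.0.0/16 to publicinterface/32")
            + per_proto("block in log on xl0 proto {p} from any to publicinterface/32")
            + per_proto("pass in on xl0 proto {p} from desktop@work/32 to publicinterface/32")
            + per_proto("pass in on dc0 proto {p} from 192.168.1.0/24 to any keep state"))
OUT_RULES = (per_proto("pass out on lo0 proto {p} from 127.0.0.1/32 to 127.0.0.1/32")
             + per_proto("pass out log quick proto {p} from publicinterface/32 to any keep state")
             + per_proto("pass out on dc0 proto {p} from 192.168.1.0/24 to 192.168.1.0/24"))


def demo():
    """Replay constructed packets through the posted ruleset; returns {label: (verdict, reason)}."""
    fw = Filter(IN_RULES, OUT_RULES)
    lan, www, stranger = "192.168.1.5", "203.0.113.80", "203.0.113.99"  # constructed addresses
    return {
        # desktop@work matches the block rules @4 and @7, but @10 matches later and wins: no "quick".
        "desktop": fw.evaluate(Packet("in", "xl0", "tcp", DESKTOP_AT_WORK, PUBLIC)),
        # A LAN box opens a web connection: @13 passes it and records the flow.
        "lan_out_dc0": fw.evaluate(Packet("in", "dc0", "tcp", lan, www)),
        # The same packet leaving on xl0 matches no out rule at all, yet the state entry passes it.
        "lan_out_xl0": fw.evaluate(Packet("out", "xl0", "tcp", lan, www)),
        # The reply arriving on xl0 is passed by state before the block rules are even consulted.
        "reply_in_xl0": fw.evaluate(Packet("in", "xl0", "tcp", www, lan)),
        # An unsolicited packet to the LAN box has no state and matches no rule: default deny.
        "unsolicited": fw.evaluate(Packet("in", "xl0", "tcp", stranger, lan)),
    }
```

Running demo() shows why the LAN can surf with out rules @4-@6 doing nothing for it: the inbound dc0 rules @13-@15 create state, and both the forwarded packet on xl0 and its reply are passed by that state entry, while an unsolicited packet aimed at the same LAN box falls through to the default block. It also shows the last-match rule at work: any other host in 134.122/16 that matches both @4 and @7 is blocked by @7, the later of the two, because neither block rule carries quick.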