Date:      Wed, 2 Jun 2004 23:39:50 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Randy Babb <randy@insipidity.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFILTER Rules
Message-ID:  <20040602203950.GB4054@gothmog.gr>
In-Reply-To: <20040602203750.GA4054@gothmog.gr>
References:  <1086188875.5101.29.camel@localhost> <20040602203750.GA4054@gothmog.gr>

On 2004-06-02 15:12, Randy Babb <randy@insipidity.co.uk> wrote:
> Hi,
> I'm just learning how to use IPFilter and I'm having some trouble. I
> hope someone can help me. I have a server running on my LAN I'm trying
> to set up some rules on, they are basically the same as the ones in
> Absolute BSD by Michael Lucas. The server is running two instances of
> Apache (on port 80 and 81, the latter should only be accessible from my
> machine through the LAN), a POP3 server, the SSH daemon, an FTP server
> and a proxy server (Squid).
>
> When I use these rules all my connections to the server are really slow,
> except to both instances of Apache for some reason - those are normal.
> For instance, a connection to the POP3 server would usually be
> established almost instantly, but now it takes around 80 seconds. If I
> just use the rules "pass in all" and "pass out all" it works fine, so it
> is definitely a problem with my rules.

The delay seems suspiciously like a DNS timeout.  Since you haven't
mentioned any rules to explicitly allow DNS traffic below, I assume you
don't have any.  Just add the following rules before your groups:

    pass out quick proto udp from any to any keep state
    block return-icmp-as-dest(port-unr) in log proto udp from any to any

A good place to add these would be right after your lo0 rules.

> Here are the rules:
>
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
>
> pass in quick on lo0 all
> pass out quick on lo0 all

Here...

> pass out on rl0 all head 100
> block out from 127.0.0.0/8 to any group 100
> block out from any to 127.0.0.0/8 group 100
> block out from any to 192.168.1.30 group 100
>
> block in on rl0 all head 200
>
> block in from 127.0.0.0/8 to any group 200
> block in from 192.168.1.30 to any group 200
>
> pass in quick proto tcp from any to any port = www keep state group 200
> pass in quick proto tcp from any to any port = pop3 keep state group 200
> pass in quick proto tcp from any to any port = ssh keep state group 200
> pass in quick proto tcp from any to any port = ftp keep state group 200
> pass in quick proto tcp from any to any port = 8080 keep state group 200
> pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state group 200
>
> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200
