Date: Wed, 10 Apr 2002 04:13:22 +0700
From: "Somphol B." <somphol@gits.net.th>
To: <freebsd-questions@freebsd.org>
Subject: IPFILTER
Message-ID: <011c01c1e00b$625b57a0$cc9a96cb@ple>
I am running FreeBSD 4.5-Release on a machine with 2 NICs. I have set up IPFILTER (to protect the host) with the following rules. It is fine for a few hours or sometimes a few days, then my machine was mysteriously frozen. I could ping, but couldn't ssh to the host. Logging in to the host, I couldn't even do nslookup. BTW, when the machine froze, the log does show that packets were blocked heavily.

Am I missing something obvious here?

# To reread the rules
# /sbin/ipf -Fa -f /etc/ipf.rules
#
pass in quick on lo0
pass out quick on lo0

#### allow pass out
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

#### OK allow HTTP (web)
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 80 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 80 keep state

# allow icmp echo request
pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 8 keep state
# allow icmp echo reply
pass in quick on fxp0 proto icmp from any to any icmp-type 0 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 0 keep state
# allow various icmp codes
pass in quick on fxp0 proto icmp from any to any icmp-type 3 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 3 keep state
# allow time-exceeded
pass in quick on fxp0 proto icmp from any to any icmp-type 11 keep state
pass in quick on fxp1 proto icmp from any to any icmp-type 11 keep state

### OK allow SSH
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 22 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 22 keep state

### OK allow SMTP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 25 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 25 keep state

### OK allow IMAP
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 143 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 143 keep state

### OK allow POP3
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 110 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 110 keep state

### OK allow IMAPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 993 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 993 keep state

### OK allow POPSSL
pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 995 keep state
pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 995 keep state

### OK allow active FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port = 21 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port = 21 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port = 21 keep state

### allow passive FTP (see -U for man ftpd)
### allow port 1024 - 4999 for passive FTP
pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port 1024 >< 4999 keep state
pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port 1024 >< 4999 keep state
pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port 1024 >< 4999 keep state

block in log quick proto tcp from any to any
block in log quick all

Somphol.
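An added triage example, not part of the original post: since the poster says the log shows packets being blocked heavily while the host is unresponsive, this small Python parser summarises block events from ipmon(8) output by source, interface/rule and protocol/port, which is the first thing to look at before touching the ruleset. The plain ipmon line layout shown in the comment and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample ipmon(8) lines (not from the original post), assumed plain ipmon layout:
#   date time ifname @group:rule action src,sport -> dst,dport PR proto len hlen len [flags] IN|OUT
# Action 'b' is block, 'p' is pass. Addresses are documentation ranges.
SAMPLE_LOG = """\
10/04/2002 03:58:01.120933 fxp0 @0:32 b 198.51.100.7,4123 -> 203.0.113.10,445 PR tcp len 20 48 -S IN
10/04/2002 03:58:01.240117 fxp0 @0:32 b 198.51.100.7,4124 -> 203.0.113.10,139 PR tcp len 20 48 -S IN
10/04/2002 03:58:02.002210 fxp0 @0:3 p 192.0.2.5,33012 -> 203.0.113.10,22 PR tcp len 20 60 -S IN
10/04/2002 03:58:03.551008 fxp1 @0:33 b 198.51.100.7,53 -> 203.0.113.130,1027 PR udp len 20 73 IN
10/04/2002 03:58:04.090001 fxp0 @0:32 b 203.0.113.250,1555 -> 203.0.113.10,445 PR tcp len 20 48 -S IN
10/04/2002 03:58:05.000000 fxp0 @0:32 b 198.51.100.7,4125 -> 203.0.113.10,445 PR tcp len 20 48 -S IN
"""

IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpSnL]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

def parse_ipmon(text):
    """Yield one dict per parseable ipmon line; anything else is skipped."""
    for line in text.splitlines():
        m = IPMON_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarise_blocks(text, top=5):
    """Return (total_blocked, top_sources, top_rules, top_services) for block ('b') events."""
    by_src, by_rule, by_service = Counter(), Counter(), Counter()
    total = 0
    for ev in parse_ipmon(text):
        if ev["action"] != "b":
            continue  # passed/short/nomatch events are not what we are counting
        total += 1
        by_src[ev["src"]] += 1
        by_rule[f"{ev['ifname']} @{ev['group']}:{ev['rule']}"] += 1
        by_service[f"{ev['proto']}/{ev['dport']}"] += 1
    return total, by_src.most_common(top), by_rule.most_common(top), by_service.most_common(top)

if __name__ == "__main__":
    total, srcs, rules, services = summarise_blocks(SAMPLE_LOG)
    print(f"blocked events: {total}")
    for label, rows in (("sources", srcs), ("rules", rules), ("services", services)):
        print(label + ": " + ", ".join(f"{k}={n}" for k, n in rows))
```

Feed it the real ipmon log (or syslog output with the syslog prefix stripped) to see whether the blocking is one host hammering one port or a broad flood, which points at very different remedies.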