Date:      Tue, 9 Apr 2002 17:24:17 -0400
From:      Donnie Jones <donniejones18@yahoo.com>
To:        "Somphol B." <somphol@gits.net.th>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFILTER
Message-ID:  <20020409172417.08ae3465.donniejones18@yahoo.com>
In-Reply-To: <011c01c1e00b$625b57a0$cc9a96cb@ple>
References:  <011c01c1e00b$625b57a0$cc9a96cb@ple>


Go to http://www.darthik.com, there is an IP NAT howto there under FreeBSD.

It has example ipf.rules, ipnat.rules, and ipfw.rules.  I think you'll find it very helpful.

Also, if I were you I would separate your ipf configuration by device.  Have the beginning be only about fxp0 and then the next section only concerning fxp1, that way it isn't all jumbled.  Kinda confusing for me to look at... Just a suggestion.

Good luck,

-Donnie
http://www.darthik.com

On Wed, 10 Apr 2002 04:13:22 +0700
"Somphol B." <somphol@gits.net.th> wrote:

> I am running FreeBSD 4.5-Release on a machine with 2 NICs.  I have set up the IPFILTER (to protect the host) with the following rules.  It is fine for a few hours or sometimes a few days, then my machine was mysteriously frozen.  I could ping, but couldn't ssh to the host.  Logging in to the host, I couldn't even do nslookup.  BTW, when the machine froze, the log does show that packets were blocked heavily.
> 
> Am I missing something obvious here?
>    
> # To reread the rules
> # /sbin/ipf -Fa -f /etc/ipf.rules
> #
> pass in quick on lo0
> pass out quick on lo0
> 
> #### allow pass out
> pass out quick proto tcp all keep state
> pass out quick proto udp all keep state
> pass out quick proto icmp all keep state
> 
> #### OK allow HTTP (web)
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 80 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 80 keep state
> 
> # allow icmp echo request
> pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
> pass in quick on fxp1 proto icmp from any to any icmp-type 8 keep state
> # allow icmp echo reply
> pass in quick on fxp0 proto icmp from any to any icmp-type 0 keep state
> pass in quick on fxp1 proto icmp from any to any icmp-type 0 keep state
> # allow various icmp codes
> pass in quick on fxp0 proto icmp from any to any icmp-type 3 keep state
> pass in quick on fxp1 proto icmp from any to any icmp-type 3 keep state
> # allow time-exceeded
> pass in quick on fxp0 proto icmp from any to any icmp-type 11 keep state
> pass in quick on fxp1 proto icmp from any to any icmp-type 11 keep state
> 
> ### OK allow SSH
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 22 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 22 keep state
> 
> ### OK allow SMTP
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 25 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 25 keep state
> 
> ### OK allow IMAP
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 143 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 143 keep state
> 
> ### OK allow POP3
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 110 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 110 keep state
> 
> ### OK allow IMAPSSL
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 993 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 993 keep state
> ### OK allow POPSSL
> pass in quick on fxp0 proto tcp from any to x.x.x.x/26 port = 995 keep state
> pass in quick on fxp1 proto tcp from any to x.x.x.x/25 port = 995 keep state
> 
> ### OK allow active FTP
> pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port = 21 keep state
> pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port = 21 keep state
> pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port = 21 keep state
> pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port = 21 keep state
> 
> ### allow passive FTP (see -U for man ftpd)
> ### allow port 1024 - 4999 for passive FTP
> pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
> ### allow passive FTP (see -U for man ftpd)
> ### allow port 1024 - 4999 for passive FTP
> pass in quick on fxp0 proto tcp from x.x.x.x/25 to x.x.x.x/26 port 1024 >< 4999 keep state
> pass in quick on fxp1 proto tcp from x.x.x.x/25 to x.x.x.x/25 port 1024 >< 4999 keep state
> pass in quick on fxp0 proto tcp from x.x.x.x/26 to x.x.x.x/26 port 1024 >< 4999 keep state
> pass in quick on fxp1 proto tcp from x.x.x.x/26 to x.x.x.x/25 port 1024 >< 4999 keep state
> 
> block in log quick proto tcp from any to any
> block in log quick all
> 
> Somphol.
> 
> 
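As an added example that is not part of either message in this thread: a short Python script that reads rules in the ipf.rules format Somphol posted, groups them by interface as Donnie suggests, lists the inbound TCP ports each interface passes, and reports any rule that appears more than once (the fxp0 passive-FTP rule is listed twice above). The networks in the embedded sample are constructed from the 192.0.2.0/24 documentation range and stand in for the x.x.x.x addresses in the post.

```python
"""Audit an ipf.rules file: group pass-in rules by interface, find duplicates."""
import re
from collections import defaultdict

# Constructed sample in the same format as the posted ipf.rules (not the
# original file; 192.0.2.x stands in for the x.x.x.x networks in the post).
SAMPLE_RULES = """\
# allow HTTP and SSH
pass in quick on fxp0 proto tcp from any to 192.0.2.0/26 port = 80 keep state
pass in quick on fxp1 proto tcp from any to 192.0.2.128/25 port = 80 keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.0/26 port = 22 keep state
# passive FTP range, accidentally listed twice
pass in quick on fxp0 proto tcp from 192.0.2.128/25 to 192.0.2.0/26 port 1024 >< 4999 keep state
pass in quick on fxp0 proto tcp from 192.0.2.128/25 to 192.0.2.0/26 port 1024 >< 4999 keep state
block in log quick all
"""

RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)$")
IFACE_RE = re.compile(r"\bon\s+(?P<iface>\S+)")
# "port = 80" or the ipf range form "port 1024 >< 4999"
PORT_RE = re.compile(r"\bport\s+(?:=\s*(?P<eq>\d+)|(?P<lo>\d+)\s*><\s*(?P<hi>\d+))")


def parse_rules(text):
    """Return (action, direction, iface, port_spec, raw_line) per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = RULE_RE.match(line)
        if not m:
            continue  # not a pass/block rule (e.g. a nat line)
        rest = m.group("rest")
        ifm = IFACE_RE.search(rest)
        iface = ifm.group("iface") if ifm else "any"  # no "on <if>" clause
        pm = PORT_RE.search(rest)
        if pm is None:
            port = None
        elif pm.group("eq"):
            port = pm.group("eq")
        else:
            port = f"{pm.group('lo')}-{pm.group('hi')}"
        rules.append((m.group("action"), m.group("dir"), iface, port, line))
    return rules


def inbound_ports_by_iface(rules):
    """Map each interface to the sorted port specs it passes inbound."""
    ports = defaultdict(set)
    for action, direction, iface, port, _ in rules:
        if action == "pass" and direction == "in" and port:
            ports[iface].add(port)
    return {i: sorted(p, key=lambda s: int(s.split("-")[0])) for i, p in ports.items()}


def duplicate_rules(rules):
    """Return rule lines that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for *_, raw in rules:
        if raw in seen and raw not in dups:
            dups.append(raw)
        seen.add(raw)
    return dups
```

Run it on a real /etc/ipf.rules by replacing SAMPLE_RULES with the file's contents; the per-interface port listing is the overview Donnie is asking for.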
