Date: Sun, 17 Aug 2003 15:29:42 -0700
From: Mark Woodson <mwoodson@sricrm.com>
To: "geek" <geek@netcabo.pt>, <FreeBSD-questions@FreeBSD.org>
Subject: Re: [JunkMail] IPF & DHCP request
Message-ID: <5.2.1.1.0.20030817143515.01904f90@pop3.sricrm.com>
In-Reply-To: <2305CFC39C15AA4896E06E5C91C509EF03743862@VS2.hdi.tvcabo>

At 09:29 PM 8/17/2003 +0100, geek wrote:
>Hey guys, can u please post (who have) rules with DHCP involved?! because,
>i'm in trouble, my firewall doesn't work because my ipf.rules doesn't
>work and i don't know why!!
>
>When i put in rules "pass in/out all" i have access to the internet,
>otherwise, with my rules i don't, and i have changed them so many times, and
>they didn't work anyway, if anyone can help me:
>
>block in log all
>block out log all

This should be at the end. It's organizationally easiest if you break it up by interface. I think it is overly restrictive additionally.

>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass in quick on ep0 all
>pass out quick on ep0 all
>
>
>#Allow internal traffic to outside world
>pass out quick on ep1 proto tcp all keep state
>pass out quick on ep1 proto udp all keep stateuic
>pass out quick on ep1 proto icmp all keep state
>
>
>#Allow traffic from outside
>#DNS
>pass in quick on ep1 proto udp from any to any port = 53 keep state

This really isn't necessary. You've allowed responses to queries by the pass out on the interface above.

>#DHC# [dhclient]
>pass in quick on ep1 proto udp from any to any port = 68 keep state keep
>fragsP

keep frags is really unnecessary.

I'd recommend the howto at this address.
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html

-Mark
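
The ruleset from the thread, regrouped by interface along the lines the reply suggests. This is an added example, not rules posted by either participant. It assumes ep0 is the internal interface and ep1 is the external interface running dhclient, and the source-port match on the DHCP rule is an added tightening.

```conf
# Added example: the thread's ruleset reorganised per interface.
# Assumptions: ep0 = internal LAN, ep1 = external link running dhclient.

# lo0: loopback
pass in  quick on lo0 all
pass out quick on lo0 all

# ep0: internal interface (assumed trusted)
pass in  quick on ep0 all
pass out quick on ep0 all

# ep1 outbound: "keep state" records each flow, and replies are matched
# against the state table, so DNS answers need no inbound port 53 rule.
pass out quick on ep1 proto tcp  all keep state
pass out quick on ep1 proto udp  all keep state
pass out quick on ep1 proto icmp all keep state

# ep1 inbound: DHCP replies to dhclient, without "keep frags".
# Added tightening: only accept packets sent from the server port (67).
pass in quick on ep1 proto udp from any port = 67 to any port = 68 keep state

# Default: log and drop anything no rule above passed.
block in  log all
block out log all
```

`ipf -n -f <rules file>` parses the file without loading it, which surfaces syntax errors before the rules go live; `ipf -Fa -f <rules file>` then flushes and loads it, and `ipfstat -io` lists the active rules.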