Date:      Wed, 15 Feb 2006 18:12:57 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Erik Norgaard <norgaard@locolomo.org>
Cc:        fbsd_user@a1poweruser.com, Maxim Vetrov <muxas@mail.ru>, chris@i13i.com, freebsd-questions@freebsd.org
Subject:   Re: IPFILTER rule error
Message-ID:  <20060215161257.GC23414@flame.pc>
Resent-Message-ID: <20060215162307.GA23575@flame.pc>
In-Reply-To: <43F34782.60300@locolomo.org>
References:  <MIEPLLIBMLEEABPDBIEGGEDJHNAA.fbsd_user@a1poweruser.com> <43F3B343.5070802@mail.ru> <43F34782.60300@locolomo.org>

On 2006-02-15 16:23, Erik Norgaard <norgaard@locolomo.org> wrote:
> Maxim Vetrov wrote:
> >################################################################################
> >#              Internal interface #1 - rl0 (10.0.1.0/29)
> >#
> >################################################################################
> >
> >#%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%%
> >block in log on rl0 all head 20
> >block out log on rl0 all head 25
> >#%%%%%%%%%%%%%%%%% Allow Sun RPC incoming calls %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> >pass in quick on rl0 \
> >  proto tcp/udp from any to any port = sunrpc keep state group 20
> >pass in quick on rl0 \
> >  proto tcp/udp from any to any port = 717 keep state group 20
> ># the next line raises the error when uncommented
> >#pass out quick on rl0 \
> >#  proto udp from any to any port = 111 keep state group 20
>
> I think someone else already pointed at this: you try to add a rule for
> outbound traffic to the inbound group in the offending line. Try correcting
> it to group 25.

That's true.  I did post the relevant message:

    Date: Tue, 14 Feb 2006 17:13:33 +0200
    From: Giorgos Keramidas <keramida@ceid.upatras.gr>
    Subject: Re: IPFILTER rule error
    To: Maxim Vetrov <muxas@mail.ru>
    Cc: norgaard@locolomo.org, chris@i13i.com

    [...]

    Note that you have only set up a group numbered '25' for outgoing
    traffic, but then attempt to add a rule to an outgoing group of '20'.
    This is the cause of the error you're seeing.

    This ruleset should work fine:

    #   block in log on rl0 all head 20
    #   block out log on rl0 all head 25
    #
    #   pass in quick on rl0 \
    #     proto tcp/udp from any to any port = sunrpc keep state group 20
    #   pass in quick on rl0 \
    #     proto tcp/udp from any to any port = 717 keep state group 20
    #   pass out quick on rl0 \
    #     proto udp from any to any port = 111 keep state group 25

    [...]
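A small consistency checker for the error discussed in this thread, added here as an example (it is not code from the thread or from ipfilter): it parses an ipf ruleset and flags any `group N` reference whose rule direction differs from the `head N` rule that opened the group, which is exactly what the poster's `pass out ... group 20` against an `in` head triggers. The ruleset string is copied from the thread; the checker and its helper names are assumptions.

```python
import re
# Constructed copy of the thread's ruleset with the offending line uncommented.
# The checker is an assumption written for this example; it is not part of ipf.
BROKEN_RULESET = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \\
  proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \\
  proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \\
  proto udp from any to any port = 111 keep state group 20
"""
# Corrected version: the outbound rule joins the outbound head group 25.
FIXED_RULESET = BROKEN_RULESET.replace("port = 111 keep state group 20",
                                       "port = 111 keep state group 25")

def parse_rules(text):
    """Drop comments and blank lines; merge backslash-continued lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rules.append(pending + line)
        pending = ""
    return rules

def direction_of(rule):  # ipf puts 'in' or 'out' right after the action
    return next(t for t in rule.split() if t in ("in", "out"))

def check_groups(text):
    """Return problems; [] means each 'group N' matches a 'head N' of the same direction."""
    rules = parse_rules(text)
    heads = {}  # group number -> direction of the head rule that opened it
    for r in rules:
        m = re.search(r"\bhead\s+(\d+)\b", r)
        if m:
            heads[m.group(1)] = direction_of(r)
    problems = []
    for r in rules:
        m = re.search(r"\bgroup\s+(\d+)\b", r)
        if m and m.group(1) not in heads:
            problems.append(f"group {m.group(1)} has no head rule: {r}")
        elif m and heads[m.group(1)] != direction_of(r):
            problems.append(f"{direction_of(r)} rule in {heads[m.group(1)]} group {m.group(1)}: {r}")
    return problems
```

Running `check_groups` over the broken ruleset reports the single `out` rule placed in the `in` group 20; the corrected ruleset reports nothing.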
