From owner-freebsd-questions@FreeBSD.ORG Thu Mar 1 13:53:24 2007
Message-ID: <6207f7d90703010553t745460aap9cdc3f8a03ffaf69@mail.gmail.com>
Date: Thu, 1 Mar 2007 08:53:11 -0500
From: "Don Munyak"
To: "FreeBSD Questions"
Subject: IPF (ftp - pkg_add) help requested

I am building a FreeBSD box to function as a FAMP server (LAMP) and hopefully replace our existing mail server. I am having an issue with IPF that I can't seem to figure out.

*** When IPF is enabled, I can't run # pkg_add -r.

{...snip from local console..}
p0069# pkg_add -rv bash
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz: Network is unreachable
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/bash.tbz' by URL
pkg_add: 1 package addition(s) failed
{...end-snip..}

*** When I disable ipf -D, all works fine.

IPF was compiled in the kernel when I did a buildworld.

p0069# uname -a
FreeBSD p0069.bm.local 6.1-RELEASE-p12 FreeBSD 6.1-RELEASE-p12 #0: Thu Feb 8 13:55:26 EST 2007 don@p0069.bm.local:/usr/obj/usr/src/sys/WEBSERVER i386
p0069#

When I issue ipfstat -ho, after pkg_add -r, the following lines increment:
- pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
- pass out quick on em0 proto udp from any to any port = 53 keep state
- block out log first quick on em0 all

# ----------
# /etc/ipf.rules
# logged to /var/log/firewall.log
# 02/28/2007
# ----------

# ------------------
# EGRESS filtering
# ------------------

# No restriction on Loopback Adapter
pass in quick on lo0 all
pass out quick on lo0 all

# DHCP Bootp
# pass out quick on em0 proto udp from any to any port = 67 keep state
# pass out quick on em0 proto udp from any to any port = 68 keep state

# ICMP
pass out quick on em0 proto icmp from any to any keep state

# Allow out http
pass out quick on em0 proto tcp from any to any port = 80 flags S keep state
pass out quick on em0 proto tcp from any to any port = 443 flags S keep state

# Allow ftp out
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state

# Allow mail out
pass out quick on em0 proto tcp from any to any port = 110 flags S keep state
pass out quick on em0 proto tcp from any to any port = 143 flags S keep state
pass out quick on em0 proto tcp from any to any port = 25 flags S keep state

# Allow SSH Out
pass out quick on em0 proto tcp from any to any port = 22 flags S keep state

# Allow DNS
pass out quick on em0 proto udp from any to any port = 53 keep state
pass out quick on em0 proto tcp from any to any port = 53 flags S keep state

# Allow CVSUP
pass out quick on em0 proto tcp from any to any port = 5999 flags S keep state

# Keeping time
pass out quick on em0 proto tcp from any to any port = 37 flags S keep state
pass out quick on em0 proto tcp from any to any port = 123 flags S keep state

# Allow whois
pass out quick on em0 proto tcp from any to any port = 43 flags S keep state

# Razor & SpamAssassin
# more later

# Block and Log the first occurrence of everything else
block out log first quick on em0 all

# -------------------------
# INGRESS Filtering
# ------------------------

# Block all inbound traffic from non-routable or reserved networks
# block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/8 to any
block in quick on em0 from 169.254.0.0/16 to any
# block in quick on em0 from 192.0.2.0/24 to any
block in quick on em0 from 204.153.64.0/23 to any
block in quick on em0 from 224.0.0.0/3 to any

# Block in Nasties
# stuff I don't want logged
block in quick on em0 proto icmp all icmp-type 8
block in quick on em0 all with frags
block in quick on em0 all with ipopts
block in quick on em0 all with short
# block return-rst in quick on em0 proto tcp all flags FUP
# block return-rst in quick on em0 proto tcp from any to any
# block return-icmp-as-dest(port-unr) in quick on em0 proto udp from any to any

# Block all Netbios server. 137=name, 138=datagram, 139=session
block in log first quick on em0 proto tcp/udp from any to any port = 137
block in log first quick on em0 proto tcp/udp from any to any port = 138
block in log first quick on em0 proto tcp/udp from any to any port = 139
block in log first quick on em0 proto tcp/udp from any to any port = 81

# Allow in http/https
pass in quick on em0 proto tcp from any to any port = 80 flags S keep state
pass in quick on em0 proto tcp from any to any port = 443 flags S keep state

# allow incoming SSH
pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

# SMTP/POP/IMAP
pass in quick on em0 proto tcp from any to any port = 25 flags S keep state
pass in quick on em0 proto tcp from any to any port = 110 flags S keep state
pass in quick on em0 proto tcp from any to any port = 143 flags S keep state

# Anti-Virus
# more later

# All the rest
block in log first quick on em0 all

# --------- EOF ------------

TIA,
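The counters in the post already point at the cause: in passive mode, pkg_add opens the control connection to port 21 (the `port = 21` rule increments), then opens a second outbound connection to whatever high port the server names in its PASV reply, and that SYN matches nothing but the final `block out log first quick on em0 all`, which is the "Network is unreachable" the socket sees. To make that mechanical, here is an added example (mine, not from the post and not IPFilter code): a small Python model of ipf's rule-matching order, run over the FTP-related egress rules from the post and over the same rules with one `port > 1023` pass rule added ahead of the final block. The parser, `Packet`/`Rule` types, `evaluate()` and `verdict()` are hypothetical helpers that understand only the rule subset used here; the host addresses and the PASV port 49321 are constructed.

```python
"""Mini evaluator for the subset of IPFilter rule syntax used in the post.
Added example, not ipf's own code: it reproduces ipf's matching order (a
matching 'quick' rule ends the search, otherwise the last match wins, and
an unmatched packet passes).  'keep state' is not modelled: only the first
packet of a connection (the SYN) is classified, which is what decides
whether the connection can be opened at all."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str              # e.g. "em0"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # destination port, 0 for icmp
    syn_only: bool = True   # a bare SYN, which is what ipf 'flags S' matches

@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]    # None = any ("all"); "tcp/udp" = either
    src: Optional[ipaddress.IPv4Network]   # None = "any"
    dst: Optional[ipaddress.IPv4Network]
    port_op: Optional[str]  # "=" or ">", the only comparators handled here
    port: Optional[int]
    flags_s: bool
    text: str

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or p.proto in self.proto.split("/"))
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and (self.port_op != "=" or p.dport == self.port)
                and (self.port_op != ">" or p.dport > self.port)
                and (not self.flags_s or (p.proto == "tcp" and p.syn_only)))

def _addr(s):
    return None if s == "any" else ipaddress.ip_network(s, strict=False)

def parse_rule(line: str) -> Rule:
    tok, i = line.split(), 2          # tok[0] = action, tok[1] = direction

    def take(*words):                 # consume the next token if it is one of words
        nonlocal i
        if i < len(tok) and tok[i] in words:
            i += 1
            return True
        return False

    if take("log"): take("first")     # logging does not affect the match
    quick = take("quick")
    iface = proto = src = dst = port_op = port = None
    if take("on"): iface = tok[i]; i += 1
    if take("proto"): proto = tok[i]; i += 1
    if not take("all"):               # else: from SRC to DST [port OP N]
        take("from"); src = _addr(tok[i]); i += 1
        take("to"); dst = _addr(tok[i]); i += 1
        if take("port"): port_op, port = tok[i], int(tok[i + 1]); i += 2
    flags_s = False
    while i < len(tok):
        if take("flags"): flags_s = tok[i] == "S"; i += 1
        elif take("keep"): i += 1     # "keep state", see module docstring
        else: raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    return Rule(tok[0], tok[1], quick, iface, proto, src, dst, port_op, port, flags_s, line)

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Rule that decides p; None means nothing matched (ipf then passes it)."""
    last = None
    for r in rules:
        if r.matches(p):
            if r.quick:
                return r
            last = r
    return last

def verdict(rules: List[Rule], p: Packet) -> str:
    r = evaluate(rules, p)
    return r.action if r else "pass"

# Egress rules relevant to FTP, copied from the post's /etc/ipf.rules.
POSTED_EGRESS = """
pass out quick on em0 proto tcp from any to any port = 20 flags S keep state
pass out quick on em0 proto tcp from any to any port = 21 flags S keep state
pass out quick on em0 proto udp from any to any port = 53 keep state
block out log first quick on em0 all
"""
# The same rules with one added ahead of the final block, so this host may
# open the PASV data connection to the server's ephemeral port.
FIXED_EGRESS = POSTED_EGRESS.replace(
    "block out log first quick on em0 all",
    "pass out quick on em0 proto tcp from any to any port > 1023 flags S keep state\n"
    "block out log first quick on em0 all")

# Constructed packets (documentation-range addresses, 49321 is a made-up PASV
# port): the SYN of the control connection and the SYN of the data connection.
CONTROL_SYN = Packet("out", "em0", "tcp", "198.51.100.10", "203.0.113.5", 21)
DATA_SYN = Packet("out", "em0", "tcp", "198.51.100.10", "203.0.113.5", 49321)
```

`verdict(parse_ruleset(POSTED_EGRESS), DATA_SYN)` returns "block" and `evaluate()` names `block out log first quick on em0 all`, the same rule whose ipfstat -ho counter the post shows incrementing; with FIXED_EGRESS the data SYN passes while everything else is unchanged. Two caveats before copying the fix: `port > 1023 flags S keep state` lets this box open any high port outbound, which is wider than most egress policies for a mail and web server want, and the tighter alternative is ipf's own FTP proxy (the `proxy port ftp ftp/tcp` map in ipnat), which reads the PASV reply and opens only the negotiated port. Switching pkg_add to active mode is not a better trade, since the server would then have to connect in from port 20 to a high port on this host, which needs an inbound pass rule instead.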