Date: Thu, 13 Dec 2001 17:48:00 +0100 (CET)
From: Fabrizio Ravazzini <freefabri@yahoo.it>
To: john@day-light.com
Cc: freebsd-isp@freebsd.org
Subject: RE: Ipf & Bridging ???
Message-ID: <20011213164800.67963.qmail@web20102.mail.yahoo.com>
In-Reply-To: <000501c183f2$4c5ef3a0$1505010a@daylight.net>
Hello, thanks for the help. ipf is installed in the kernel I compiled:

options IPFILTER
options IPFILTER_LOG

There's also ipfilter_enable="YES" in my rc.conf. In /etc/ipf.rules:

pass in all
pass out all
block in quick on rl0 from any to any

Then if I type:

ipf -Fa -f /path/to/rules/ipf.rules -E

I get the output:

IP Filter: already initialized
IP Filter: already initialized

But there is still the problem. Can you help me?

--- John Brooks <john@day-light.com> wrote:
> Did you reload the ruleset and flush out the old rules? The default
> setting is to pass all.
>
> ipf -Fa -f /path/to/rules/ipf.rules -E
>
> Another thing to check would be if you enabled ipf with a kernel
> recompile; it's not turned on in the default kernel.
>
> Then check if you enabled ipf in /etc/rc.conf:
>
> ipfilter_enable="YES"
>
> Also remember that in ipf the LAST matching rule wins, so if your
> blocking rule is at the end of the ruleset and you have a pass rule with
> the "quick" keyword before it that matches, the packet will never reach
> the blocking rule.
>
> HTH
>
> --
> John Brooks
> Email: john@stlbsd.org
>
>
> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG
> [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Fabrizio Ravazzini
> Sent: Thursday, December 13, 2001 10:07 AM
> To: freebsd-isp@freebsd.org
> Subject: Ipf & Bridging ???
>
>
> Hello all, I've built a bridge between the Internet and my DMZ:
>
>     Internet
>        |
>        |
>   Cisco Router
>        |
>        |
>        |rl0
>   FreeBSD 4.3
>     Bridge
>        |rl1
>        |
>     HUB----DMZ
>
> The bridge works very well; for example, from the DMZ the servers in it
> can "see" the Internet, and from the Internet I can "see" the servers in
> the DMZ (public IPs).
> The problem is with ipf.
> If, for example, we put a simple rule in /etc/ipf.rules like this:
>
> block in quick on rl0
>
> in order to block all the traffic going to the DMZ, it happens that
> packets originating from the Internet bypass my bridge/firewall!
> If you ping the bridge itself, for example, they are blocked, but if you
> ping a machine in the DMZ it responds! arghhh..
> I tried to put in the rules for the bridge found in the IPFilter-based
> firewalls howto, but they didn't work.
> Any idea?
> Isn't ipfilter supported under FreeBSD?
> Do I have to use ipfw?
> Many thanks all,
> bye
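The rule-ordering semantics John Brooks describes in the quoted reply (rules are evaluated top to bottom, the last matching rule wins, and a matching rule with `quick` ends evaluation immediately) are easy to get wrong when reading a ruleset. The following is an added example, not code from the thread or from the ipf project: a small Python model of that evaluation over a subset of the ipf rule grammar (pass/block, in/out, quick, on <iface>, all or from/to, no protocols or ports), run against the three-line ruleset posted above and against the quick-pass-before-block pitfall from the reply. Interface names, addresses and packets are constructed for the example. It models rule order only, not where in the stack a bridged frame is or is not seen by ipf, which is the open question in the thread.

```python
"""Toy model of IP Filter (ipf) rule evaluation order.

Added example for the thread above, not ipf's own code. Semantics modelled:
  * rules are evaluated in order; the LAST matching rule decides;
  * a matching rule carrying ``quick`` decides immediately and stops;
  * if nothing matches the default is to pass.
Only a small subset of the ipf rule grammar is parsed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on, e.g. "rl0"
    src: str         # source address (constructed values in the demo)
    dst: str         # destination address


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool             # True if the rule ends evaluation when it matches
    iface: Optional[str]    # None: any interface
    src: str                # "any" or a single address
    dst: str


# Subset grammar: <action> <dir> [quick] [on <iface>] (all | from <src> to <dst>)
# An omitted address part is treated here like ``all`` (toy simplification).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"\s*(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))?\s*$"
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax in this toy: {line!r}")
    return Rule(
        action=m["action"],
        direction=m["dir"],
        quick=m["quick"] is not None,
        iface=m["iface"],
        src=m["src"] or "any",
        dst=m["dst"] or "any",
    )


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a ruleset; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Return 'pass' or 'block' for pkt following ipf evaluation order."""
    verdict = "pass"                 # default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action    # later matches override earlier ones
            if rule.quick:           # quick: stop, later rules are never seen
                break
    return verdict


# Ruleset from the reply above: the quick block rule is last, so anything
# inbound on rl0 is blocked while outbound traffic and rl1 traffic pass.
POSTED_RULES = """
pass in all
pass out all
block in quick on rl0 from any to any
"""

# Pitfall from the quoted reply: a quick pass rule placed before the block
# rule ends evaluation, so the block rule is never reached.
PITFALL_RULES = """
pass in quick on rl0 all
block in on rl0 all
"""


def demo() -> dict:
    """Verdicts for constructed packets (addresses from RFC 5737 test nets)."""
    inbound_rl0 = Packet("in", "rl0", "203.0.113.5", "198.51.100.10")
    inbound_rl1 = Packet("in", "rl1", "198.51.100.10", "203.0.113.5")
    outbound_rl0 = Packet("out", "rl0", "198.51.100.10", "203.0.113.5")
    posted = parse_ruleset(POSTED_RULES)
    pitfall = parse_ruleset(PITFALL_RULES)
    return {
        "posted/in rl0": decide(posted, inbound_rl0),      # block
        "posted/in rl1": decide(posted, inbound_rl1),      # pass
        "posted/out rl0": decide(posted, outbound_rl0),    # pass
        "pitfall/in rl0": decide(pitfall, inbound_rl0),    # pass (quick wins)
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} -> {v}")
```

Swapping the two lines of `PITFALL_RULES` (block first, quick pass second) still passes the packet, and removing `quick` from both makes the last line decide; that is the difference between "last match wins" and "quick match wins" that the reply is warning about.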