From: Randy Babb
To: FreeBSD Questions
Date: Wed, 02 Jun 2004 15:12:20 +0000
Subject: IPFILTER Rules
Message-Id: <1086188875.5101.29.camel@localhost>

Hi,

I'm just learning how to use IPFilter and I'm having some trouble. I hope someone can help me.

I have a server running on my LAN that I'm trying to set up some rules on; they are basically the same as the ones in Absolute BSD by Michael Lucas. The server is running two instances of Apache (on ports 80 and 81, the latter should only be accessible from my machine through the LAN), a POP3 server, the SSH daemon, an FTP server and a proxy server (Squid).
When I use these rules all my connections to the server are really slow, except to both instances of Apache for some reason - those are normal. For instance, a connection to the POP3 server would usually be established almost instantly, but now it takes around 80 seconds. If I just use the rules "pass in all" and "pass out all" it works fine, so it is definitely a problem with my rules.

Here are the rules:

block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 192.168.1.30 group 100
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.30 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = ftp keep state group 200
pass in quick proto tcp from any to any port = 8080 keep state group 200
pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200

That last "group 200" is on the end of the previous line; it has just been wrapped in my email client.

Thanks,
Randy
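An added example, not part of Randy's post or of the Absolute BSD ruleset: the same rules with `keep state` added to the outbound group, which is the first thing worth checking when only daemons that make their own connections back to the client are slow. When the server itself starts a lookup (a reverse DNS query over UDP 53, or an ident query to TCP 113, both of which POP3, SSH and FTP daemons commonly do while Apache does not by default), the original `pass out` rules let the request leave, but the reply comes back in on rl0 with no state entry to match, falls into the `block in` group and is dropped, so the daemon sits waiting for a timeout. It assumes 192.168.1.30 is the server's own address (taken from the anti-spoof rules); the inbound group is unchanged.

```conf
# Sanity checks and loopback, unchanged from the original ruleset
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound group 100. The anti-spoof blocks are made "quick" so that the
# state-keeping pass rules added below can never override them (IPFilter
# otherwise lets the last matching non-quick rule decide).
pass out on rl0 all head 100
block out quick from 127.0.0.0/8 to any group 100
block out quick from any to 127.0.0.0/8 group 100
block out quick from any to 192.168.1.30 group 100

# Added: any connection the server (assumed to be 192.168.1.30) starts itself
# gets a state entry, so the reply is matched against the state table and
# never reaches "block in on rl0 all head 200". This covers DNS (UDP 53),
# ident/auth (TCP 113) and active-mode FTP data connections from port 20.
pass out quick proto tcp from 192.168.1.30 to any keep state group 100
pass out quick proto udp from 192.168.1.30 to any keep state group 100

# Inbound group 200, unchanged: only the listed services are reachable
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.30 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = ftp keep state group 200
pass in quick proto tcp from any to any port = 8080 keep state group 200
pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
```

After loading the file with `ipf -Fa -f <file>`, `ipfstat -sl` lists the active state entries; a POP3 login should now show an outbound UDP 53 or TCP 113 entry appearing and the connection completing without the long pause.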