Date: Tue, 25 Apr 2006 22:40:08 -0400
From: "Bradford Fisher" <bfisher@affidavitmaker.com>
To: <freebsd-questions@freebsd.org>
Subject: IP Filter
Message-ID: <53599B87179DE947A3F8E90550BA89296C14@amserver.AffidavitMaker.local>
Recently I acquired Michael Lucas's Absolute BSD. And while it was written for FreeBSD version 4.x, I figured that I would follow along with it in hopes that I could apply some of his discussed topics to my FreeBSD 6.0 setup as I began learning about the operating system and the administration of a webserver.

However, upon entering the section regarding IP Filter, I have come across a couple of differences and had some trouble. The differences lie with how IP Filter was implemented. Where Lucas discussed compiling IP Filter directly into the kernel, the handbook mentioned the pre-compiled version of IP Filter in the base operating system and how to enable it through rc.conf. (I have tried both and now believe that the error is not in how I enabled IP Filter, but in the rules themselves.)

Currently, I have FreeBSD 6.0 p7 running with the GENERIC kernel. In rc.conf, I have set the options:

    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-Ds"

I then proceeded to configure /etc/ipf.rules as follows:

    # IP Filter Rules File
    # Block Garbage
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short

    # System Loopback Interface
    pass in quick on lo0 all
    pass out quick on lo0 all

    # Outbound Traffic
    pass out on vr0 all head 100
    block out from 127.0.0.0/8 to any group 100
    block out from any to 127.0.0.0/8 group 100
    block out from any to my.ip.address/32 group 100

    # Inbound Traffic
    block in on vr0 from any to any head 200
    block in from 127.0.0.0/8 to any group 200
    block in from 192.168.254.50/32 to any group 200
    pass in quick proto tcp from any to any port = www keep state group 200
    pass in quick proto tcp from any to any port = pop3 keep state group 200
    pass in quick proto tcp from any to any port = smtp keep state group 200
    pass in quick proto tcp from any to any port = 22 keep state group 200
    block return-rst in log proto tcp from any to any flags S/SA group 200
    block return-icmp(net-unr) in proto udp all group 200

(I have also added flags S/SA to the SSH rule, with no luck.)

---

As I do not have a webserver installed and configured at this time, nor a mailer daemon configured, I have not tested the www, pop3, or smtp rules yet, but I do use SSH frequently and have found that with the above ruleset enabled, I cannot get connected. The weird part is that when I open the SSH client, I get a prompt for my username, but after sending the username, my connection times out before receiving the second prompt for my password (this does not happen when I have IP Filter disabled).

I believe that the line "block in on vr0 from any to any head 200" is the culprit responsible for my troubles, but I can't figure out why it would be a problem since I have specifically stated a pass statement for SSH.

I hope that someone will be able to take a look at my ruleset and figure out what my problem is. And if at all possible, a brief explanation as to why.

My whole goal with this project is to learn about the operating system and administration. =)

I also realize that IP Filter is probably becoming a deprecated technology as new solutions are coming into play (I'm mainly using IP Filter as a means to get my feet wet as I follow along with Lucas). However, if anyone has any suggestions as to what packet filtering technology to deploy and configure, I'm more than willing to take a look!

Thanks for your time - Bradford Fisher
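A small model of how IP Filter walks a ruleset like the one in the message above, added here as an example; it is not code from the post, from the book, or from IP Filter itself. It parses the posted rules, applies ipf's evaluation order (top to bottom, the last matching rule wins unless a rule says quick, a matching head rule runs its group, and the state table is consulted before any rule), and pushes a few constructed packets through them. The server and client addresses (198.51.100.7 and 203.0.113.5) and the substitution for my.ip.address are assumptions. Among other things the model shows that, within group 200, the quick pass for port 22 overrides the earlier non-quick block on 192.168.254.50, and that an inbound TCP packet on vr0 that matches no group 200 rule falls back to the head rule's block. It deliberately models rule order only: the real state table also checks TCP sequence numbers and windows, and the return-rst/return-icmp replies are not generated, so it explains which rule decides, not every reason a packet might be dropped.

```python
"""Toy model of IP Filter's rule walk: top to bottom, last match wins unless 'quick', a matching
'head' runs its 'group', state table first. Added example, not from the post or IP Filter."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORTS = {"www": 80, "smtp": 25, "pop3": 110}
Packet = namedtuple("Packet", "direction proto src sport dst dport flags iface opts",
                    defaults=("", "vr0", frozenset()))  # iface vr0 as in the post; opts: 'ipopts'/'short'

def parse_rule(line):  # the ipf.rules subset used in the post -> dict of selectors
    toks = [t for t in line.split() if not t.startswith("return-")]  # return-rst etc. only shape the reply
    r = {"text": line, "action": toks.pop(0), "dir": toks.pop(0), "from": "any", "to": "any",
         "quick": False, "keep": False}
    while toks:
        t = toks.pop(0)
        if t in ("log", "all", "state"):     # 'all' = 'from any to any'; 'state' follows 'keep'
            continue
        if t in ("quick", "keep"):
            r[t] = True
        elif t == "port":                    # 'port = www' or 'port = 22'
            r["dport"] = PORTS.get(toks[1]) or int(toks[1])
            del toks[:2]
        elif t in ("on", "proto", "from", "to", "flags", "with"):
            r[t] = toks.pop(0)
        elif t in ("head", "group"):
            r[t] = int(toks.pop(0))
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return r

def matches(r, p):  # True if p satisfies every selector the rule actually specifies
    ok = (r["dir"] == p.direction and r.get("on", p.iface) == p.iface
          and r.get("proto", p.proto) == p.proto and r.get("dport", p.dport) == p.dport
          and r.get("with") in (None, *p.opts)
          and all(s == "any" or ip_address(a) in ip_network(s, strict=False)
                  for a, s in ((p.src, r["from"]), (p.dst, r["to"]))))
    if ok and "flags" in r:                  # 'S/SA': of S and A, exactly S must be set
        want, mask = r["flags"].split("/")
        ok = all((f in p.flags) == (f in want) for f in mask)
    return ok

def scan(rules, p, groups):  # last match wins; 'quick' ends the walk; a matching head runs its group
    winner, quick = None, False
    for r in rules:
        if not matches(r, p):
            continue
        winner, quick = r, r["quick"]
        if "head" in r:
            sub, q = scan(groups.get(r["head"], []), p, groups)
            winner, quick = sub or winner, quick or q
        if quick:
            break
    return winner, quick

def load(text):  # rules bucketed by group number; key None holds the top-level list
    groups = {}
    for r in map(parse_rule, text.strip().splitlines()):
        groups.setdefault(r.get("group"), []).append(r)
    return groups

def check(groups, state, p):  # -> (verdict, deciding rule); a passing 'keep state' rule records the flow
    key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
    if key in state:
        return "pass", "state table"
    rule, _ = scan(groups.get(None, []), p, groups)
    if rule is None:                         # ipf's default policy is pass
        return "pass", "no rule matched"
    if rule["action"] == "pass" and rule["keep"]:
        state.add(key)
    return rule["action"], rule["text"]

RULES = """block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on vr0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to my.ip.address/32 group 100
block in on vr0 from any to any head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.254.50/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = smtp keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200"""

def demo():  # push constructed packets through the post's ruleset, in this order
    server, client = "198.51.100.7", "203.0.113.5"   # assumed; the post writes my.ip.address
    groups, state = load(RULES.replace("my.ip.address", server)), set()
    cases = {
        "ssh syn in": Packet("in", "tcp", client, 40000, server, 22, "S"),
        "ssh syn/ack out": Packet("out", "tcp", server, 22, client, 40000, "SA"),
        "telnet syn in": Packet("in", "tcp", client, 40001, server, 23, "S"),
        "stray ack in": Packet("in", "tcp", client, 40002, server, 23, "A"),
        "ssh syn from 192.168.254.50": Packet("in", "tcp", "192.168.254.50", 40003, server, 22, "S"),
    }
    return {name: check(groups, state, p) for name, p in cases.items()}
```

Calling demo() returns, for each constructed packet, the verdict and the rule text that decided it (or "state table" when the flow was already recorded by a keep state pass). The inbound SSH SYN is decided by the port 22 pass; the server's SYN/ACK goes out on the state entry that pass created; a SYN to port 23 hits the return-rst rule; a lone ACK to port 23 matches nothing in group 200 and inherits the head rule's block.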