ipf problem

ipf problem

Post by Murray Bozinsk » Fri, 03 Nov 2000 08:27:45



Hi,

I got a silly problem with ipf and configuring a firewall.
I read the obsd faq, ipf man page and ipf howto but I still can't solve
my problem.

My ipf.rules file looks similar to this:

#------ start ------
pass in from any to any
pass out from any to any

# block all udp except dns

pass in quick on ne3 proto udp from any to any port = 53
block in on ne3 proto udp from any to any

# block tcp to known services

block return-rst in log on ne3 proto tcp from any to any flags S/SA
block return-rst in on ne3 proto tcp from any to any port = auth flags S/SA
# ------ end -----

I am trying to block all udp packets coming in on ne3 except those for
port 53 (dns). The blocking works fine, but it blocks the dns packets as
well, and I don't understand why. I tried to swap the lines: first
block then pass, with quick and without, but it never worked.
I am sure it is pretty easy, but I just can't see what I am doing wrong.

Thanks for any help.

Murray

PS: Yes, I did "ipf -Fa -f /etc/ipf.rules" after each change on
/etc/ipf.rules


ipf problem

Post by A farmer using BSD, eh » Fri, 03 Nov 2000 08:42:47



> # block all udp except dns
> pass in quick on ne3 proto udp from any to any port = 53
> block in on ne3 proto udp from any to any

> I am trying to block all udp packets coming in on ne3 except those for
> port 53 (dns). The blocking works fine, but it blocks the dns packets as
> well, and I don't understand why. I tried to swap the lines: first
> block then pass, with quick and without, but it never worked.
> I am sure it is pretty easy, but I just can't see what I am doing wrong.

Very old faq, mind you!
pass out quick on ne3 proto udp from any to any port = 53 keep state
block in quick on ne3 proto udp all
--
A farmer would have more time farming BSD after Thanksgiving


ipf problem

Post by Chri » Wed, 08 Nov 2000 04:00:00


Quote:> I got a silly problem with ipf and configuring a firewall.
> I read the obsd faq, ipf man page and ipf howto but I still can't solve
> my problem.

> My ipf.rules file looks similar to this:

> #------ start ------
> pass in from any to any
> pass out from any to any

> # block all udp except dns

> pass in quick on ne3 proto udp from any to any port = 53

just add
    pass out quick on ne3 proto udp from any to any port = 53
so it will catch both incoming and outgoing packets on 53

Quote:> block in on ne3 proto udp from any to any

> # block tcp to known services

> block return-rst in log on ne3 proto tcp from any to any flags S/SA
> block return-rst in on ne3 proto tcp from any to any port = auth flags S/SA
> # ------ end -----

It should work ^_^, does it?
Chris
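Why the original ruleset drops DNS and the `keep state` version from the replies above does not: a DNS reply comes back in on ne3 from source port 53 to the resolver's ephemeral port, so an inbound rule restricted to `port = 53` never matches the reply, and in ipf the last matching rule wins unless a rule says `quick`, which leaves `block in on ne3 proto udp` as the decision. `keep state` on the outbound query rule records the flow, and the state table is consulted before the rules, so the reply is passed without any inbound rule at all. The following is an added example, not ipf's own code: a small Python model of this subset of ipf semantics (pass/block, in/out, `quick`, `on`, `proto`, `port = N` after `to`, `keep state`; `flags`, `log` and `return-rst` are parsed but ignored). The addresses, the ephemeral port and the `auth` port mapping are constructed for the demonstration.

```python
"""Model of ipf rule evaluation for the thread's rulesets (added example, not ipf code).

Assumptions: rule tokens are a subset of ipf syntax; 'port = N' always follows 'to'
so it constrains the destination port; the last matching rule wins unless it is
'quick'; 'keep state' on a passed packet records the flow so the reversed packet
(the reply) is passed from the state table before the rules are consulted.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {"auth": 113, "domain": 53}   # constructed lookup for named ports


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    keep_state: bool

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(toks[0], "", False, None, None, None, False)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "on":
            rule.iface = toks[i + 1]
            i += 1
        elif t == "proto":
            rule.proto = toks[i + 1]
            i += 1
        elif t == "port":                       # "port = N" or "port = name"
            rule.dport = SERVICE_PORTS.get(toks[i + 2]) or int(toks[i + 2])
            i += 2
        elif t == "keep" and toks[i + 1] == "state":
            rule.keep_state = True
            i += 1
        elif t == "flags":                      # TCP flags are not modelled; skip value
            i += 1
        # return-rst, log, from, to, any, all: no effect on matching in this model
        i += 1
    return rule


class Firewall:
    def __init__(self, ruleset: str):
        self.rules = [parse_rule(l) for l in ruleset.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.state = set()   # flows recorded by 'keep state'

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return "pass"                       # state table wins before any rule
        decision, keep = "pass", False          # ipf passes when nothing matches
        for r in self.rules:
            if not r.matches(pkt):
                continue
            decision, keep = r.action, r.keep_state
            if r.quick:
                break                           # quick: first match decides
            # otherwise keep going: the last matching rule decides
        if decision == "pass" and keep:
            self.state.add(key)
        return decision


# Murray's ruleset as posted (inbound-only DNS exception).
ORIGINAL = """\
pass in from any to any
pass out from any to any
pass in quick on ne3 proto udp from any to any port = 53
block in on ne3 proto udp from any to any
block return-rst in log on ne3 proto tcp from any to any flags S/SA
block return-rst in on ne3 proto tcp from any to any port = auth flags S/SA
"""

# The same ruleset with the 'keep state' outbound rule from the replies.
KEEP_STATE = """\
pass in from any to any
pass out from any to any
pass out quick on ne3 proto udp from any to any port = 53 keep state
block in quick on ne3 proto udp all
block return-rst in log on ne3 proto tcp from any to any flags S/SA
block return-rst in on ne3 proto tcp from any to any port = auth flags S/SA
"""


def dns_exchange(fw: Firewall) -> Tuple[str, str]:
    """Resolver query out through ne3, then the server's reply back in (constructed addresses)."""
    query = Packet("out", "ne3", "udp", "10.0.0.2", 40000, "192.0.2.53", 53)
    reply = Packet("in", "ne3", "udp", "192.0.2.53", 53, "10.0.0.2", 40000)
    return fw.filter(query), fw.filter(reply)


def unsolicited_udp(fw: Firewall) -> str:
    """An inbound UDP datagram with no matching outbound flow must still be blocked."""
    return fw.filter(Packet("in", "ne3", "udp", "198.51.100.9", 5555, "10.0.0.2", 1234))


if __name__ == "__main__":
    print("original :", dns_exchange(Firewall(ORIGINAL)))      # ('pass', 'block')
    print("keep state:", dns_exchange(Firewall(KEEP_STATE)))   # ('pass', 'pass')
    print("unsolicited:", unsolicited_udp(Firewall(KEEP_STATE)))  # block
```

The `unsolicited_udp` check is the part worth keeping when tightening a ruleset like this: the `keep state` rule opens the return path only for flows the host initiated, so the `block in quick ... udp all` line still drops anything that did not originate from an outbound query.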

ipf problem

Post by Murray Bozinsk » Thu, 09 Nov 2000 04:00:00


Quote:> It should work ^_^, does it?

Yes it does, thanks y'all!
Murray

ipf problem

Post by Chri » Sat, 11 Nov 2000 16:34:33


You are welcome

*another happy BSD user*

^_^

--
--------------------------------------
NetBSD Rocks
http://www.NetBSD.org


Quote:> > It should work ^_^, does it?

> Yes it does, thanks y'all!
> Murray


ipf problems

I'm experiencing a weird problem with ipfilter/ipnat.  I am forwarding
some ports (specifically Apache is where this cropped up first) with
my router which is a sparc running S10 FCS.

The problem is, the router is randomly refusing the connections.
Only about half of them make it through fine.  The router is not under
heavy load, on average handling ~250 connections at a time.  Watching
with snoop, I can see that these connection attempts are never
being forwarded to the internal machine at all.

This issue seems to be restricted only to ports I am forwarding.

Here is some relevant configuration:

# ipf.conf
# mxfe0 is the external interface, hme0 the internal

# trust internal devices
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on hme0 all
pass out quick on hme0 all

# default to blocking everything else
block in all
block out all

# allow new outbound connections
pass out quick on mxfe0 proto tcp from any to any keep state keep frags
pass out quick on mxfe0 proto udp from any to any keep state keep frags
pass out quick on mxfe0 proto icmp from any to any keep state

# redirected ports
pass in quick on mxfe0 proto tcp from any to any port = 80 flags S keep state

# ipnat.conf
map mxfe0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map mxfe0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map mxfe0 192.168.0.0/24 -> 0/32

rdr mxfe0 0.0.0.0/0 port 80 -> 192.168.0.120 port 80

Any ideas?

Thanks,
Eric
