IPFILTER rule error

Maxim Vetrov muxas at mail.ru
Wed Feb 15 05:05:43 PST 2006


Hi!

Thanks for your attention!

>> First of all you really need to read the ipfilter section of the
>> FreeBSD handbook...
>> fbsd_user at a1poweruser.com

I've read the handbook. Good starting point! :-) Given that I'm just 
_TESTING_ an ipf config ported from 5.4 to 6.0 on a local LAN, I'm not 
violating the theoretical background of firewalling. Grouping is used to 
differentiate inbound/outbound traffic; probably I will use it to 
differentiate interfaces too.

>> I don't know if you posted the whole ruleset or if you cut out what
>> seemed irrelevant to keep the post short...
>> Erik Norgaard

Yes, I did not show you the whole story about ipf.rules, only the 
skeleton and the problematic lines. The reason is that ipfilter works 
with the basic ipf.rules, and ipfstat confirms that. But there were no 
logs as expected (eventually I found where the log info went: it 
appeared in /var/log/messages, and not in /var/log/security as 
configured!). By the way, I prefer to use syslogd because it allows for 
log rotation, which is goooood! :-)

The problem with "no such process" appeared when I added this line to 
ipf.rules:
**** pass out quick on rl0 \
**** proto udp from any to any port = sunrpc keep state group 20

It doesn't matter whether the port parameter is expressed as a name or a 
number. I have other lines written both ways and all of them work! 
Again, the error appears only when I insert the above line in 
ipf.rules. This is an outbound rule; I had the inbound rule in the basic 
setup (you can see it in my previous post) and it ran just fine!

Ok, in the attachment there is the whole story about ipf.rules as it is. 
As I've found from the handbook, this way of firewalling is called 
"inclusive" %-).

Regards,
Muxas

P.S. I apologize for my message timing; it's the second question I'll 
ask after ipf :-)
-------------- next part --------------
################################################################################
#                      External interface - ppp0                               #
################################################################################

#%%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%
#block in log on ppp0 all head 10
#block out log on ppp0 all head 15

#%%%%%%%%%%%%%%%%%% Allow DNS requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = domain keep state group 15

#%%%%%%%%%%%%%%%%%% Allow outbound HTTP packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp from any to any port = 80 keep state keep frags group 15

#%%%%%%%%%%%%%%%%%% Allow outbound FTP packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp from any to any port = 21 keep state group 15

#%%%%%%%%%%%%%%%%%% Allow inbound FTP-data packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass in quick on ppp0 \
#  proto tcp/udp from any port = 20 to any port > 1024 keep state group 10

#%%%%%%%%%%%%%%%%%% Allow outbound Jabber connections %%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp from any to any port = 5222 keep state group 15

#%%%%%%%%%%%%%%%%%% Allow POP3 outgoing connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = 110 keep state group 15

#%%%%%%%%%%%%%%%%%% Allow SMTP outgoing connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick  on ppp0 \
#  proto tcp/udp from any to any port = 25 keep state group 15

#%%%%%%%%%%%%%%%%%% Allow outgoing CVS connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#pass out quick on ppp0 \
#  proto tcp/udp from any to any port = 5999 keep state group 15 

################################################################################
#              Internal interface #1 - rl0 (10.0.1.0/29)                       #
################################################################################

#%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%%
block in log on rl0 all head 20
block out log on rl0 all head 25
#pass in  on rl0 from 10.0.1.1/29 to any group 20
#pass out on rl0 from any to 10.0.1.1/29 group 25

#%%%%%%%%%%%%%%%%% Allow ping %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto icmp all keep state group 20
pass out quick on rl0 \
  proto icmp all keep state group 25

#%%%%%%%%%%%%%%%%% Allow DNS requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = domain keep state group 20

#%%%%%%%%%%%%%%%%% Allow DHCP requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any port = 68 to any port = 67 group 20

#%%%%%%%%%%%%%%%%% Allow HTTP requests from local network %%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp from any to any port = 80 keep state keep frags group 20

#%%%%%%%%%%%%%%%%% Allow FTP requests from local network %%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 proto tcp from any to any port = 21 keep state group 20

#%%%%%%%%%%%%%%%%% Allow inbound FTP-data packets %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass out quick on rl0 \
  proto tcp/udp from any port = 20 to any port > 1024 keep state group 25

#%%%%%%%%%%%%%%%%% Allow inbound Jabber connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp from any to any port = 5222 keep state group 20
 
#%%%%%%%%%%%%%%%%% Allow Sun RPC incoming calls %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
  proto tcp/udp from any to any port = 717 keep state group 20
# the next line raises the error when uncommented
#pass out quick on rl0 \
#  proto udp from any to any port = 111 keep state group 20

#%%%%%%%%%%%%%%%%% Allow NFS incoming requests %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 2049 keep state group 20
# mountd fixed port=1041
pass in quick on rl0 \
  proto udp from any to any port = 1041 keep state group 20

#%%%%%%%%%%%%%%%% Allow POP3 connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 110 keep state group 20

#%%%%%%%%%%%%%%%% Allow SMTP connections %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 25 keep state group 20

#%%%%%%%%%%%%%%%% Allow NetBIOS Naming System service %%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 137 keep state group 20
pass out quick on rl0 \
  proto tcp/udp from any to any port = 137 keep state group 25

#%%%%%%%%%%%%%%%% Allow NetBIOS Datagram Service %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 138 keep state group 20
pass out quick on rl0 \
  proto tcp/udp from any to any port = 138 keep state group 25

#%%%%%%%%%%%%%%%% Allow SMB over NetBIOS over TCP %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 139 keep state group 20
pass out quick on rl0 \
  proto tcp/udp from any to any port = 139 keep state group 25

#%%%%%%%%%%%%%%%% Allow SMB Session service  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 445 keep state group 20
pass out quick on rl0 \
  proto tcp/udp from any to any port = 445 keep state group 25

#%%%%%%%%%%%%%%% Allow PostgreSQL connections on default port %%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp/udp from any to any port = 5432 keep state group 20
pass out quick on rl0 \
  proto tcp/udp from any to any port = 5432 keep state group 25

#%%%%%%%%%%%%%%% Allow FireBird connections on default port %%%%%%%%%%%%%%%%%%%%
pass in quick on rl0 \
  proto tcp from any to any port = 5030 keep state group 20
pass out quick on rl0 \
  proto tcp from any to any port = 5030 keep state group 25

################################################################################
#              Internal interface #2 - vr0 (10.0.2.0/29)                       #
################################################################################
pass in quick on vr0 all
pass out quick on vr0 all
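Added example, not part of the original post or its attachment: a small Python lint for the group wiring of an ipf.rules file. It joins backslash-continued lines the way the attached ruleset is written, records the direction (in/out) of every `head N` rule, and flags a rule that names `group N` when no head for N has been loaded before it or when the member's direction differs from the head's. The second check is my reading of the "no such process" error in this thread: the failing line is an `out` rule joined to group 20, whose head is `block in`, while the working `out` rules all use group 25. The sample ruleset embedded below is constructed for the example and only mirrors a few rules from the attachment.

```python
#!/usr/bin/env python3
"""Lint the head/group wiring of an ipf.rules file (added example).

Checks, in file order: a rule naming `group N` needs a `head N` rule
loaded before it, and the member's direction (in/out) must match the
direction of that head rule.
"""
import sys

# Constructed sample modelled on the attachment; the `pass out ... group 20`
# rule mirrors the line the poster reports as failing, and the last rule
# names a group that is never declared.
SAMPLE_RULES = """\
# Block-and-log everything that is not allowed explicitly
block in log on rl0 all head 20
block out log on rl0 all head 25

pass in quick on rl0 \\
  proto icmp all keep state group 20
pass out quick on rl0 \\
  proto icmp all keep state group 25

# the next line raises the error when uncommented
pass out quick on rl0 \\
  proto udp from any to any port = 111 keep state group 20
pass in quick on rl0 \\
  proto tcp from any to any port = 5222 keep state group 99
"""

DIRECTIONS = ("in", "out")


def logical_rules(text):
    """Yield (first_line_number, tokens) for each rule.

    Strips `#` comments and blank lines and joins lines ending in a
    backslash, the way the posted ruleset is written.
    """
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).split()
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf).split()


def option_value(tokens, keyword):
    """Return the token following `keyword` (the N in `head N`), or None."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def check_groups(text):
    """Return a list of (line_number, message) for group wiring problems."""
    heads = {}  # group name -> (direction, line number of its head rule)
    problems = []
    for lineno, tokens in logical_rules(text):
        # A plain ipf rule reads `<action> in|out ...`; anything else is
        # outside what this lint understands, so report it rather than guess.
        if len(tokens) < 2 or tokens[1] not in DIRECTIONS:
            problems.append((lineno, "cannot determine rule direction"))
            continue
        direction = tokens[1]
        group = option_value(tokens, "group")
        if group is not None:
            if group not in heads:
                problems.append((lineno, f"group {group} has no head rule "
                                         f"defined before this line"))
            elif heads[group][0] != direction:
                head_dir, head_line = heads[group]
                problems.append((lineno, f"'{direction}' rule joined to group "
                                         f"{group}, whose head (line {head_line}) "
                                         f"is an '{head_dir}' rule"))
        head = option_value(tokens, "head")
        if head is not None:
            # First head seen for a name defines the group's direction.
            heads.setdefault(head, (direction, lineno))
    return problems


def main(argv):
    """Lint the file named on the command line, or the built-in sample."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    problems = check_groups(text)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 ipf_group_lint.py /etc/ipf.rules` before loading the ruleset; on the sample it reports the `out` rule on line 11 joined to the `in` group 20, and the reference to the undeclared group 99 on line 13. The lint only understands the `<action> in|out ... head N ... group N` shape used in the attachment and deliberately reports any rule it cannot classify instead of skipping it.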
