IPFILTER rule error
Giorgos Keramidas
keramida at ceid.upatras.gr
Wed Feb 15 08:23:40 PST 2006
On 2006-02-15 16:23, Erik Norgaard <norgaard at locolomo.org> wrote:
> Maxim Vetrov wrote:
> >################################################################################
> ># Internal interface #1 - rl0 (10.0.1.0/29)
> >#
> >################################################################################
> >
> >#%%%%%%%%%%%%%%%%% Block-and-log everything that is not allowed explicitly %%%%%
> >block in log on rl0 all head 20
> >block out log on rl0 all head 25
> >#%%%%%%%%%%%%%%%%% Allow Sun RPC incoming calls %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> >pass in quick on rl0 \
> > proto tcp/udp from any to any port = sunrpc keep state group 20
> >pass in quick on rl0 \
> > proto tcp/udp from any to any port = 717 keep state group 20
> ># the next line raises the error when uncommented
> >#pass out quick on rl0 \
> ># proto udp from any to any port = 111 keep state group 20
>
> I think someone else already pointed at this: in the offending line you
> try to add a rule for outbound traffic to the inbound group. Try
> correcting it to group 25.
That's true. I did post the relevant message:
Date: Tue, 14 Feb 2006 17:13:33 +0200
From: Giorgos Keramidas <keramida at ceid.upatras.gr>
Subject: Re: IPFILTER rule error
To: Maxim Vetrov <muxas at mail.ru>
Cc: norgaard at locolomo.org, chris at i13i.com
[...]
Note that you have only set up a group numbered '25' for outgoing
traffic, but then attempt to add a rule to an outgoing group of '20'.
This is the cause of the error you're seeing.
This ruleset should work fine:
# block in log on rl0 all head 20
# block out log on rl0 all head 25
#
# pass in quick on rl0 \
# proto tcp/udp from any to any port = sunrpc keep state group 20
# pass in quick on rl0 \
# proto tcp/udp from any to any port = 717 keep state group 20
# pass out quick on rl0 \
# proto udp from any to any port = 111 keep state group 25
[...]
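A small checker for exactly the mistake discussed in this thread, added here as an example (it is not code from the thread or from IPFilter itself): it reads an ipf ruleset, records the direction of every `head N` rule, and flags any `group N` rule whose `in`/`out` direction disagrees with its head. The ruleset in the block is constructed to reproduce the error above.

```python
"""Check that ipf rules joining 'group N' match the direction of 'head N'."""
import re
from typing import Dict, List

# Constructed ruleset reproducing the thread's error: the last rule is an
# outbound rule added to group 20, whose head is an inbound rule.
BROKEN_RULESET = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \\
    proto tcp/udp from any to any port = sunrpc keep state group 20
pass out quick on rl0 \\
    proto udp from any to any port = 111 keep state group 20
"""

def join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines, drop comments and blank lines."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            rules.append(" ".join(buf.split()))
        buf = ""
    return rules

def check_groups(text: str) -> List[str]:
    """Return problems: a rule joining a group whose head has the other
    direction, or a group that has no head at all."""
    rules = join_continuations(text)
    heads: Dict[str, str] = {}  # group number -> direction of its head rule
    problems: List[str] = []
    for rule in rules:
        direction = re.match(r"\w+\s+(in|out)\b", rule)  # 'block in', 'pass out'
        head = re.search(r"\bhead\s+(\d+)", rule)
        if direction and head:
            heads[head.group(1)] = direction.group(1)
    for rule in rules:
        direction = re.match(r"\w+\s+(in|out)\b", rule)
        group = re.search(r"\bgroup\s+(\d+)", rule)
        if not (direction and group):
            continue
        head_dir = heads.get(group.group(1))
        if head_dir is None:
            problems.append(f"group {group.group(1)} has no head: {rule}")
        elif head_dir != direction.group(1):
            problems.append(f"'{direction.group(1)}' rule joins '{head_dir}' "
                            f"group {group.group(1)}: {rule}")
    return problems
```

Changing the last rule to `group 25`, as suggested in the thread, makes `check_groups` return an empty list.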