My ipfilter rules are overreaching...
Eric Popelka
arickp at cox.net
Thu Nov 27 01:36:35 UTC 2014
Hello BSD friends,
I've enabled ipfilter by adding the following to my /etc/rc.conf:
ipfilter_enable="YES" # load ipfilter kernel module
ipfilter_rules="/etc/ipf.rules" # my rules file
ipmon_enable="YES" # try to keep out hax0rs
ipmon_flags="-Ds" # run as a daemon, save using syslogd
My rules file (/etc/ipf.rules) reads as follows (not verbatim, trying
to just get to the facts):
# No restrictions on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all
# Allow outbound traffic
pass out quick on xn0 all keep state
### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
# Allow in the whole subnet assigned to my cable modem
# (hack, eventually want to just allow access to certain ports)
pass in log first on xn0 from 72.205.44.0/23 to any
# Keep out hax0rs
block in log first quick on xn0 all
Unfortunately, this is keeping me from ssh'ing into my server.
I get the following message in /var/log/messages:
ipmon: xn0 @0:8 b 72.205.45.###,40455 -> 104.128.###.###,22 PR tcp len 20 64 -S IN
(### = actual numbers <= 255, obviously)
I'm stumped. I triple-checked that the IP address from which I'm
connecting is in the subnet that I specified in my 'pass in' rule. Am
I not writing my rules in the correct order?
Output from uname:
FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014
I ran 'pkg update' and 'pkg upgrade'.
Thanks.
-- 
Eric Popelka
arickp at cox.net
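As an added example (not part of Eric's post, and not ipfilter's own code), a small Python model of how ipfilter picks a verdict: rules are tried top to bottom, the last matching rule wins, and a rule with "quick" ends evaluation as soon as it matches. The packet is constructed from the ipmon line above, with placeholder octets where the post uses ###.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # interface name, e.g. "xn0"
    src: str = "any"             # source network in CIDR form, or "any"
    dport: Optional[int] = None  # destination port, None matches any port
    quick: bool = False          # stop evaluating once this rule matches

@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.src != "any":
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(rules, pkt, default="pass"):
    """ipfilter semantics: last matching rule wins unless a matching rule is quick.
    Returns (verdict, index of the deciding rule or None)."""
    verdict, decided_by = default, None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, decided_by = rule.action, i
            if rule.quick:
                break
    return verdict, decided_by

# Constructed from the ipmon line in the post; the ### octets are placeholders.
SSH_SYN = Packet("in", "xn0", "72.205.45.10", 22)
# The two inbound xn0 rules as posted: the pass rule lacks "quick".
ORIGINAL = [Rule("pass", "in", "xn0", src="72.205.44.0/23"),
            Rule("block", "in", "xn0", quick=True)]
# Same rules with "quick" on the pass rule, so evaluation stops there.
FIXED = [Rule("pass", "in", "xn0", src="72.205.44.0/23", quick=True),
         Rule("block", "in", "xn0", quick=True)]

if __name__ == "__main__":
    print(evaluate(ORIGINAL, SSH_SYN), evaluate(FIXED, SSH_SYN))
```

Because the posted `pass in` rule is not `quick`, the later `block in ... quick` rule is the last match and decides, which is why the SYN to port 22 is logged as blocked.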