My ipfilter rules are overreaching...

Eric Popelka arickp at cox.net
Thu Nov 27 01:36:35 UTC 2014


Hello BSD friends,

I've enabled ipfilter by adding the following to my /etc/rc.conf:
	ipfilter_enable="YES"   # load ipfilter kernel module
	ipfilter_rules="/etc/ipf.rules"   # my rules file
	ipmon_enable="YES"   # try to keep out hax0rs
	ipmon_flags="-Ds"    # run as a daemon, save using syslogd

My rules file (/etc/ipf.rules) reads as follows (not verbatim, trying
to just get to the facts):

	# No restrictions on loopback (lo0)
	pass in quick on lo0 all
	pass out quick on lo0 all

	# Allow outbound traffic
	pass out quick on xn0 all keep state

	### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###

	# Allow in the whole subnet assigned to my cable modem
	# (hack, eventually want to just allow access to certain ports)
	pass in log first on xn0 from 72.205.44.0/23 to any

	# Keep out hax0rs
	block in log first quick on xn0 all

Unfortunately, this is keeping me out from ssh'ing in to my server.
I get the following message in /var/log/messages:
	ipmon: xn0 @0:8 b 72.205.45.###,40455 -> 104.128.###.###,22 PR tcp len 20 64 -S IN

(### = actual numbers <= 255, obviously)

I'm stumped. I triple-checked that the IP address from which I'm
connecting is in the subnet that I specified in my 'pass in' rule. Am
I not writing my rules in the correct order?

Output from uname:
FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014

I ran 'pkg update' and 'pkg upgrade'.

Thanks.

-- 

Eric Popelka
arickp at cox.net
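ipfilter consults every rule in the file and the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation immediately. The Python model below of that evaluation order is an added example, not code from the post or from ipfilter itself; the rule text is re-typed from the message (the six snipped rules omitted), the source address is constructed, and FIXED_RULES is an assumed variant that adds `quick` to the subnet rule for comparison.

```python
import ipaddress

# Rules as posted, re-typed here as constructed input; the six snipped
# DHCP/NTP/ICMP rules are omitted (none of them matches inbound TCP/22).
POSTED_RULES = """
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on xn0 all keep state
pass in log first on xn0 from 72.205.44.0/23 to any
block in log first quick on xn0 all
"""
# The same file with 'quick' on the subnet rule, so that match is final.
FIXED_RULES = POSTED_RULES.replace("pass in log first on xn0",
                                   "pass in log first quick on xn0")

def parse_rules(text):
    """Parse the ipf.conf subset used above: action, direction, optional
    'quick', 'on <iface>' and 'from <cidr>'; other keywords are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rules.append({
            "action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": tok[tok.index("on") + 1] if "on" in tok else None,
            "src": (ipaddress.ip_network(tok[tok.index("from") + 1])
                    if "from" in tok else None)})
    return rules

def matches(rule, pkt):
    """A rule matches when direction, interface and source network agree."""
    return (rule["dir"] == pkt["dir"]
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["src"] is None
                 or ipaddress.ip_address(pkt["src"]) in rule["src"]))

def evaluate(rules, pkt):
    """ipfilter consults every rule and the LAST match wins, except that a
    matching 'quick' rule ends evaluation at once. Returns (verdict, 1-based
    number of the deciding rule, 0 if none); the no-match default is pass
    unless the kernel was built with IPFILTER_DEFAULT_BLOCK."""
    verdict, decided_by = "pass", 0
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            verdict, decided_by = rule["action"], n
            if rule["quick"]:
                break
    return verdict, decided_by

# Inbound SSH packet like the logged one (constructed source address).
SSH_IN = {"dir": "in", "iface": "xn0", "src": "72.205.45.7", "dport": 22}
```

With the posted file the subnet rule matches but is not `quick`, so evaluation continues to the final `block ... quick` rule, which is what ipmon logs.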