Can't access rsh listen on lo0

AndygreenNet at netscape.net
Fri Sep 24 21:08:40 PDT 2004


Hello freebsd-pf,

Help me, please.

I have:
FreeBSD 5.2.1
pf-freebsd-2.03

I tried to access rsh listening on lo0.
The connection is interrupted with the messages:
  rsh: Connection timeout;
  or
  rsh: Connection reset by peer.

My pf.conf:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="{ vlan1, fxp2 }"        # replace with actual external interface name, i.e., dc0
int_if="fxp0"                   # replace with actual internal interface name, i.e., dc1
ext_bridge_if="{ vlan0, vlan2, vlan3 }"
int_bridge_if="{ xl0, vlan4, vlan5 }"
internal_net_TTK="62.33.196.128/25"
internal_net_RT_COMM="213.59.235.120/29"
external_addr_TTK="62.33.196.254"
external_addr_RT_COMM="213.59.128.130"
restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023 }"
allow_udp_ports="{ domain, > 1023 }"
ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/usr/local/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on lo0 from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: external interfaces
block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports

# Filtering: external bridge interfaces
block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
pass in quick on $ext_bridge_if $ARP_in
pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
pass out quick on $ext_bridge_if $ARP_out
pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any

# Filtering internal interfaces with keep state, logging blocked packets.
block in log on $int_if all
pass in quick on $int_if $ARP_out keep state
pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state

# Filtering internal bridge interfaces with keep state, logging blocked packets.
block in log on $int_bridge_if all
pass in quick on $int_bridge_if $ARP_out keep state
pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state

Where was I mistaken?

-- 
Best regards,
A. Kochetkoff                          mailto:andrews at mtelecom.chita.ru

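Added example, not part of the post above and not the poster's ruleset: a pf.conf fragment showing the two things a ruleset must say explicitly when rsh is in play, an unconditional pass on lo0 and rules for both of rsh's TCP connections. pf evaluates the whole filter list and the last matching rule wins unless a rule says "quick"; a packet matched by no rule is passed. The macro names (int_if, ext_if, internal_net_TTK, internal_net_RT_COMM) are assumed to be the poster's; the rsh port facts (control channel to tcp/514 from a reserved client port, a second connection opened by rshd back to the client from a reserved server port for stderr) are standard rsh behaviour.

```pf
# Added example (not the poster's ruleset). Macro values assumed to match
# the poster's configuration.
ext_if="{ vlan1, fxp2 }"
int_if="fxp0"
internal_net_TTK="62.33.196.128/25"
internal_net_RT_COMM="213.59.235.120/29"

# Loopback: pass everything, placed first in the filter section and marked
# "quick" so no later block rule ever applies to lo0 traffic. Newer pf can do
# the same with "set skip on lo0" in the options section; the plain rule is
# used here because it is valid on older pf as well.
pass quick on lo0 all

# rsh control channel: the client connects from a reserved source port
# (512-1023) to tcp/514 ("shell" in /etc/services). rshd itself rejects
# clients that do not use a reserved port, so the rule mirrors that.
pass in quick on $int_if inet proto tcp \
    from { $internal_net_TTK, $internal_net_RT_COMM } port 512:1023 \
    to any port 514 keep state

# rsh stderr channel: rshd opens a second TCP connection back to the client,
# from a reserved port on the server to a reserved port on the client. For
# the firewall this is a brand-new inbound connection on the external side;
# the state created for the control channel does not cover it. rsh gives no
# way to narrow this hole below "any reserved port to any reserved port",
# which is the usual reason to replace rsh with ssh rather than firewall it.
pass in quick on $ext_if inet proto tcp \
    from any port 512:1023 \
    to { $internal_net_TTK, $internal_net_RT_COMM } port 512:1023 keep state
```

To check a ruleset like this, parse it without loading it with `pfctl -nf /etc/pf.conf`, then list what is actually loaded with `pfctl -vvsr`; the two should agree, including the line-wrapped rules. With `log` on the block rules and pflog enabled, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet together with the rule number that dropped it. The two error messages also point in different directions: with `set block-policy drop`, pf never sends a reset, so "Connection reset by peer" comes from a TCP stack (nothing listening on that port, or a `block return` rule), while "Connection timeout" is what a silently dropped SYN looks like.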


