IPFILTER Rules

Randy Babb randy at insipidity.co.uk
Wed Jun 2 07:12:23 PDT 2004


Hi,
I'm just learning how to use IPFilter and I'm having some trouble. I
hope someone can help me. I have a server running on my LAN that I'm trying
to set up some rules on; they are basically the same as the ones in
Absolute BSD by Michael Lucas. The server is running two instances of
Apache (on ports 80 and 81, the latter should only be accessible from my
machine through the LAN), a POP3 server, the SSH daemon, an FTP server
and a proxy server (Squid).

When I use these rules all my connections to the server are really slow,
except to both instances of Apache for some reason - those are normal.
For instance, a connection to the POP3 server would usually be
established almost instantly, but now it takes around 80 seconds. If I
just use the rules "pass in all" and "pass out all" it works fine, so it
is definitely a problem with my rules.

Here are the rules:

block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

pass in quick on lo0 all
pass out quick on lo0 all

pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 192.168.1.30 group 100

block in on rl0 all head 200

block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.30 to any group 200

pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = ftp keep state group 200
pass in quick proto tcp from any to any port = 8080 keep state group 200
pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state
group 200

block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200


That last "group 200" is on the end of the previous line, it has just
been wrapped in my email client.

Thanks,
Randy
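The following is an added example, not code from the original post. It is a small checker that parses the ruleset above (with the wrapped rule rejoined on one line) and reports which `pass` rules carry no `keep state`. The reason this is worth checking is an IPFilter property, not something the post states: a stateless `pass out` lets the server's own requests leave, but the replies arrive `in` and are judged only by the inbound rules, so any reply that the inbound group rejects stalls the service that was waiting for it. The rule and port sets it reports are exactly those in the post; the checker names, the `RULESET` string layout and the hint text are this example's own.

```python
"""
Stateless-rule checker for a small IPFilter (ipf.conf style) ruleset.
Added example: flags 'pass' rules without 'keep state' and lists the
inbound TCP ports the ruleset admits.  Helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Ruleset from the post, one rule per line (the wrapped 'port = 81' rule rejoined).
RULESET = """\
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 192.168.1.30 group 100
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.30 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = ftp keep state group 200
pass in quick proto tcp from any to any port = 8080 keep state group 200
pass in quick proto tcp from 192.168.1.40 to any port = 81 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""


@dataclass
class Rule:
    text: str
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    interface: Optional[str] # value after "on", if any
    proto: str               # "tcp", "udp", or "any" when the rule names none
    quick: bool
    keep_state: bool
    head: Optional[str]      # group this rule opens ("head N")
    group: Optional[str]     # group this rule belongs to ("group N")
    port: Optional[str]      # destination port from "port = X", if any


def parse_rule(line: str) -> Rule:
    """Parse one ipf rule line into its keyword fields."""
    tokens = line.split()
    action = tokens[0]
    # The direction keyword follows the action and any return-rst / return-icmp modifier.
    direction = next(t for t in tokens[1:] if t in ("in", "out"))

    def after(keyword: str) -> Optional[str]:
        return tokens[tokens.index(keyword) + 1] if keyword in tokens else None

    port_match = re.search(r"\bport\s*=\s*(\S+)", line)
    return Rule(
        text=line, action=action, direction=direction,
        interface=after("on"),
        proto=after("proto") or "any",
        quick="quick" in tokens,
        keep_state="keep state" in line,
        head=after("head"), group=after("group"),
        port=port_match.group(1) if port_match else None,
    )


def parse_ruleset(text: str) -> List[Rule]:
    """Parse every non-blank, non-comment line of an ipf ruleset."""
    return [parse_rule(ln.strip()) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def stateless_pass_rules(rules: List[Rule], ignore=("lo0",)) -> List[Rule]:
    """'pass' rules with no 'keep state'; loopback rules are skipped because
    both directions are passed there anyway."""
    return [r for r in rules
            if r.action == "pass" and not r.keep_state and r.interface not in ignore]


def allowed_inbound_ports(rules: List[Rule]) -> Set[str]:
    """Destination ports that some inbound 'pass' rule admits."""
    return {r.port for r in rules if r.action == "pass" and r.direction == "in" and r.port}


if __name__ == "__main__":
    parsed = parse_ruleset(RULESET)
    print(f"{len(parsed)} rules parsed; inbound ports passed: {sorted(allowed_inbound_ports(parsed))}")
    for r in stateless_pass_rules(parsed):
        print(f"stateless pass rule: {r.text!r}")
        print("  replies to traffic this rule lets out are matched against the 'in' rules,")
        print("  not against this rule; check whether the inbound group rejects them.")
```

Run as a script it prints the parsed rule count, the inbound ports the ruleset admits, and the single stateless non-loopback pass rule (`pass out on rl0 all head 100`). The checker deliberately does not rewrite rules, because adding `keep state` to a `head` rule interacts with the group rules beneath it and that is a change to make by hand with the ipf documentation open.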



More information about the freebsd-questions mailing list