IPF firewalling

Alvaro J. Gurdián AJGurdian at lanoticia.com
Mon Jan 17 12:33:50 PST 2005


If you compiled your kernel and added options IPFILTER_DEFAULT_BLOCK, 
then you need to explicitly allow each service to leave the interface, 
as well as come in through the interface.  For example add:
pass in quick proto tcp from any to any port = 53 keep state keep frags
pass in quick proto udp from any to any port = 53 keep state keep frags

This allows the computer to attempt to contact the DNS server 
upstream from it.

Hope this helps,
Alvaro Gurdián Jr.


On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:

> Hi,
>
> I have some trouble with the ipf configuration. I made the following
> ruleset:
>
> pass in quick on rl0 proto udp from any to any port = 68 keep state
> pass in quick proto udp from any to any port = 53 keep state keep frags
> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 25 keep state
> pass in quick on rl0 proto tcp from any to any port = 21 keep state
> pass in quick on rl0 proto tcp from any to any port = 20 keep state
> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>
>
> block return-rst in log quick on rl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> block in quick on rl0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
>
>
> Everything seems okay, except named. Neither the ISP's nameserver (set by
> the dhcp) nor the local nameserver works. BIND 9 wrote this to
> /var/log/messages:
>
> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>
>
> The rndc doesn't matter, I'm not going to use it, but named can listen
> on neither the network nor the loopback interface. Could you suggest
> any solution for this trouble? Btw, this machine is going to be a web, dns,
> mail, etc. server and is being tested on an ordinary cable connection,
> that's why I'm using dhcp.
>
> Best regards,
>
> Gábor Kövesdán
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>
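As an added example (not part of either message above, and not the original poster's file), here is a complete ipf ruleset for the server described in the thread (DNS, web, mail, ssh and ftp on a DHCP-assigned address) built with options IPFILTER_DEFAULT_BLOCK. The quoted ruleset has only "pass in" rules on rl0, and the rules in the reply are "pass in" as well; with the default-block kernel option, packets the host itself originates are dropped unless a "pass out" rule matches them, so the host's own queries to an upstream resolver need an outbound rule, and "keep state" on that rule is what lets the replies back in. The interface name rl0 is taken from the quoted ruleset (the quoted named log mentions re0; adjust to whichever interface actually carries the address), and the service list is an assumption for illustration.

```conf
# Added example ipf.conf for a FreeBSD host built with
# options IPFILTER_DEFAULT_BLOCK. Interface rl0 and the set of
# services are assumptions taken from the thread, not a real config.

# Loopback: allow everything, as in the quoted ruleset.
pass in  quick on lo0 all
pass out quick on lo0 all

# DHCP client: we send from port 68 to the server's port 67 (broadcast,
# so no state entry); the lease reply arrives from 67 to 68.
pass out quick on rl0 proto udp from any port = 68 to any port = 67
pass in  quick on rl0 proto udp from any port = 67 to any port = 68

# Connections the host originates. Under default-block each of these
# needs its own "pass out" rule; a "pass in ... port = 53" rule does
# not let the host query an upstream resolver. "keep state" admits the
# replies without a separate "pass in" rule, and "keep frags" lets
# fragmented DNS answers through.
pass out quick on rl0 proto udp  from any to any port = 53 keep state keep frags
pass out quick on rl0 proto tcp  from any to any port = 53 flags S keep state keep frags
pass out quick on rl0 proto tcp  from any to any port = 25 flags S keep state
pass out quick on rl0 proto icmp from any to any icmp-type echo keep state
# Active-mode FTP data connections originate from the server's port 20.
pass out quick on rl0 proto tcp  from any port = 20 to any flags S keep state

# Services offered to the network. "flags S" means only a fresh SYN can
# create a TCP state entry; "keep state" opens the return path out.
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Everything else: reject TCP with an RST and UDP with port-unreachable,
# logging both, then drop and log whatever remains in either direction
# so the kernel default never has to decide.
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in  log quick on rl0 all
block out log quick on rl0 all
```

Check the syntax without loading it with `ipf -n -f /etc/ipf.rules`, load it with `ipf -Fa -f /etc/ipf.rules`, list what is active with `ipfstat -io`, and watch the logged blocks with `ipmon`. One caveat on scope: these rules only decide which packets reach or leave the wire. The "address in use" and "permission denied" lines in the quoted named log come from the bind(2) call when named opens its sockets, which a packet filter does not affect, so before changing rules it is worth checking with `sockstat -l` whether another process (for example a second named instance) already holds port 53.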



More information about the freebsd-questions mailing list