IPF firewalling
Alvaro J. Gurdián
AJGurdian at lanoticia.com
Mon Jan 17 12:42:26 PST 2005
Correction, I meant:
pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags
I did it in kind of a hurry.
On Jan 17, 2005, at 3:33 PM, Alvaro J. Gurdián wrote:
> If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK,
> then you need to explicitly allow each service to leave the interface,
> as well as come in through the interface. For example add:
> pass in quick proto tcp from any to any port = 53 keep state keep keep state frags
> pass in quick proto udp from any to any port = 53 keep state keep frags
>
> This allows the computer to attempt to contact the DNS server
> upstream from it.
>
> Hope this helps,
> Alvaro Gurdián Jr.
>
>
> On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:
>
>> Hi,
>>
>> I have some trouble with the ipf configuration. I made the following
>> ruleset:
>>
>> pass in quick on rl0 proto udp from any to any port = 68 keep state
>> pass in quick proto udp from any to any port = 53 keep state keep frags
>> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
>> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
>> pass in quick on rl0 proto tcp from any to any port = 25 keep state
>> pass in quick on rl0 proto tcp from any to any port = 21 keep state
>> pass in quick on rl0 proto tcp from any to any port = 20 keep state
>> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>>
>>
>> block return-rst in log quick on rl0 proto tcp from any to any
>> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
>> block in quick on rl0 all
>>
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>>
>>
>> Everything seems okay except named. Neither the ISP's nameserver (set by
>> the dhcp) nor the local nameserver works. BIND 9 wrote this to
>> /var/log/messages:
>>
>> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
>> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>>
>>
>> The rndc doesn't matter, I'm not going to use it, but neither can named
>> listen on the network and the loopback interface. Could you suggest any
>> solution for this trouble? Btw, this machine is going to be a web, dns,
>> mail, etc. server and is being tested on an ordinary cable connection,
>> that's why I'm using dhcp.
>>
>> Best regards,
>>
>> Gábor Kövesdán
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
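The point of the thread (with IPFILTER_DEFAULT_BLOCK the outbound side of a service has to be allowed explicitly, and `keep state` on the outbound rule is what lets the reply back in) can be checked without a FreeBSD box. The script below is an added example written for this archive page, not code from the thread or from IPFilter: it is a small simulator of ipf rule matching that understands only the rule syntax appearing above (pass/block, in/out, quick, on, proto, port =, keep state/keep frags, the return-rst and return-icmp-as-dest options, all) and models ipf semantics in a simplified way (state table consulted before the rule list, `quick` rules end evaluation, otherwise the last match wins, default policy taken from the kernel option). The IP addresses are constructed documentation addresses, and the rulesets are the ones posted above, re-joined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    quick: bool               # stop evaluating on match; otherwise the last match wins
    iface: Optional[str]      # None: any interface
    proto: Optional[str]      # "tcp", "udp", "tcp/udp", or None for "all"
    dport: Optional[int]      # destination port; None: any port
    keep_state: bool          # create a state entry so the reply traffic passes


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Only the subset of ipf.conf syntax used in this thread is recognised; anything
# else raises so that a typo is not silently treated as "no rule".
RULE_RE = re.compile(
    r"^(pass|block)(?:\s+\S+)?\s+(in|out)(?:\s+log)?(?:\s+(quick))?"
    r"(?:\s+on\s+(\S+))?"
    r"(?:\s+all|\s+proto\s+(\S+)\s+from\s+any\s+to\s+any(?:\s+port\s*=\s*(\d+))?)"
    r"(?:\s+flags\s+\S+)?(?:\s+(keep state))?(?:\s+(?:keep\s+)?frags)?\s*$"
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, direction, quick, iface, proto, dport, keep = m.groups()
    return Rule(action, direction, quick is not None, iface, proto,
                int(dport) if dport else None, keep is not None)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and pkt.proto not in rule.proto.split("/"):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


class Firewall:
    """Simplified ipf: state lookup first, then first 'quick' match or last match."""

    def __init__(self, ruleset: str, default_block: bool):
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.default = "block" if default_block else "pass"   # IPFILTER_DEFAULT_BLOCK
        self.state = set()   # 5-tuples of sessions that passed a 'keep state' rule

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "pass"            # a kept session passes in both directions
        verdict, winner = self.default, None
        for rule in self.rules:
            if rule_matches(rule, pkt):
                verdict, winner = rule.action, rule
                if rule.quick:
                    break
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.state.add(fwd)
        return verdict


# Ruleset as posted in the thread (wrapped lines re-joined).
ORIGINAL_RULESET = """
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 21 keep state
pass in quick on rl0 proto tcp from any to any port = 20 keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in quick on rl0 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# The corrected outbound rules from the reply at the top of the page.
CORRECTION = """
pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags
"""


def dns_lookup_verdicts(ruleset: str, default_block: bool = True) -> Tuple[str, str]:
    """Verdicts for a resolver query leaving rl0 and the upstream server's reply.
    Addresses are constructed documentation addresses (RFC 5737)."""
    fw = Firewall(ruleset, default_block)
    query = Packet("out", "rl0", "udp", "192.0.2.10", 40000, "198.51.100.53", 53)
    reply = Packet("in", "rl0", "udp", "198.51.100.53", 53, "192.0.2.10", 40000)
    return fw.filter(query), fw.filter(reply)


if __name__ == "__main__":
    print("posted ruleset, default block:", dns_lookup_verdicts(ORIGINAL_RULESET, True))
    print("posted ruleset, default pass: ", dns_lookup_verdicts(ORIGINAL_RULESET, False))
    print("with pass out rules:          ", dns_lookup_verdicts(ORIGINAL_RULESET + CORRECTION, True))
```

Run as-is, the first line shows the posted ruleset blocking the query itself under IPFILTER_DEFAULT_BLOCK (no `pass out` rule matches, so the default applies). The second line shows that even without the kernel option the reply is dropped by the `block ... proto udp` rule, because the `keep state` clauses sit on `pass in` rules and never see the outbound query. The third line shows the corrected `pass out ... keep state` rule letting the query out and its reply back in through the state table. The `pass in ... port = 53` rules still do their job for queries arriving from outside to the local nameserver.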