IPF firewalling

Kövesdán Gábor gabor.kovesdan at freemail.hu
Mon Jan 17 13:36:52 PST 2005


>Now reading this - maybe you left out the default action at the top of 
>the ruleset? - I only see pass rules and unless you compiled your kernel 
>with default block, then default is pass, leaving your host with no 
>effective firewall at all.
>Should suffice just to flush the rules, unless you compile your kernel 
>with default block. Whatever default is, it is always a good idea for 
>clarity to include a catch all rule.
>Also, make sure to add "log" and start ipmon, when something falls 
>through or is blocked for other reasons, you have a log entry stating 
>which rule blocked so you can debug your ruleset. - I see I left it out 
>in the default rules I suggested, these rules should go at top of the file:
>block out log all
>block in  log all
>Whatever falls through your ruleset will be logged so you can analyse it.
>When you flush your rulesets, the state table is not flushed, so you 
>shouldn't lose your connection. Also, I recommend you read rules 
>into the inactive ruletable first. Then swap. This way you make sure 
>your rules do not contain typos and you don't leave your firewall/host 
># ipf -IFa && ipf -I -f <rulefile> && ipf -s && sleep 60 && ipf -s
>lets you test the new ruleset for 60 seconds, should you lose connection. 
>If things work then
># ipf -Ifa && ipf -I -f <rulefile> && ipf -s && ipf -IFa

I've resolved the problem with individual pass out rules for tcp, udp and
icmp protocols. I don't know why "pass out all" was not okay, but it wasn't.
Thus my ruleset starts with these lines:

pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags

Anyway, thanks for your ideas, which were very useful for me. I'm now using
the catch-all rules as you suggested. You also mentioned there can be some
problems with the ftp server. Could you tell me please what you meant? Ftp
hasn't been running yet, so I can't test it, but there will also be an ftp


Gábor Kövesdán
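As an added example (not code from this thread or from ipf itself), the following Python script lints an ipf.rules file for the points raised above: logged catch-all block rules placed before the pass rules, and keep state on every pass out rule so that replies are admitted from the state table instead of being tested against the inbound rules. The rule tokeniser and the sample ruleset are constructed for this example.

```python
import re
# Tokeniser for the checks below; a constructed helper, not ipf's own parser.
RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)$")

def parse_rules(text):
    """Active rule lines of an ipf.rules file as dicts, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / blank lines
        m = RULE_RE.match(line) if line else None
        if m:
            rest = m.group("rest")
            has = lambda kw: bool(re.search(r"\b" + kw + r"\b", rest))
            rules.append({"action": m.group("action"), "dir": m.group("dir"),
                          "text": line, "quick": has("quick"), "log": has("log"),
                          "all": has("all"), "keep_state": has("keep state")})
    return rules

def lint_ruleset(text):
    """Findings for the problems discussed in the thread; empty list means clean."""
    rules, findings = parse_rules(text), []
    for d in ("in", "out"):
        same_dir = [r for r in rules if r["dir"] == d]
        catch = [r for r in same_dir if r["action"] == "block" and r["all"]]
        if not catch:
            findings.append(f"no catch-all 'block {d} ... all': the compiled-in default decides")
            continue
        if not catch[0]["log"]:
            findings.append(f"catch-all 'block {d}' lacks 'log': drops leave no ipmon entry")
        # ipf is last-match-wins unless 'quick': a catch-all placed after the pass
        # rules would be the final match and block everything in that direction.
        first_pass = next((i for i, r in enumerate(same_dir) if r["action"] == "pass"), None)
        if first_pass is not None and same_dir.index(catch[0]) > first_pass:
            findings.append(f"catch-all 'block {d}' comes after pass rules")
    # With inbound blocked by default, replies to outbound traffic are admitted only
    # through the state table, so every 'pass out' rule needs 'keep state'.
    if any(r["action"] == "block" and r["dir"] == "in" and r["all"] for r in rules):
        for r in rules:
            if r["action"] == "pass" and r["dir"] == "out" and not r["keep_state"]:
                findings.append(f"'pass out' without 'keep state': {r['text']}")
    return findings

# Constructed sample: the quoted catch-alls followed by the pass out rules above.
FIXED_RULES = """\
block out log all
block in  log all
pass out quick on re0 proto tcp from any to any keep state keep frags
pass out quick on re0 proto udp from any to any keep state keep frags
pass out quick on re0 proto icmp from any to any keep state keep frags
"""
```

Running lint_ruleset on a ruleset consisting only of the three pass out rules reports the missing catch-alls in both directions, which is the situation the quoted reply describes.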

More information about the freebsd-questions mailing list