norgaard at locolomo.org
Wed Apr 26 07:58:39 UTC 2006
Bradford Fisher wrote:
> Currently, I have FreeBSD 6.0 p7 running with the GENERIC kernel. In
> rc.conf, I have set the options: ipfilter_enable="YES",
> ipfilter_rules="/etc/ipf.rules", ipmon_enable="YES", ipmon_flags="-Ds" .
Looks ok, but you should be able to check that the rules are actually
> I then proceeded to configure /etc/ipf.rules as follows:
> # IP Filter Rules File
> # Block Garbage
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
> # System Loopback Interface
> pass in quick on lo0 all
> pass out quick on lo0 all
> # Outbound Traffic
> pass out on vr0 all head 100
> block out from 127.0.0.0/8 to any group 100
> block out from any to 127.0.0.0/8 group 100
> block out from any to my.ip.address/32 group 100
> # Inbound Traffic
> block in on vr0 from any to any head 200
> block in from 127.0.0.0/8 to any group 200
> block in from 192.168.254.50/32 to any group 200
> pass in quick proto tcp from any to any port = www keep state group 200
> pass in quick proto tcp from any to any port = pop3 keep state group 200
> pass in quick proto tcp from any to any port = smtp keep state group 200
> pass in quick proto tcp from any to any port = 22 keep state group 200
> (have also added flags S/SA with no luck)
> block return-rst in log proto tcp from any to any flags S/SA group 200
> block return-icmp(net-unr) in proto udp all group 200
Is this the _whole_ ruleset?
1st, when debugging: Add 'log' to all rules in particular block rules.
2nd, your rule for ssh should be:
pass in quick proto tcp from any to any port = ssh flags S/SA \
keep state group 200
3rd, the rules
block in from 127.0.0.0/8 to any group 200
block in from 192.168.254.50/32 to any group 200
Have no effect because there is no quick keyword: Packets will be
blocked either by the head rule, or the last two in that group or passed
by one of the pass rules.
4th, If you insert 'quick' in the head-rules, packets will be checked
against the rules in that group and any subgroups. Otherwise the packet
may go up the tree and be blocked by other rules.
> As I do not have a webserver installed and configured at the time nor a
> mailer daemon configured, I have not tested the www, pop3, or smtp rules
> yet, but I do use SSH frequently and have found that with the above
> ruleset enabled, I cannot get connected. The weird part is that when I
> open the SSH client, I get a prompt for my username, but after sending
> the username, my connection times out before receiving the second prompt
> for my password (this does not happen when I have IP Filter disabled).
> I believe that the line "block in on vr0 from any to any head 200" is
> the culprit responsible for my troubles, but can't figure out why it
> would be a problem since I have specifically stated a pass statement for
> the SSH.
You can also use snort to sniff on the interface while logging in, so
you can see which packets are sent/received.
> I also realize that IP Filter is probably becoming a deprecated
> technology new solutions are coming into play (I'm mainly using IP
> Filter as a means to get my feet wet as I follow along with Lucas).
> However, it anyone has any suggestions as to what packet filtering
> technology to deploy and configure, I'm more than willing to take a
Take a look at packet filter, for simple rule sets it is easy to
migrate, you just can't use groups but have to order your rules
carefully, and be sure to specify interface in all rules.
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
More information about the freebsd-questions