IPFILTER rule error
fbsd_user
fbsd_user at a1poweruser.com
Tue Feb 14 07:36:41 PST 2006
First of all you really need to read the ipfilter section of the
FreeBSD handbook.
The correct solution is shown as an example in the handbook.
You do not need to compile ipfilter into the kernel for it to work.
From your rules I see no need for that head/group stuff, so remove
it.
I see rl0 being assigned a private IP address, which means that NIC
is facing your LAN, which is behind your gateway box. That IP address
range is not routable on the public internet. You have something
messed up big time.
Your firewall rules are supposed to be on the NIC facing the public
internet.
You NAT the public IP address to your private LAN IP address.
The reason you have no log records is because your firewall rules
have a syntax error and are never loaded. Only rules with the log keyword
will generate log records.
Only use rules with the quick option. Do not mix quick and non-quick
rules.
You need pass in rules for your ISP's DNS and DHCP servers to access
your box.
Explain in detail your network layout.
Do you have a LAN?
How are you connected to the public internet?
Again I strongly recommend you read the ipfilter section of the
handbook; your answers are there.
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Maxim Vetrov
Sent: Tuesday, February 14, 2006 7:57 PM
To: freebsd-questions at FreeBSD.org
Subject: Re: IPFILTER rule error
Hi,
Sorry, I really do not want you to guess! Here is what you asked:
kernel conf:
-------------------------------------------------------
...
options IPFILTER
options IPFILTER_LOG
#options IPFILTER_DEFAULT_BLOCK
#options IPSTEALTH
...
-------------------------------------------------------
rc.conf:
-------------------------------------------------------
...
ifconfig_rl0="inet 10.0.1.1 netmask 255.255.255.248"
...
ipnat_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
...
-------------------------------------------------------
services:
-------------------------------------------------------
...
sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
sunrpc 111/udp rpcbind #SUN Remote Procedure Call
...
-------------------------------------------------------
ipf.rules:
-------------------------------------------------------
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \
proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
proto udp from any to any port = 111 keep state group 20
--------------------------------------------------------
Steps to load the rules:
>ipf -Fa
>ipf -f /etc/ipf.rules
1:ioctl (add/insert rule): No such process
And there is one more problem - even though I have packet logging
enabled by default (-Ds) through syslogd, the log is empty!
syslog.conf:
--------------------------------------------------------
...
security.* /var/log/security
...
--------------------------------------------------------
That file exists and has root rw permissions.
If this helps: after I moved to 6.0 from 5.4
(backup-format-install-restore), this config stopped working. I know
that I'm doing something wrong, but what exactly?
Regards,
Muxas
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
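A small checker for the mistakes fbsd_user lists (head/group use, mixing quick and non-quick rules) run against the rules Maxim posted, added here as an illustration that is not part of either message. It is a simplified tokenizer rather than ipf's own grammar, and the corrected ruleset and the xl0 interface name are constructed assumptions following the reply's advice.

```python
# Lint a (simplified) ipf.rules file for the problems named in the reply:
# head/group use, mixed quick and non-quick rules, and a group reference
# to a head that does not exist. Added illustration, not ipf's own parser.

# Ruleset copied from the original post.
POSTED_RULES = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 \\
proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \\
proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \\
proto udp from any to any port = 111 keep state group 20
"""

# Constructed ruleset following the reply's advice: quick-only, no head/group,
# on the public-facing NIC (xl0 is a placeholder name), stateful outbound
# traffic plus a pass in for DHCP replies, everything else blocked and logged.
CORRECTED_RULES = """\
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass in quick on xl0 proto udp from any port = 67 to any port = 68 keep state
block in log quick on xl0 all
block out log quick on xl0 all
"""

def parse_rule(line):
    """Return the fields this lint needs, or None for blank/comment lines."""
    tok = line.split("#", 1)[0].split()
    if len(tok) < 2:
        return None
    rule = {"quick": "quick" in tok, "head": None, "group": None}
    for key in ("head", "group"):
        if key in tok and tok.index(key) + 1 < len(tok):
            rule[key] = tok[tok.index(key) + 1]
    return rule

def lint_ipf_rules(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    rules = [r for r in map(parse_rule, joined.splitlines()) if r]
    findings = []
    heads = {r["head"] for r in rules if r["head"]}
    for n, r in enumerate(rules, 1):
        if r["group"] and r["group"] not in heads:
            findings.append(f"rule {n}: group {r['group']} has no matching head")
    if heads or any(r["group"] for r in rules):
        findings.append("head/group used; not needed for a simple gateway ruleset")
    if len({r["quick"] for r in rules}) > 1:
        findings.append("mixed quick and non-quick rules")
    return findings
```

Running `lint_ipf_rules(POSTED_RULES)` reports both the head/group use and the quick mix that the reply objects to, while the constructed ruleset comes back clean.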