I have a FreeBSD 5.3 server and I want it to protect itself with IPF. It has the following services: SSH, SMTP, POP, IMAP, NFS and LDAP. I want SSH, NFS and LDAP to be available only to one class C (192.168.101.0/24), and the other, mail-related protocols (and ICMP) to be available to everyone. I compiled the kernel with IPFILTER_DEFAULT_BLOCK and created ipf.rules with:

----------
pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. Is it necessary?
pass out quick on xl0 all keep state
#pass NFS for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 111 keep state
#pass SSH for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 22 keep state
#pass LDAP for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 389 keep state
#pass POP, SMTP and IMAP for the whole world
pass in quick on xl0 proto tcp from any to any port = 110 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
#pass ping
pass in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
-----------------

xl0 is its only interface, but it's not working. What can be wrong?

Omar
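
An added check, not part of the original post, that flags the keyword-order problem in the three "trusted class" rules above: ipf(8) expects "on IFACE" and "proto" before the single "from ... to ..." pair, so a rule that opens with "from 192.168.101.0/24 on xl0 ... from any to any" is not a valid rule. The sample ruleset embedded below is constructed; it places one rule from the post beside a reordered form of it.

```python
"""Minimal ipf(8) rule-order checker (constructed example, not part of the original post).

ipf rules read: action direction [log] [quick] [on IFACE] [proto P]
(all | from SRC to DST [port ...]) [flags ...] [keep state].
A 'from' clause placed before 'on' or 'proto' is not accepted by ipf.
"""

ACTIONS = {"pass", "block", "log", "count"}

def check_rule(rule):
    """Return a list of problems for one rule line; [] means the keyword order is acceptable."""
    toks = rule.split()
    if not toks or toks[0].startswith("#"):
        return []                      # blank line or comment
    problems = []
    if toks[0] not in ACTIONS:
        problems.append("unknown action %r" % toks[0])
    if len(toks) < 2 or toks[1] not in ("in", "out"):
        problems.append("direction must be 'in' or 'out'")
    if toks.count("from") > 1:
        problems.append("duplicate 'from' clause")
    # first position of each positional keyword that is present
    pos = {k: toks.index(k) for k in ("on", "proto", "from", "to") if k in toks}
    if "from" in pos and "on" in pos and pos["from"] < pos["on"]:
        problems.append("'from' before 'on': the interface clause must come first")
    if "from" in pos and "proto" in pos and pos["from"] < pos["proto"]:
        problems.append("'from' before 'proto': the protocol clause must come first")
    if "from" in pos and "to" not in pos:
        problems.append("'from' without a matching 'to'")
    if "from" not in pos and "all" not in toks:
        problems.append("rule needs either 'all' or a from/to pair")
    return problems

def check_ruleset(text):
    """Map 1-based line numbers to their problem lists, for lines that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = check_rule(line)
        if found:
            report[n] = found
    return report

# Constructed sample: one rule from the post as written (line 2) beside a reordered form (line 3).
SAMPLE = """\
pass in quick on lo0 all
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 22 keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 22 flags S keep state
pass in quick on xl0 proto icmp from any to any
"""

if __name__ == "__main__":
    for n, found in sorted(check_ruleset(SAMPLE).items()):
        print("line %d: %s" % (n, "; ".join(found)))
```

Only line 2 of the sample is reported; the checker does not load anything into the kernel, so it can be run on a copy of ipf.rules before ipf itself is asked to parse the file.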
