Omar Armas wrote:

I have a FreeBSD 5.3 server and I want it to protect itself with IPF. It has the following services: SSH, SMTP, POP, IMAP, NFS and LDAP.
I want SSH, NFS and LDAP to be available only to one class C (192.168.101.0/24), and the other mail-related protocols (and ICMP) to be available to everyone.
I compiled kernel with IPFILTER_DEFAULT_BLOCK and created ipf.rules with:


----------
pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. is it necessary?
pass out quick on xl0 all keep state
#pass NFS for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 111 keep state
#pass SSH for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 22 keep state
#pass LDAP for trusted class
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 389 keep state
#pass POP, SMTP and IMAP for all world
pass in quick on xl0 proto tcp from any to any port = 110 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
#pass ping
pass in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
-----------------


xl0 is its only interface, but it's not working. What can be wrong?

Don't you get any error messages when loading the rules? The syntax of your rules for 111/tcp, 22/tcp and 389/tcp doesn't look correct to me. They should be:


pass in quick on xl0 proto tcp from 192.168.101.0/24 to any \
 port = <number> flags S keep state

or even replace "to any" with "to <server's IP address>"


-- 
Toomas Aas
arvutivõrgu peaspetsialist | head specialist on computer networks
Tartu Linnakantselei | Tartu City Office
+372 736 1274
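A complete ipf.rules built from Omar's file with the source-address fix above applied to every rule, as an added example (not posted by either participant). It assumes xl0 is the only interface and that the server's own address is 192.168.101.10, a placeholder to be replaced with the real one.

```ipf
# Corrected ipf.rules for the setup described in the thread (added example).
# Assumptions: xl0 is the only interface; the server's own address is
# 192.168.101.10 (placeholder, substitute the real address).
# The kernel has IPFILTER_DEFAULT_BLOCK, so anything not passed here is dropped.

pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: with a default-block kernel this rule is needed; keep state
# lets the replies to the server's own connections back in.
pass out quick on xl0 all keep state

# Trusted class C only. The source network belongs in the "from" clause
# after "proto tcp", not in front of "on xl0".
# 111/tcp is only rpcbind: NFS itself also uses 2049 (tcp and udp) and the
# rpcbind-assigned mountd/lockd/statd ports, which must be pinned and passed.
pass in quick on xl0 proto tcp from 192.168.101.0/24 to 192.168.101.10 port = 111 flags S keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to 192.168.101.10 port = 22 flags S keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to 192.168.101.10 port = 389 flags S keep state

# Mail services for everyone. "flags S" on every TCP rule so that only a
# SYN can create a state entry (the original 110 rule had no flags S).
pass in quick on xl0 proto tcp from any to 192.168.101.10 port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.101.10 port = 110 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.101.10 port = 143 flags S keep state

# ICMP for everyone (ping)
pass in quick on xl0 proto icmp from any to 192.168.101.10 keep state

# Port 80 was in the original file but HTTP is not in the service list;
# uncomment only if this host really serves web traffic.
# pass in quick on xl0 proto tcp from any to 192.168.101.10 port = 80 flags S keep state

# Log what the default block drops so a wrong rule shows up in ipmon output.
block in log quick on xl0 all
```

Check the file for syntax errors without touching the running filter with `ipf -n -f /etc/ipf.rules`, then load it with `ipf -Fa -f /etc/ipf.rules` and confirm with `ipfstat -io` that the rules in the kernel are the ones you expect.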