just try this:
----------
pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. is it necessary?
pass out quick on xl0 all keep state
#pass NFS for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state
#pass SSH for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 22 keep state
#pass LDAP for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 389 keep state
#pass POP, SMTP and IMAP for all world
pass in quick on xl0 proto tcp from any to any port = 110 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
#pass ping ping
pass in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
-----------------
I think this should do what you want (can't try it, because I'm at work)...

regards
andy


On Wed, January 12, 2005 0:39, Omar Armas said:
> I have a FreeBSD 5.3 server and I want it to protect itself with IPF.
> It has the following services: SSH, SMTP, POP, IMAP, NFS and LDAP.
> I want that SSH, NFS and LDAP be available for only a C
> class(192.168.101.0/24), and that the other mail related protocols(and
> ICMP)
> be available for everyone.
> I compiled kernel with IPFILTER_DEFAULT_BLOCK and created ipf.rules with:
>
> ----------
> pass in quick on lo0 all
> pass out quick on lo0 all
> #pass out all. is it necessary?
> pass out quick on xl0 all keep state
> #pass NFS for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 111 keep state
> #pass SSH for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 22 keep state
> #pass LDAP for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 389 keep state
> #pass POP, SMTP and IMAP for all world
> pass in quick on xl0 proto tcp from any to any port = 110 keep state
> pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
> pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
> #pass ping ping
> pass in quick on xl0 proto icmp from any to any
> pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
> -----------------
>
> Being xl0 it's only interface, but it's not working. What can be wrong?
>
>
> Omar
>
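An added example, not code from either Andy's reply or Omar's original post: a small Python simulator of IPF's rule-matching semantics (last match wins unless a rule says `quick`, and under `IPFILTER_DEFAULT_BLOCK` an unmatched packet is dropped). It parses the corrected ruleset from the reply, rejects lines in the original post's `pass in quick from ... on xl0 ... from any` form (which IPF's grammar does not accept, since the source belongs after `from` in the `from ... to ...` part), and reports the verdict for a handful of constructed packets. The packet addresses and the `Packet`/`Rule` types are assumptions for the example; `keep state` is not modelled, so each verdict is for the first packet of a connection only. Note that it also shows a gap the ruleset leaves: NFS uses UDP as well as TCP, and the NFS daemon itself listens on port 2049, so only the TCP portmapper query on 111 is passed and a UDP 2049 packet from the trusted subnet is blocked.

```python
"""Simulator for IPF first-match / quick semantics (added example, not from the thread)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Ruleset copied from Andy's reply, one rule per line (comments and blanks allowed).
RULES_TEXT = """
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on xl0 all keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 22 keep state
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 389 keep state
pass in quick on xl0 proto tcp from any to any port = 110 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
pass in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
"""

# Subset of the ipf.conf grammar used by the thread's rules. "flags" and
# "keep state" are accepted but not simulated (stateless first-packet check).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\w+)\s+"
    r"(?:(?P<all>all)|proto\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?\s*$"
)


class Rule(NamedTuple):
    action: str
    direction: str
    quick: bool
    iface: str
    proto: Optional[str]  # None means "all"
    src: str
    dst: str
    port: Optional[int]


class Packet(NamedTuple):  # constructed test input, not a real capture
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError for syntax IPF would reject."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    return Rule(
        action=m.group("action"),
        direction=m.group("dir"),
        quick=m.group("quick") is not None,
        iface=m.group("iface"),
        proto=None if m.group("all") else m.group("proto"),
        src=m.group("src") or "any",
        dst=m.group("dst") or "any",
        port=int(m.group("port")) if m.group("port") else None,
    )


def is_valid_rule(line: str) -> bool:
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def parse_rules(text: str) -> List[Rule]:
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]


def in_net(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is None:  # "all"
        return True
    return (rule.proto == pkt.proto and in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst)
            and (rule.port is None or rule.port == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """IPF semantics: last matching rule wins, except a matching 'quick' rule ends the search.
    With IPFILTER_DEFAULT_BLOCK an unmatched packet is blocked."""
    verdict = "block"
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation prefix, standing in for "the world".
    for p in (Packet("in", "xl0", "tcp", "192.168.101.5", "192.168.101.1", 22),
              Packet("in", "xl0", "tcp", "203.0.113.9", "192.168.101.1", 22),
              Packet("in", "xl0", "tcp", "203.0.113.9", "192.168.101.1", 25),
              Packet("in", "xl0", "udp", "192.168.101.5", "192.168.101.1", 2049)):
        print(p, "->", decide(RULES, p))
```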