just try this:

----------
pass in quick on lo0 all
pass out quick on lo0 all
#pass out all. is it necessary?
pass out quick on xl0 all keep state
#pass NFS for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state
#pass SSH for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 22 keep state
#pass LDAP for trusted class
pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 389 keep state
#pass POP, SMTP and IMAP for all world
pass in quick on xl0 proto tcp from any to any port = 110 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
#pass ping ping
pass in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
-----------------

I think this should do what you want (can't try it, because I'm at work)...

regards
andy

On Wed, January 12, 2005 0:39, Omar Armas said:
> I have a FreeBSD 5.3 server and I want it to protect itself with IPF.
> It has the following services: SSH, SMTP, POP, IMAP, NFS and LDAP.
> I want SSH, NFS and LDAP to be available only to a C class (192.168.101.0/24),
> and the other mail-related protocols (and ICMP) to be available for everyone.
> I compiled the kernel with IPFILTER_DEFAULT_BLOCK and created ipf.rules with:
>
> ----------
> pass in quick on lo0 all
> pass out quick on lo0 all
> #pass out all. is it necessary?
> pass out quick on xl0 all keep state
> #pass NFS for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 111 keep state
> #pass SSH for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 22 keep state
> #pass LDAP for trusted class
> pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 389 keep state
> #pass POP, SMTP and IMAP for all world
> pass in quick on xl0 proto tcp from any to any port = 110 keep state
> pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
> pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
> #pass ping ping
> pass in quick on xl0 proto icmp from any to any
> pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
> -----------------
>
> xl0 being its only interface, but it's not working. What can be wrong?
>
>
> Omar
>
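As an added check that is not part of the thread, the Python lint below mirrors the clause order that the reply's rewrite restores (action, direction, quick, on, proto, from, to, port, flags, keep state): the original rules put the source network before `on xl0` and then gave a second `from any`, and the script flags exactly that. The sample rules are constructed from the ones quoted above; the simplified grammar is an assumption and only covers the keywords this ruleset uses.

```python
# Simplified ipf clause order: action dir [quick] [on iface] [proto p] from src to dst [port = n] [flags f] [keep state]
CLAUSE_ORDER = ["action", "dir", "quick", "on", "proto", "from", "to", "port", "flags", "keep"]

def check_rule(line):
    """Return the problems found in one ipf rule; an empty list means it is well-formed."""
    toks = line.split()
    seen, i = [], 0                       # clause names in the order they appear
    while i < len(toks):
        t = toks[i]
        if t in ("pass", "block"):
            clause, i = "action", i + 1
        elif t in ("in", "out"):
            clause, i = "dir", i + 1
        elif t == "quick":
            clause, i = "quick", i + 1
        elif t in ("on", "proto", "from", "to", "flags", "keep"):
            clause, i = t, i + 2          # keyword plus one argument ("keep state")
        elif t == "port":
            clause, i = "port", i + 3     # "port = N"
        elif t == "all":                  # shorthand for "from any to any"
            seen.append("from")
            clause, i = "to", i + 1
        else:
            return [f"unknown token {t!r}"]
        seen.append(clause)
    problems = ["rule ends in the middle of a clause"] if i > len(toks) else []
    for a, b in zip(seen, seen[1:]):      # every clause must come later in the grammar than the previous one
        if CLAUSE_ORDER.index(b) <= CLAUSE_ORDER.index(a):
            problems.append(f"{b!r} clause after {a!r}")
    for name in ("from", "to"):           # a rule has exactly one source and one destination
        if seen.count(name) > 1:
            problems.append(f"{name!r} given {seen.count(name)} times")
    return problems

def check_ruleset(text):
    """Map each malformed, non-comment line of an ipf.rules file to its problems."""
    rules = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {r: p for r in rules if (p := check_rule(r))}

# Constructed sample: the NFS rule as posted, two rules from the post that are fine, and the corrected NFS rule.
AS_POSTED = """\
pass in quick on lo0 all
pass in quick from 192.168.101.0/24 on xl0 proto tcp from any to any port = 111 keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
"""
CORRECTED = "pass in quick on xl0 proto tcp from 192.168.101.0/24 to any port = 111 keep state"
```

check_ruleset(AS_POSTED) flags only the NFS rule, reporting the `on` clause that follows `from` and the duplicated `from`, while check_rule(CORRECTED) returns an empty list.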
