I've been using FreeBSD since 4.0 was new and I've used ipf ever since I had cause to plug a machine into a public IP address. Below is a snippet from a ruleset I've used for years that recently stopped working - first it wouldn't behave on a 5.3 box I set up so I could start playing with the 5.x stuff, and it recently stopped working on 4.x systems. I get the feeling some 'upgrades' are being backported into 4.x after being developed in 5.x, and I think it started around the time 4.10 came out, but I don't know the details.
I know the changes are in how 'keep state' is handled because I've been wrenching on the config for the last couple of days. I've found that appending a 'keep state' to any rule allowing TCP in seems to help, but I'm still not comfortable with the situation - yesterday I earned myself a drive across town to unlock a box after much testing of rules on the one here in the office.
I'd like a minimal config that would let me protect TCP-based services with a single line of configuration, and I expect to see one additional line to allow client programs on the box to access other stuff on the net. I have no complaints with UDP/ICMP, and DNS is working fine - my issues are purely with TCP at this point. Can anyone suggest a good starting point for such a ruleset?
######### my old methods ##########

cat /etc/ipf.rules

# Default policy
# (no "quick": ipf keeps evaluating, and the last matching rule wins,
# so these only apply when nothing below matches)
block in all
pass out all

# Keep lo0 intact
pass in quick on lo0 all
pass out quick on lo0 all

# allow everything from a given trusted remote
pass in quick from 192.168.1.0/24 to any

# Log tcp with S/SA or FUP and keep state
# S/SA: SYN set and ACK clear, i.e. a new inbound connection attempt
# FUP: FIN, URG and PSH all set, the classic "xmas" scan packet
block in log proto tcp from any to any flags S/SA
block in log quick proto tcp from any to any flags FUP

# this should allow any client program on the box to initiate connection
# ie fetch when building something from ports, etc
# (keep state: packets belonging to a connection started here are matched
# against the state table before the rule list is consulted at all)
pass out proto tcp from any to any keep state

########## new methods I don't find entirely trustworthy ##################

cat /etc/ipf.rules

# Default policy
block in all
pass out all

# Keep lo0 intact
pass in quick on lo0 all
pass out quick on lo0 all

# ssh, migrated per location access control to /etc/hosts.allow
# (flags S: only a bare SYN can match this rule and create the state entry)
pass in quick proto tcp from any to any port eq 22 flags S keep state

block in log proto tcp from any to any flags S/SA
block in log quick proto tcp from any to any flags FUP

# should allow client programs to get out, but doesn't :-(
pass out proto tcp from any to any keep state
-- "Now my sails are filling, with winds so willing, and I'm as good as gone again" - Saint of Circumstance
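A starting point of the kind the post asks for, written as an added example rather than anything taken from the post or from the ipf distribution. It keeps the post's trusted network (192.168.1.0/24) and uses ssh on tcp/22 as the stand-in for "a TCP-based service"; the interface name is deliberately left out. Every rule carries "quick" so the first match wins and the file reads top to bottom, and every rule that starts a TCP flow carries "flags S keep state", so only a bare SYN can create a state entry. Because ipf checks the state table before it walks the rule list, the SYN/ACK, ACKs, data and FINs of a connection never reach the rules at all, which is why no inbound rule for reply traffic appears anywhere below:

```conf
# Added example /etc/ipf.rules, not the poster's file.
# Assumptions: ssh on tcp/22 is the one exposed service and
# 192.168.1.0/24 is the trusted network named in the post.

# lo0 untouched
pass in  quick on lo0 all
pass out quick on lo0 all

# trusted network: everything in, no state needed
pass in quick from 192.168.1.0/24 to any

# --- the single line per protected TCP service ---
# Only a packet with just SYN set matches; it creates the state entry and
# the rest of the connection is matched by the state table, not by rules.
pass in quick proto tcp from any to any port = 22 flags S keep state

# --- the single line for client programs on the box ---
# An outbound SYN (fetch, cvsup, ssh out, ...) creates state; the remote
# side's SYN/ACK and everything after it comes back through that entry.
pass out quick proto tcp from any to any flags S keep state

# UDP and ICMP done the same way so the block rules below can be absolute.
# The post says these already work; stateful versions are the safe default.
pass out quick proto udp  from any to any keep state
pass out quick proto icmp from any to any keep state

# Everything else inbound is logged and dropped: unsolicited SYNs, stray
# SYN/ACK or RST for flows ipf holds no state for, and scan traffic.
block in log quick all

# Outbound fallback keeps the post's "pass out all" policy for anything
# not covered above (change to "block out log quick all" to tighten).
pass out quick all
```

Load it with "ipf -Fa -f /etc/ipf.rules" (flush, then read the file) and check the result with "ipfstat -nio" for the numbered rule list and "ipfstat -s" for the state table counters. Before loading a new ruleset over ssh, arm a revert first, e.g. "(sleep 300; ipf -Fa -f /etc/ipf.rules.last_good) &" with a copy of the known-good file, so a rule that locks you out undoes itself in five minutes instead of costing a drive across town; kill the background job once the new rules are confirmed.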
