--On 5 March 2006 10:57 +0100 Michal Mertl <[EMAIL PROTECTED]> wrote:

> Sasa Stupar wrote on Sunday, 05. 03. 2006 at 10:04 +0100:
>> Hi!
>> I am new to ipfilter. I have a server (FreeBSD 5.5) in DMZ and I have
>> configured ipfilter (3.4.35) on this server for firewall. Incoming
>> access
>
> I think that you might benefit from the upgrade of the server to 6.1 (as
> 5.5 has not been released yet). It is better performing, has quite a
> few new features and you would also get much newer ipfilter.
>
>> is filtered as it is supposed to, but outgoing access from the server is
>> completely blocked; I can't use fetchmail, nor connect to remote smtp
>> server, etc. Here are my rules:
>> --------------
>> # ping
>> pass in quick proto icmp from 192.168.10.0/24 to <thishost> icmp-type echo
>> # ftp
>> pass in quick proto tcp from any to <thishost> port = 21 flags S keep state
>> # ssh
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 22 flags S keep state
>> # smtp
>> pass in quick proto tcp from any to <thishost> port = 25 flags S keep state
>> # http
>> pass in quick proto tcp from any to <thishost> port = 80 flags S keep state
>> # pop3
>> pass in quick proto tcp from any to <thishost> port = 110 flags S keep state
>> # ident (auth): answer with RST instead of silently dropping
>> block return-rst in quick proto tcp from any to any port = 113
>> # ntp
>> pass in quick proto udp from 192.168.10.0/24 to <thishost> port = 123
>> # samba (netbios-ns / netbios-dgm)
>> pass in quick proto udp from 192.168.10.0/24 to <thishost> port 137 <> 138
>> # samba (netbios-ssn)
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 139 flags S keep state
>> # imap
>> pass in quick proto tcp from any to <thishost> port = 143 flags S keep state
>> # https
>> pass in quick proto tcp from any to <thishost> port = 443 flags S keep state
>> # samba (microsoft-ds)
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 445 flags S keep state
>> # smtps
>> pass in quick proto tcp from any to <thishost> port = 465 flags S keep state
>> # submission (msa)
>> pass in quick proto tcp from any to <thishost> port = 587 flags S keep state
>> # imaps
>> pass in quick proto tcp from any to <thishost> port = 993 flags S keep state
>> # pop3s
>> pass in quick proto tcp from any to <thishost> port = 995 flags S keep state
>> # webmin
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 10000 flags S keep state
>> # outgoing
>> pass out quick from <thishost> to any
>
> You probably want keep state on this rule too. This way the returning
> packets will automatically be allowed and not blocked by your last rule.
>
>> # lo
>> pass in quick on lo0 all
>> # Block everything else
>> block in quick on fxp0 from any to <thishost>
>> ---------------
>> What am I missing here?
>> Regards,
>
> HTH
> Michal
Thanx. That did the trick. Now it is working fine.
--
Sasa Stupar
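To make Michal's point concrete, here is a small model of ipfilter's evaluation order written for this thread; it is not code from the thread or from the ipfilter project. It simplifies ipfilter to the parts that matter here: rules are first-match (`quick`), a `pass ... keep state` rule records the flow, and the state table is consulted before the rule list on later packets. The host, remote and port values are constructed, and real ipfilter state tracking additionally checks TCP flags and sequence windows, which the model ignores. The only difference between the two runs is whether the `pass out quick from <thishost> to any` rule carries `keep state`; without it the SYN-ACK coming back from the remote SMTP server reaches the final `block in quick on fxp0` rule, which is exactly the symptom in the first mail.

```python
"""Toy model of ipfilter first-match rules plus a state table (added example).

Illustrates why 'pass out quick from <thishost> to any' needs 'keep state':
the reply packets of an outbound connection arrive on the 'in' side, where
the only matching rule is the final 'block in quick'. With 'keep state' the
reply is matched against the state table before any rule is consulted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the firewalled host
    proto: str       # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    keep_state: bool = False     # ipfilter's 'keep state' keyword


class Firewall:
    """All rules are treated as 'quick': the first matching rule decides."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple] = set()   # flows recorded by 'keep state'

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Tuple:
        # The same flow seen from the other side (reply direction).
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> str:
        # ipfilter looks in the state table before walking the rule list.
        if self._key(p) in self.state or self._reverse(p) in self.state:
            return "pass:state"
        for r in self.rules:
            if r.direction != p.direction:
                continue
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.action == "pass" and r.keep_state:
                self.state.add(self._key(p))
            return f"{r.action}:rule"
        return "pass:default"   # ipfilter passes when no rule matches


# Constructed addresses (documentation ranges), not from the thread.
HOST = "192.0.2.10"
REMOTE_SMTP = "198.51.100.25"


def build_rules(keep_state_on_out: bool) -> List[Rule]:
    """The three rules from the thread that matter for an SMTP flow."""
    return [
        Rule("pass", "in", "tcp", 25, keep_state=True),     # smtp
        Rule("pass", "out", keep_state=keep_state_on_out),  # pass out quick ...
        Rule("block", "in"),                                # block in quick on fxp0
    ]


def outbound_smtp(keep_state_on_out: bool) -> Tuple[str, str]:
    """Host opens a connection to a remote SMTP server (fetchmail/relay case)."""
    fw = Firewall(build_rules(keep_state_on_out))
    syn = Packet("out", "tcp", HOST, 50000, REMOTE_SMTP, 25)
    syn_ack = Packet("in", "tcp", REMOTE_SMTP, 25, HOST, 50000)
    return fw.check(syn), fw.check(syn_ack)


def inbound_smtp(keep_state_on_out: bool) -> Tuple[str, str]:
    """A remote client connects to the host's own SMTP port (already worked)."""
    fw = Firewall(build_rules(keep_state_on_out))
    syn = Packet("in", "tcp", REMOTE_SMTP, 40000, HOST, 25)
    syn_ack = Packet("out", "tcp", HOST, 25, REMOTE_SMTP, 40000)
    return fw.check(syn), fw.check(syn_ack)


if __name__ == "__main__":
    print("outbound, no keep state :", outbound_smtp(False))
    print("outbound, keep state    :", outbound_smtp(True))
    print("inbound, either way     :", inbound_smtp(False))
```

The fixed rule in ipfilter syntax is the one Michal describes, `pass out quick from <thishost> to any keep state`; with it, the reply packets never reach the `block in quick on fxp0` rule at all, while inbound services keep working as before because their `pass in ... keep state` rules already record the flow.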