michael schuster wrote:
> jack wrote:
>> michael schuster wrote:
>>> jack wrote:
>>>> DHCP can't get an IP until I disable ipfilter.
>>>> I have these two rules in my ipf.conf to let DHCP work.
>>>> pass out quick on nge0 proto udp from any to any port=67 keep state
>>>> pass in quick on nge0 proto udp from any to any port=68 keep state
>>>>
>>>> I get an IP within a few seconds if I disable the firewall.
>>>
>>> do you have any other rules in your ipf.conf?
>>>
>>> Michael
>>
>>
>> block in quick on nge0 proto tcp/udp from any to any port = 111
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>> pass out quick on nge0 proto tcp from any to 206.253.33.130 port=53 flags S keep state
>> pass out quick on nge0 proto udp from any to 206.253.33.130 port=53 keep state
>> pass out quick on nge0 proto tcp from any to 206.253.33.131 port=53 flags S keep state
>> pass out quick on nge0 proto udp from any to 206.253.33.131 port=53 keep state
>>
>> pass out quick on nge0 proto udp from any to any port=67 keep state
>> pass in quick on nge0 proto udp from any to any port=68 keep state
>> pass out quick on nge0 proto tcp from any to any port=80 flags S keep state
>> pass out quick on nge0 proto tcp from any to any port=443 flags S keep state
>> pass out quick on nge0 proto tcp from any to any port=110 flags S keep state
>> pass out quick on nge0 proto tcp from any to any port=25 flags S keep state
>> pass out quick on nge0 proto tcp from any to any port=21 flags S keep state
>> pass out quick on nge0 proto tcp from any to any port=22 flags S keep state
>>
>> block out quick on nge0 all
>
> one observation: from my limited understanding of ipfilter, you could
> save yourself all the effort below and just say "block in on nge0 all"

That makes a lot more sense than all this crud I have.

>>
>> block in quick on nge0 from 192.168.0.0/16 to any    #RFC 1918 private IP
>> block in quick on nge0 from 172.16.0.0/12 to any     #RFC 1918 private IP
>> block in quick on nge0 from 10.0.0.0/8 to any        #RFC 1918 private IP
>> block in quick on nge0 from 127.0.0.0/8 to any       #loopback
>> block in quick on nge0 from 0.0.0.0/8 to any         #loopback
>> block in quick on nge0 from 169.254.0.0/16 to any    #DHCP auto-config
>> block in quick on nge0 from 192.0.2.0/24 to any      #reserved for docs
>> block in quick on nge0 from 204.152.64.0/23 to any   #Sun cluster interconnect
>> block in quick on nge0 from 224.0.0.0/3 to any       #Class D & E multicast
>>
>> block in quick on nge0 all with frags
>> block in quick on nge0 proto tcp all with short
>>
>> block in quick on nge0 all with opt lsrr
>> block in quick on nge0 all with opt ssrr
>>
>> block in quick on nge0 proto tcp from any to any flags FUP
>>
>> block in quick on nge0 all with ipopts
>>
>> block in quick on nge0 proto icmp all icmp-type 8
>>
>> block in quick on nge0 proto tcp from any to any port=113
>>
>> block in quick on nge0 proto tcp/udp from any to any port = 137
>> block in quick on nge0 proto tcp/udp from any to any port = 138
>> block in quick on nge0 proto tcp/udp from any to any port = 139
>> block in quick on nge0 proto tcp/udp from any to any port = 81
>>
>>
>> block in quick on nge0 all
>>
>> thanks for helping.
>
> HTH

networking-discuss mailing list
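Michael's observation, that the long list of inbound block rules reduces to a single "block in on nge0 all" because every pass rule above it is already "quick", can be checked with a small first-match evaluator. This is an added example written for this thread, not code from the posters or from IPFilter; the rule subset, the constructed sample packets and the assumption that no state entry matched the packet are mine.

```python
import ipaddress  # added example: a small model of IPFilter rule matching, not the thread's code
def parse_rule(line):
    """Parse 'pass|block in|out [quick] on IF [proto P] [from SRC to DST] [port=N]'.
    'keep state', 'flags' and 'with' qualifiers are ignored: the packet matched no state."""
    toks = line.split('#')[0].replace('port = ', 'port=').split()
    rule = {'action': toks[0], 'dir': toks[1], 'quick': 'quick' in toks,
            'iface': toks[toks.index('on') + 1], 'proto': None, 'src': 'any', 'dst': 'any'}
    if 'proto' in toks:  # 'tcp/udp' means either protocol
        rule['proto'] = toks[toks.index('proto') + 1].split('/')
    if 'from' in toks:
        rule['src'], rule['dst'] = toks[toks.index('from') + 1], toks[toks.index('to') + 1]
    rule['port'] = next((int(t[5:]) for t in toks if t.startswith('port=')), None)
    return rule
def in_net(addr, spec):
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(rule, pkt):
    return (rule['dir'] == pkt['dir'] and rule['iface'] == pkt['iface']
            and (rule['proto'] is None or pkt['proto'] in rule['proto'])
            and (rule['port'] is None or rule['port'] == pkt['dport'])
            and in_net(pkt['src'], rule['src']) and in_net(pkt['dst'], rule['dst']))

def verdict(rules, pkt):
    """IPFilter semantics: a matching 'quick' rule ends evaluation, otherwise the last
    matching rule wins, and a packet that matches nothing passes (IPFilter's default)."""
    result = 'pass'
    for r in rules:
        if matches(r, pkt):
            result = r['action']
            if r['quick']:
                break
    return result

# Some of the quoted inbound nge0 rules, in file order (the DHCP pass rule precedes the blocks).
LONG = [parse_rule(l) for l in """block in quick on nge0 proto tcp/udp from any to any port = 111
pass in quick on nge0 proto udp from any to any port=68 keep state
block in quick on nge0 from 192.168.0.0/16 to any
block in quick on nge0 proto icmp all icmp-type 8
block in quick on nge0 proto tcp/udp from any to any port = 139
block in quick on nge0 all""".splitlines()]
# Michael's proposal: the same pass rule, then one non-quick catch-all instead of the block list.
SHORT = [parse_rule(l) for l in ("pass in quick on nge0 proto udp from any to any port=68 keep state",
                                 "block in on nge0 all")]

def compare(pkt):
    return verdict(LONG, pkt), verdict(SHORT, pkt)  # (long-set verdict, short-set verdict)

# Constructed packets: a DHCPOFFER broadcast, an unsolicited SMB connect and an ICMP echo request.
OFFER = dict(dir='in', iface='nge0', proto='udp', src='192.168.0.1', dst='255.255.255.255', dport=68)
SMB = dict(dir='in', iface='nge0', proto='tcp', src='203.0.113.9', dst='192.168.0.5', dport=139)
PING = dict(dir='in', iface='nge0', proto='icmp', src='203.0.113.9', dst='192.168.0.5', dport=None)
```

Both rule sets give the same verdict for every packet that reaches the block list, which is why the intermediate blocks add nothing; what the model cannot show is the "keep state" behaviour, so a DHCPOFFER that is rejected on the real box is a question of state or rule order, not of the block list.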
