Re: problem with IPF rules - (problem solved but i'm still confused)

2005-09-19 Thread jonas
adding a 'keep state' to the 'pass in'-rules solved this problem.
but i still do not understand why it didn't work before, because
outgoing traffic was allowed with
pass out quick on ng0 from any to any keep state
i'd really prefer to know what's going on there :)

any ideas?

thx,
jonas
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: problem with IPF rules - (problem solved but i'm still confused)

2005-09-19 Thread Erik Nørgaard

jonas wrote:

> adding a 'keep state' to the 'pass in'-rules solved this problem.
> but i still do not understand why it didn't work before, because
> outgoing traffic was allowed with
> pass out quick on ng0 from any to any keep state
> i'd really prefer to know what's going on there :)
>
> any ideas?


It would help if you would post your ruleset and not the readout, it's
easier to read. Secondly, it is possible to compile ipf with default
block - post the default action also.


Cheers, Erik


--
Ph: +34.666334818   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: problem with IPF rules - (problem solved but i'm still confused)

2005-09-19 Thread jonas
On Mon, 19 Sep 2005 23:20:09 +0200
Erik Nørgaard [EMAIL PROTECTED] wrote:

> jonas wrote:
> > adding a 'keep state' to the 'pass in'-rules solved this problem.
> > but i still do not understand why it didn't work before, because
> > outgoing traffic was allowed with
> > pass out quick on ng0 from any to any keep state
> > i'd really prefer to know what's going on there :)
> >
> > any ideas?
>
> It would help if you would post your ruleset and not the readout,
> it's easier to read. Secondly, it is possible to compile ipf with
> default block - post the default action also.
>
> Cheers, Erik

/etc/ipf.rules:

### ng0
# allow anything out to the internet
pass out quick on ng0 from any to any keep state

# allow http, https, ssh
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state

# outgoing bittorrent data
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 5

# block anything else
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all

### rl1
# allow pptp-dialout
pass out quick on rl1 from any to 172.16.0.1 keep state
# allow GRE-traffic
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16

# block anything else
block in quick on rl1 all
block out quick on rl1 all


IPF is still compiled with default accept (like said in the orig. post)
i didn't have time to recompile it yet and i didn't think this made
sense if too much got blocked anyway ;)

with this config everything works as i want. but why do i need the 'keep
state' to make the webserver accessible?

cya,
jonas
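As an added illustration (not from the thread and not ipf code), here is a toy model of IPF's evaluation order: the state table is consulted first, then rules are scanned top to bottom, 'quick' stops the scan and otherwise the last match wins. It is run over a trimmed copy of jonas's ng0 rules (destination network matching is omitted; the client address 203.0.113.5 is a constructed sample). It models a state entry as a plain flow key, not ipf's per-state TCP flag and sequence checks, so it shows what 'keep state' on the pass in rule changes (the entry is created on the client's SYN instead of on the server's reply), not why the stateless variant failed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str
    proto: str = None      # None = any protocol
    dport: int = None      # None = any destination port
    quick: bool = False    # stop scanning at this rule if it matches
    keep_state: bool = False

    def matches(self, p):
        return (self.direction == p["dir"] and self.iface == p["iface"]
                and self.proto in (None, p["proto"])
                and self.dport in (None, p["dport"]))

def flow_key(p):
    # Both directions of one connection map to the same key (endpoints sorted)
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"], tuple(ends))

class Firewall:
    def __init__(self, rules, default="pass"):   # jonas's build: default accept
        self.rules, self.default, self.state = rules, default, set()

    def filter(self, p):
        if flow_key(p) in self.state:          # state table is checked first
            return "pass", "state"
        verdict, why, keep = self.default, "default", False
        for n, r in enumerate(self.rules, 1):  # last match wins unless quick
            if r.matches(p):
                verdict, why, keep = r.action, f"rule {n}", r.keep_state
                if r.quick:
                    break
        if verdict == "pass" and keep:         # only a winning pass rule adds state
            self.state.add(flow_key(p))
        return verdict, why

def ng0_rules(keep_state_on_in):
    # Trimmed copy of the ng0 section of the posted /etc/ipf.rules
    return [Rule("pass", "out", "ng0", quick=True, keep_state=True),
            Rule("pass", "in", "ng0", "tcp", 80, quick=True, keep_state=keep_state_on_in),
            Rule("block", "in", "ng0", "tcp", 111, quick=True),
            Rule("block", "in", "ng0", quick=True)]

def web_session(keep_state_on_in):
    """SYN in, SYN-ACK out, ACK in for one client hitting the web server; returns verdicts."""
    fw = Firewall(ng0_rules(keep_state_on_in))
    syn = dict(dir="in", iface="ng0", proto="tcp", src="203.0.113.5", sport=40000,
               dst="128.176.1.1", dport=80)   # constructed sample addresses
    synack = dict(syn, dir="out", src=syn["dst"], sport=80, dst=syn["src"], dport=40000)
    return [fw.filter(pk) for pk in (syn, synack, dict(syn))]
```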