On Mon, 19 Sep 2005 23:20:09 +0200 Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> jonas wrote:
> > adding a 'keep state' to the 'pass in'-rules solved this problem.
> > but I still do not understand why it didn't work before, because
> > outgoing traffic was allowed with
> > "pass out quick on ng0 from any to any keep state"
> > I'd really prefer to know what's going on there :)
> >
> > any ideas?
>
> It would help if you would post your ruleset and not the readout,
> it's easier to read. Secondly, it is possible to compile ipf with
> default block - post the default action also.
>
> Cheers, Erik

/etc/ipf.rules:

### ng0
# allow anything out to the internet
pass out quick on ng0 from any to any keep state
# allow http, https, ssh
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state
# outgoing bittorrent data
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 55555
# block anything else
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all

### rl1
# allow pptp-dialout
pass out quick on rl1 from any to 172.16.0.1 keep state
# allow GRE-traffic
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16
# block anything else
block in quick on rl1 all
block out quick on rl1 all

IPF is still compiled with default accept (as said in the orig. post). I didn't have time to recompile it yet, and I didn't think this made sense if too much got blocked anyway ;)

With this config everything works as I want. But why do I need the 'keep state' to make the webserver accessible?

cya, jonas
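The thread turns on which inbound pass rules carry 'keep state'. As an added check (not from the thread or from ipf itself), the script below parses the ruleset jonas posted, copied in as data, and lists every 'pass in' rule that has no 'keep state', so a reviewer can see at a glance which inbound allows are not tracked by the state table; the field names in the parsed dicts are this example's own.

```python
import re

# The ipf ruleset posted above, copied here as data for the check (comments dropped).
IPF_RULES = """\
pass out quick on ng0 from any to any keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 80 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 443 keep state
pass in log quick on ng0 proto tcp from any to 128.176.0.0/16 port = 22 keep state
pass in log quick on ng0 proto udp from any to 128.176.0.0/16 port = 22 keep state
pass in quick on ng0 proto tcp from any to 128.176.0.0/16 port = 55555
block in quick on ng0 proto tcp from any to any port = 111
block in quick on ng0 all
pass out quick on rl1 from any to 172.16.0.1 keep state
pass in quick on rl1 from 172.16.0.1 to 172.16.0.0/16
block in quick on rl1 all
block out quick on rl1 all
"""

def parse_rules(text):
    """Split each ipf rule into the fields the check needs (field names are ours)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        port = re.search(r"port\s*=\s*(\d+)", line)
        rules.append({
            "text": line,
            "action": tokens[0],                # pass / block
            "direction": tokens[1],             # in / out
            "interface": tokens[tokens.index("on") + 1] if "on" in tokens else None,
            "proto": tokens[tokens.index("proto") + 1] if "proto" in tokens else None,
            "port": int(port.group(1)) if port else None,
            "keep_state": "keep state" in line,
        })
    return rules

def stateless_inbound_passes(text):
    """'pass in' rules without 'keep state': the property jonas added to the web rules."""
    return [r for r in parse_rules(text)
            if r["action"] == "pass" and r["direction"] == "in" and not r["keep_state"]]

def main():
    for r in stateless_inbound_passes(IPF_RULES):
        print("no keep state:", r["text"])

if __name__ == "__main__":
    main()
```

On the posted set this reports the bittorrent rule (tcp port 55555 on ng0) and the GRE rule on rl1, the only two inbound allows without state tracking.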