Subject: Re: ipfilter question
To: Matthias Buelow <mkb@mukappabeta.de>
From: Mipam <mipam@ibb.net>
List: netbsd-help
Date: 03/10/2002 20:24:07
On Sat, Mar 09, 2002 at 01:34:51AM +0100, Matthias Buelow wrote:
> Hi,
> 
> I have the following ipfilter rules on 1.5.3_ALPHA:
> 
> pass in all
> pass out all
> pass in quick from 127.0.0.1 to any
> block in quick from any to any port = 515
> block in quick from !xxx.xxx.xxx.0/255.255.255.0 to any port = 111
> block in quick from !xxx.xxx.xxx.0/255.255.255.0 to any port = 2049
> block in quick from !xxx.xxx.xxx.0/255.255.255.0 to any port = 6000
> 
> yet finger (port 79) is blocked from the "outside" (i.e., not matching
> xxx.xxx.xxx.0/255.255.255.0).  I don't understand why, anybody more
> knowledgable?  From my understanding of the manpage it should all
> work well.  No blocking rule is there matching port 79.
> ssh (port 22) can connect to the machine.

Very weird rulebase you have here.
It doesn't seem like you need a firewall at all; use hosts.deny etc.
Third rule .... from 127.0.0.1 blabla
Replace it by pass in quick on lo0
and you'll also wish pass out quick on lo0

then you wish block in quick on [interface] proto tcp from !x.x.x.0/24 to any port = 111 etc.
Make your ruleset match more specifically than now and read the man page again please.
The ipf page gives a very nice manual which can help you.
Again though ... I do not see the need to use ipf with such a rulebase.
Like killing a fly with a cannon. hosts.deny and hosts.allow can help as well.
Bye,

Mipam.
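The point behind "make your ruleset match more specifically" is how ipfilter evaluates rules: every rule is checked top to bottom, the last matching rule decides the verdict, and a matching rule marked "quick" ends evaluation on the spot. The following small model of that evaluation is an added example written for this thread, not code from ipfilter or from either poster; it replays the quoted ruleset and the shape Mipam suggests against a few constructed packets, with 192.0.2.0/24 standing in for xxx.xxx.xxx.0/24 and ex0 for "[interface]".

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                # "pass" or "block"
    direction: str             # "in" or "out"
    quick: bool = False        # stop evaluating at this rule if it matches
    iface: str = None          # "lo0" etc.; None matches any interface
    proto: str = None          # "tcp"/"udp"; None matches any protocol
    src_net: str = None        # CIDR source; None matches any source
    src_negate: bool = False   # the "!" prefix: match sources NOT in src_net
    dport: int = None          # destination port; None matches any port

def matches(r, pkt):
    if r.direction != pkt["direction"] or (r.iface and r.iface != pkt["iface"]):
        return False
    if (r.proto and r.proto != pkt["proto"]) or (r.dport is not None and r.dport != pkt["dport"]):
        return False
    if r.src_net:
        in_net = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r.src_net)
        if in_net == r.src_negate:   # a "!" rule matches only sources outside the net
            return False
    return True

def evaluate(rules, pkt, default="pass"):
    # ipf semantics: last matching rule wins, unless a matching rule is "quick".
    verdict = default            # ipf's compiled-in default is pass when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

LAN = "192.0.2.0/24"             # constructed stand-in for xxx.xxx.xxx.0/24
# The ruleset quoted in the thread, as posted.
POSTED = [
    Rule("pass", "in"), Rule("pass", "out"),
    Rule("pass", "in", quick=True, src_net="127.0.0.1/32"),
    Rule("block", "in", quick=True, dport=515),
] + [Rule("block", "in", quick=True, src_net=LAN, src_negate=True, dport=p)
     for p in (111, 2049, 6000)]
# The shape Mipam suggests: interface-bound loopback rules, then per-port TCP blocks.
SUGGESTED = [
    Rule("pass", "in", quick=True, iface="lo0"), Rule("pass", "out", quick=True, iface="lo0"),
] + [Rule("block", "in", quick=True, iface="ex0", proto="tcp", src_net=LAN, src_negate=True, dport=p)
     for p in (111, 2049, 6000)]

def pkt(src, dport, iface="ex0", proto="tcp", direction="in"):   # constructed test packet
    return {"src": src, "dport": dport, "iface": iface, "proto": proto, "direction": direction}
```

Run against the posted rules, a port-79 packet from outside comes back "pass", which matches the original observation that no posted rule blocks finger. Note that the suggested rules name proto tcp, so in this model a UDP packet to port 111 or 2049 from outside matches nothing and falls through to the default.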