Subject: Re: IPF Rules
To: Todd Gruhns Acct <tgruhn2@mail.com>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 01/04/2002 20:47:03
On Fri, Jan 04, 2002 at 10:29:37PM -0500, Todd Gruhns Acct wrote:
> I decided to write my own IPF ruleset. I can now access mail.com,
> but I cannot access netbsd.org. What's wrong with this IPF ruleset?

What do you mean by "access"? FTP? HTTP? CVS? 'ping'?

> 
> 
> block in quick on ppp0 all   # Absolutely no one allowed in on the ppp0 interface

With this rule, any other "block in" rules are redundant, and will never
be in effect.

> 
> 
>   # block invalid source address packets (anti-spoofing rules)
>   block  in log quick on ppp0 from 192.168.0.0/16 to any
>   block  in log quick on ppp0 from 172.16.0.0/12 to any
>   block  in log quick on ppp0 from 10.0.0.0/8 to any
>   block  in log quick on ppp0 from 127.0.0.0/8 to any
> 
>   #NOW LOOSEN RULES TO ALLOW TRAFFIC IN
> 
>   # implicit allow (see section 2.13)
>   pass  out     quick on ppp0 proto tcp/udp all keep state
>   pass  out     quick on ppp0 proto udp     all keep state

These two are redundant, in terms of UDP.

>   pass  out     quick on ppp0 proto icmp all keep state
>   pass  out     quick on ppp0 proto igmp all
> 
> 
> 
> block out log quick all
> 
> 

For what you seem to be after, I'd use the rules
	
	pass in quick on ppp0 proto icmp from any to any icmp-type 3
			# destination unreachable

	block return-rst in quick on ppp0 proto tcp from any to any
	block return-icmp(host-unr) in quick on ppp0 proto udp from any to any
	block in quick on ppp0 from any to any

	pass out quick on ppp0 proto tcp from any to any flags S keep state
	pass out quick on ppp0 proto udp from any to any keep state
	pass out quick on ppp0 proto icmp from any to any keep state
	pass out quick on ppp0 proto igmp from any to any
			# Do you need IGMP for PPP?

	block out log on ppp0 from any to any

David S.
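The two ordering points in this exchange (a catch-all `block in quick` at the top shadows every later logging rule, and `flags S keep state` only opens state for a real outbound SYN) can be checked with a small first-match simulator. The code below is an added example, not code from this thread and not ipfilter itself: it parses a subset of IPF rule syntax, evaluates packets with `quick` first-match semantics and a `keep state` table, and carries both rulesets from the thread as constants (David's with `proto` added to the icmp-type 3 rule so that it parses). The packet addresses are constructed documentation addresses, and the state model is deliberately simplified (no ICMP-error matching against state, no timeouts, no port ranges).

```python
"""Toy first-match evaluator for a subset of IPF rule syntax: an added
example, not ipfilter and not code from the thread. It models 'quick',
'keep state' and the return-rst / return-icmp block actions."""
import ipaddress, re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<ret>return-rst|return-icmp\([^)]*\)))?"
    r"\s+(?P<dir>in|out)(?:\s+(?P<log>log))?(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?:\s+flags\s+(?P<flags>\S+))?(?:\s+icmp-type\s+(?P<icmptype>\d+))?"
    r"(?:\s+(?P<state>keep state))?$")

# Rulesets transcribed from the thread ('proto' added to David's icmp rule).
TODD_RULES = """
block in quick on ppp0 all
block in log quick on ppp0 from 192.168.0.0/16 to any
block in log quick on ppp0 from 172.16.0.0/12 to any
block in log quick on ppp0 from 10.0.0.0/8 to any
block in log quick on ppp0 from 127.0.0.0/8 to any
pass out quick on ppp0 proto tcp/udp all keep state
pass out quick on ppp0 proto udp all keep state
pass out quick on ppp0 proto icmp all keep state
pass out quick on ppp0 proto igmp all
block out log quick all
"""
DAVID_RULES = """
pass in quick on ppp0 proto icmp from any to any icmp-type 3
block return-rst in quick on ppp0 proto tcp from any to any
block return-icmp(host-unr) in quick on ppp0 proto udp from any to any
block in quick on ppp0 from any to any
pass out quick on ppp0 proto tcp from any to any flags S keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state
pass out quick on ppp0 proto igmp from any to any
block out log on ppp0 from any to any
"""

def parse_rules(text):
    """Parse rules into dicts of regex groups; '#' comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("unsupported rule syntax: " + line)
            rules.append(m.groupdict())
    return rules

def _addr_ok(spec, addr):
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(r, p):
    """Does rule r match packet p (a dict built by pkt())?"""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] not in r["proto"].split("/"):
        return False
    if not (_addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])):
        return False
    if r["flags"] and p["flags"] != r["flags"]:   # 'flags S' means a pure SYN
        return False
    return not r["icmptype"] or p["icmptype"] == int(r["icmptype"])

def pkt(direction, proto, src, dst, sport=0, dport=0, flags="", icmptype=None):
    # Constructed packet; all sample traffic in this example is on ppp0.
    return dict(dir=direction, proto=proto, src=src, dst=dst, sport=sport,
                dport=dport, flags=flags, icmptype=icmptype, iface="ppp0")

class Firewall:
    def __init__(self, text):
        self.rules = parse_rules(text)
        self.state = set()            # 5-tuples recorded by 'keep state'

    @staticmethod
    def _key(p, reverse=False):
        a = (p["src"], p["sport"], p["dst"], p["dport"])
        return (p["proto"],) + (a[2:] + a[:2] if reverse else a)

    def filter(self, p):
        """(verdict, rule_index, logged); -1 = state hit, None = no match."""
        if self._key(p) in self.state or self._key(p, True) in self.state:
            return ("pass", -1, False)
        hit = None
        for i, r in enumerate(self.rules):
            if _matches(r, p):
                hit = (i, r)
                if r["quick"]:            # quick: first match wins;
                    break                 # otherwise the last match wins
        if hit is None:
            return ("pass", None, False)  # IPF's default is pass
        i, r = hit
        if r["action"] == "pass" and r["state"]:
            self.state.add(self._key(p))
        return (r["action"] + (" " + r["ret"] if r["ret"] else ""), i, bool(r["log"]))

def spoofed_inbound(rules_text):
    """Which rule catches an inbound TCP SYN from a private (10/8) source?"""
    return Firewall(rules_text).filter(
        pkt("in", "tcp", "10.1.2.3", "203.0.113.5", 4444, 80, "S"))

def web_fetch(rules_text):
    """Outbound SYN, its SYN-ACK reply, then a stray outbound ACK with no state."""
    fw = Firewall(rules_text)
    me, www = "203.0.113.5", "198.51.100.9"
    return (fw.filter(pkt("out", "tcp", me, www, 40000, 80, "S")),
            fw.filter(pkt("in", "tcp", www, me, 80, 40000, "SA")),
            fw.filter(pkt("out", "tcp", me, www, 40001, 80, "A")))
```

`spoofed_inbound(TODD_RULES)` returns `("block", 0, False)`: the catch-all `block in quick` answers before any of the logging anti-spoof rules, so a spoofed packet is dropped silently and those rules never fire, which is the redundancy pointed out above. With `DAVID_RULES`, `web_fetch` shows the outbound SYN creating state that admits the returning SYN-ACK, while a stray outbound ACK with no state falls through to the logged `block out`; the same call against `TODD_RULES` passes the stray ACK, because its outbound TCP rule has no `flags S` restriction and so opens state for any outbound segment.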