Subject: Re: IPFiler ( ipf ) for dial-up and LAN
To: <>
From: David Forrai <d.forrai@ieee.org>
List: port-i386
Date: 04/12/2002 22:10:49
There is a problem with the default sequence in which rc.d executes the scripts
that support ipfilter.  I submitted a bug report that didn't seem to lead to
any change.  I don't remember the details, but these are the requirement lines
I have in three rc.d scripts that I think made things work (making sysctl a
requirement for ipnat may have been the problem):

ipfilter: # REQUIRE: root beforenetlkm mountcritlocal tty
ipnat: # REQUIRE: ipfilter mountcritremote sysctl
sysctl: # REQUIRE: root ipfilter ipsec

If it helps at all, this is my ipf.conf file I've set up to use with my dial-up
and my LAN:

# Block traffic from reserved addresses on the Internet
#
#    192.168.0.0/16 (reserved for internal networks)
#    172.16.0.0/12 (reserved for internal networks)
#    10.0.0.0/8 (reserved for internal networks)
#    0.0.0.0/8 (used strangely by some stacks for routing)
#    127.0.0.0/8 (the localhost)
#    169.254.0.0/16 (IANA use)
#    192.0.2.0/24 (netblock for documentation authors)
#    204.152.64.0/23 (Sun Microsystems cluster interconnects)
#    224.0.0.0/3 (class D and E multicasts)
#
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 172.16.0.0/12 to any
block in quick on ppp0 from 10.0.0.0/8 to any
block in quick on ppp0 from 0.0.0.0/8 to any
block in quick on ppp0 from 127.0.0.0/8 to any
block in quick on ppp0 from 169.254.0.0/16 to any
block in quick on ppp0 from 192.0.2.0/24 to any
block in quick on ppp0 from 204.152.64.0/23 to any
block in quick on ppp0 from 224.0.0.0/3 to any
block out quick on ppp0 from 192.168.0.0/16 to any
block out quick on ppp0 from 172.16.0.0/12 to any
block out quick on ppp0 from 10.0.0.0/8 to any
block out quick on ppp0 from 0.0.0.0/8 to any
block out quick on ppp0 from 127.0.0.0/8 to any
block out quick on ppp0 from 169.254.0.0/16 to any
block out quick on ppp0 from 192.0.2.0/24 to any
block out quick on ppp0 from 204.152.64.0/23 to any
block out quick on ppp0 from 224.0.0.0/3 to any

#  Let all traffic from the LAN out to the Internet.
#  This makes us a completely open Internet client.
#
pass out quick on ppp0 proto tcp from any to any keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state

#  Block all packets originating from the Internet
#
block in on ppp0 all


"zuan ." wrote:

> >Look in /usr/share/examples/ipf/mediaone.
> >Basically put this in /etc/ipnat.conf:
> >map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> >map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1024:65535
> >map ppp0 192.168.1.0/24 -> 0/32
> >
> >You also need to enable 'options GATEWAY' in your kernel, or add the
> >following to /etc/sysctl.conf:
> >       net.inet.ip.forwarding=1
> >
> >Also in /etc/rc.conf:
> >       ipnat=YES
>
> Ermm, I have that in my ipnat.conf
>
> ---
> map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map ppp0 192.168.1.0/24 -> 0/32
> rdr ppp0 0.0.0.0/0 port 80 -> 192.168.1.123 port 80
> rdr ppp0 0.0.0.0/0 21 ftp -> 192.168.1.10 21 ftp
> ---
>
> What about ipf.conf?
> I tried making some rules but it ended up blocking my LAN from accessing the Internet,
> so right now I only have this:
>
> pass in quick on rtk0 all
> pass out quick on rtk0 all
>
> pass in quick on ppp0 all
> pass out quick on ppp0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
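Added illustration, not part of the thread: a small Python simulator of ipf's rule-matching order, which is what separates the posted ipf.conf from the all-pass ruleset in the quoted reply. It runs a constructed subset of the rules above; `keep state` is ignored because only single packets are evaluated, and ipfilter's behaviour of passing a packet that matches no rule is assumed.

```python
import ipaddress
# Constructed subset of the ipf.conf posted above (reserved-source blocks,
# stateful outbound pass, final non-quick "block in" catch-all).
FILTERED = """
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 10.0.0.0/8 to any
block out quick on ppp0 from 10.0.0.0/8 to any
pass out quick on ppp0 proto tcp from any to any keep state
block in on ppp0 all
"""
# The all-pass ruleset from the quoted reply.
OPEN = "pass in quick on ppp0 all\npass out quick on ppp0 all\n"

def parse(text):
    """Parse the subset of ipf syntax used in this thread into rule dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        src = tok[tok.index("from") + 1] if "from" in tok else "any"
        rules.append({
            "action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": tok[tok.index("on") + 1] if "on" in tok else None,
            "proto": tok[tok.index("proto") + 1] if "proto" in tok else None,
            "src": None if src == "any" else ipaddress.ip_network(src),
        })
    return rules

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"]))

def decide(rules, pkt):
    """ipf semantics: every rule is consulted and the LAST match wins, except
    that a matching 'quick' rule ends evaluation at once. A packet matching
    no rule at all is passed (ipfilter default, assumed here)."""
    verdict = "pass"
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

if __name__ == "__main__":
    pkt = {"dir": "in", "iface": "ppp0", "proto": "tcp", "src": "203.0.113.9"}
    print("filtered:", decide(parse(FILTERED), pkt), " open:", decide(parse(OPEN), pkt))
```

The non-quick catch-all is why the posted ruleset still drops unsolicited inbound traffic on ppp0, while the quoted `pass in quick on ppp0 all` passes everything.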