Subject: Re: Question about IPFilter and local connections being refused.
To: None <schluntz@workofstone.com>
From: None <netbsd@purk.ee>
List: netbsd-help
Date: 04/09/2002 18:26:08
maybe u just need to drop first line...and the end of your rules
just block all packets in and out
like
block in all on le0
block out all on le0

after that no ping and traceroute ....silence:) from outside:)

Greetings
>
> I have the following rules (at end of message) set up on a NetBSD/sparc
> 1.5.2 system (with the kernel set to default drop).  It can connect out
> to other systems without a problem (even systems it has to go through
> the gateway for) and other systems can connect in to the box on the
> ports that are open.
>
> The problem is that I can't connect to any of the ports locally, if I
> try:
>
> telnet localhost 110
>  or
> telnet 10.0.0.110 110
>
> I get the following error:
>
> telnet: Unable to connect to remote host: No route to host
>
> Which confuses me, the routes are there (the local IP address is
> 10.0.0.110):
>
>  $ netstat -rn
>  Routing tables
>
>  Internet:
>  Destination        Gateway            Flags     Refs     Use    Mtu  Interface
>  default            10.0.0.100         UGS         0        1   1500  le0
>  10/24              link#1             UC          3        0   1500  le0
>  10.0.0.1           00:a0:cc:3b:90:af  UHLc        1       80   1500  le0
>  10.0.0.100         00:00:c0:5e:b3:0b  UHLc        1        0   1500  le0
>  10.0.0.110         08:00:20:77:06:12  UHLc        0        1   1500  lo0
>  127                127.0.0.1          UGRS        0        0  33228  lo0
>  127.0.0.1          127.0.0.1          UH          2        1  33228  lo0
>
> I've tried going so far as to add:
>  pass in quick on lo0 proto tcp from any to any
>  pass in quick on le0 proto tcp from 10.0.0.110/32 to 10.0.0.110/32
>
> to the /etc/ipf.conf file but it doesn't help.  The system works just
> fine when the firewall is not loaded.
>
> Does anyone have any ideas as to what I'm doing wrong?  I've looked
> through the lists, and see mention of this kind of error but I don't
> see any responses.
>
> Thanks for your help!
> -Sean
>
> /etc/ipf.conf
>
>  # Block all traffic if it is not allowed below
>  block in on le0 all
>
>  # Allow the system to act as an Internet client
>  pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
>  pass out quick on le0 proto udp from 10.0.0.110/32 to any keep state
>  pass out quick on le0 proto icmp from 10.0.0.110/32 to any keep state
>
>  # Allow inbound ssh connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 22 keep state
>
>  # Allow inbound smtp connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 25 keep state
>
>  # Allow inbound DNS connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 53 keep state
>  pass in quick on le0 proto udp from any to 10.0.0.110/32 port = 53 keep state
>
>  # Allow inbound pop3(s) connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
>  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 995 keep state
>
>  # Allow inbound imap(s) connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 143 keep state
>  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 993 keep state
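Added example, not part of either message: a constructed, simplified model of how IPFilter walks a ruleset (first "quick" match wins, otherwise the last match; no match falls through to the kernel default, which the quoted box has set to block), run over an excerpt of the quoted /etc/ipf.conf plus the lo0 rule Sean tried. The packet it checks is assumed from the quoted route table, which sends 10.0.0.110 via lo0; the model shows that the outbound leg of a local connection on lo0 matches no rule at all, while the added "pass in" rule only covers the inbound leg.

```python
import ipaddress
# Constructed, simplified IPFilter model (not ipf itself): first "quick" match
# wins, else the last match; a packet matching no rule gets the kernel default.
DEFAULT = "block"    # the kernel "default drop" the thread describes

def parse_rule(line):
    t = line.split("#", 1)[0].split()            # ipf ignores '#' comments
    if not t:
        return None
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "on": None,
         "proto": None, "src": None, "dst": None, "dport": None}
    for i, w in enumerate(t):
        if w in ("on", "proto"):
            r[w] = t[i + 1]
        elif w in ("from", "to") and t[i + 1] != "any":
            r["src" if w == "from" else "dst"] = ipaddress.ip_network(t[i + 1])
        elif w == "port" and t[i + 1] == "=":
            r["dport"] = int(t[i + 2])
    return r                                     # "all"/"keep state" add no fields

def matches(r, p):
    return (r["dir"] == p["dir"] and r["on"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and r["dport"] in (None, p["dport"]))

def verdict(rules, p):
    result = (DEFAULT, None)                     # (action, index of deciding rule)
    for i, r in enumerate(rules):
        if r and matches(r, p):
            result = (r["action"], i)
            if r["quick"]:
                break
    return result

# Excerpt of the quoted /etc/ipf.conf plus the lo0 rule Sean said he tried.
CONF = """block in on le0 all
pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
pass in quick on lo0 proto tcp from any to any"""
RULES = [parse_rule(l) for l in CONF.splitlines()]

def local_pop3_verdicts(rules=RULES):
    # "telnet 10.0.0.110 110" on the box itself: the quoted route table sends
    # 10.0.0.110 via lo0, and a locally generated packet is filtered outbound first.
    pkt = {"iface": "lo0", "proto": "tcp", "src": "10.0.0.110",
           "dst": "10.0.0.110", "dport": 110}
    return (verdict(rules, {**pkt, "dir": "out"})[0],
            verdict(rules, {**pkt, "dir": "in"})[0])
```

Appending a matching "pass out" rule for lo0 to RULES makes both legs pass in this model; remote connections on le0 are unaffected either way.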