Subject: Re: Question about IPFilter and local connections being refused.
To: None <schluntz@workofstone.com>
From: None <netbsd@purk.ee>
List: netbsd-help
Date: 04/09/2002 18:56:54
u have rules that allow incoming traffic to certain ports like
22,143...so on....the first line seems weird:) if u put it at the end
of rules...then u blocking all unwanted packets?:)
i have kinda same rules...i allow packets to 80,22,25,143,443..and
others including icmp are blocked...it works for me:)

Greetings
>
> I have the following rules (at end of message) setup on a NetBSD/sparc
> 1.5.2 system (with the kernel set to default drop).  It can connect out
> to other systems without a problem (even systems it has to go through
> the gateway for) and other systems can connect in to the box on the
> ports that are open.
>
> The problem is that I can't connect to any of the ports locally, if I
> try:
>
> telnet localhost 110
>  or
> telnet 10.0.0.110 110
>
> I get the following error:
>
> telnet: Unable to connect to remote host: No route to host
>
> Which confuses me, the routes are there (the local IP address is
> 10.0.0.110):
>
>  $ netstat -rn
>  Routing tables
>
>  Internet:
>  Destination        Gateway            Flags     Refs     Use    Mtu  Interface
>  default            10.0.0.100         UGS         0        1   1500  le0
>  10/24              link#1             UC          3        0   1500  le0
>  10.0.0.1           00:a0:cc:3b:90:af  UHLc        1       80   1500  le0
>  10.0.0.100         00:00:c0:5e:b3:0b  UHLc        1        0   1500  le0
>  10.0.0.110         08:00:20:77:06:12  UHLc        0        1   1500  lo0
>  127                127.0.0.1          UGRS        0        0  33228  lo0
>  127.0.0.1          127.0.0.1          UH          2        1  33228  lo0
>
> I've tried going so far as to add:
>  pass in quick on lo0 proto tcp from any to any
>  pass in quick on le0 proto tcp from 10.0.0.110/32 to 10.0.0.110/32
>
> to the /etc/ipf.conf file but it doesn't help.  The system works just
> fine when the firewall is not loaded.
>
> Does anyone have any ideas as to what I'm doing wrong?  I've looked
> through the lists, and see mention of this kind of error but I don't
> see any responses.
>
> Thanks for your help!
> -Sean
>
> /etc/ipf.conf
>
>  # Block all traffic if it not now allowed below
>  block in on le0 all
>
>  # Allow the system to act as an Internet client
>  pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
>  pass out quick on le0 proto udp from 10.0.0.110/32 to any keep state
>  pass out quick on le0 proto icmp from 10.0.0.110/32 to any keep state
>
>  # Allow inbound ssh connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 22 keep state
>
>  # Allow inbound smtp connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 25 keep state
>
>  # Allow inbound DNS connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 53 keep state
>  pass in quick on le0 proto udp from any to 10.0.0.110/32 port = 53 keep state
>
>  # Allow inbound pop3(s) connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
>  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 995 keep state
>
>  # Allow inbound imap(s) connections
>  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 143 keep state
>  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 993 keep state
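A rule-set coverage check, added here as an example and not part of either message: it parses a constructed copy of the ipf.conf rules quoted above and, using the fact from the quoted netstat -rn output that both 10.0.0.110 and 127.0.0.1 are reached via lo0, lists every interface/direction pair a locally-destined packet traverses without any pass rule, which a kernel built to block by default drops (IPFilter reports a dropped outbound packet to the sending program as EHOSTUNREACH, "No route to host"). The parser reads only the action/direction/interface prefix of a rule; parse_rules, uncovered_directions and the two data constants are names chosen for this example.

```python
import re

# Constructed copy of the ipf.conf rules quoted above plus the 'pass in quick on lo0' rule the poster added.
IPF_CONF = """
block in on le0 all
pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
pass out quick on le0 proto udp from 10.0.0.110/32 to any keep state
pass out quick on le0 proto icmp from 10.0.0.110/32 to any keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 22 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 25 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 53 keep state
pass in quick on le0 proto udp from any to 10.0.0.110/32 port = 53 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 143 keep state
pass in quick on lo0 proto tcp from any to any
"""

# Interface the quoted 'netstat -rn' output uses to reach each local address.
LOCAL_ROUTES = {"10.0.0.110": "lo0", "127.0.0.1": "lo0"}

# Only the action / direction / interface prefix of an IPFilter rule is parsed.
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+(?:quick\s+)?on\s+(\S+)")

def parse_rules(conf):
    """Return (action, direction, interface) for every rule line in conf."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments; skips blank lines
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules

def uncovered_directions(conf, local_routes):
    """List (address, interface, direction) with no 'pass' rule at all.

    A connection to a local address leaves on its routed interface and re-enters
    on it, so both directions need a pass rule when the kernel blocks by default.
    """
    passes = {(d, i) for a, d, i in parse_rules(conf) if a == "pass"}
    missing = []
    for addr, ifname in sorted(local_routes.items()):
        for direction in ("out", "in"):
            if (direction, ifname) not in passes:
                missing.append((addr, ifname, direction))
    return missing

if __name__ == "__main__":
    for addr, ifname, direction in uncovered_directions(IPF_CONF, LOCAL_ROUTES):
        print(f"{addr}: no 'pass {direction}' rule on {ifname}")
```

Run against the quoted rule set it reports that lo0 has a pass in rule but no pass out rule for either local address; appending a `pass out` rule on lo0 makes the list empty.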