Subject: Re: IPF Configuration
To: Richard Ibbotson <richard@sheflug.co.uk>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 10/30/2003 22:40:35
On Tue, Oct 28, 2003 at 07:12:51PM +0000, Richard Ibbotson wrote:
> Hi
>
> Further to previous attempts where Rasputin helped me out :)
>
> I've now got something that is better. However, I find that when I
> started downloading e-mail or web pages or packages for a workstation
> that is attached to the network then the net connection drops away and
> then comes back up again a few seconds later. This has the effect of
> stopping e-mail, web pages and anything else dead in its tracks. I
> have to do a Ctrl-c on a workstation and re-start all over again.
> Not only that, it happens every two or three e-mails or so. Very
> frustrating.
>
> I need to get away from this situation. As you can see below I have
> allowed in at port 80, 20 and 113 some tcp. But, I think this has not
> been done in the way that it should be done.
>
> Can anyone help me to sort out the last part of IPF.conf so that I can
> get the whole thing to work properly ?
>
>
>
>
> # Security policy
> #
> block in log all
>
> # Loopback policy: Completely open
> #
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
> pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11
You should probably add type 3 (ICMP_UNREACH) to the list
> pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 113 flags S keep state
> pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 20 flags S keep state
> pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 80 flags S keep state
Maybe 'keep frags' too ?
> # Large pile of IANA stuff in here ... for example..
> block in log quick from 37.0.0.0/8 to any
>
> # then more it and then
> # Rasputin's state rules
> #
> pass out on ippp0 proto tcp/udp from any to any keep state
Maybe 'keep frags' too ?
If it still doesn't work, look at the logs, to see if some packets are blocked
which shouldn't be.
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 24 years of experience will always make the difference
--
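For reference, here is the posted ipf.conf fragment with the three suggestions from the reply applied (ICMP type 3 passed in, 'keep frags' on the stateful TCP rules, 'keep state keep frags' on the outbound rule). This is an added example assembled from the thread, not a file either poster sent; the interface name ippp0, the 192.168.1.0/24 LAN and the three inbound ports are taken from the post as written, and nothing about NAT on the box is assumed.

```ipf
# Added example: the posted ruleset with the reply's suggestions applied.
# ippp0 and 192.168.1.0/24 are the poster's values; no other changes.

# Security policy: default deny inbound, log what is dropped
block in log all

# Loopback policy: completely open
pass in quick on lo0 all
pass out quick on lo0 all

# ICMP: echo reply (0), destination unreachable (3, added as suggested;
# carries "fragmentation needed" for path-MTU discovery and lets failed
# connections abort promptly instead of hanging) and time exceeded (11)
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 3
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11

# Inbound TCP services as posted, with 'keep frags' so that the
# non-first fragments of a packet matched by the state entry pass too
pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 113 flags S keep state keep frags
pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 20 flags S keep state keep frags
pass in quick on ippp0 proto tcp from any to 192.168.1.0/24 port = 80 flags S keep state keep frags

# Bogon blocks (the post's "large pile of IANA stuff") go here, e.g.
block in log quick from 37.0.0.0/8 to any

# Outbound: every session the LAN starts creates a state entry, and the
# replies come back on that entry rather than on an inbound pass rule
pass out on ippp0 proto tcp/udp from any to any keep state keep frags
```

Load it with `ipf -Fa -f /etc/ipf.conf`, then reproduce the stall and read `ipfstat -hio` (rule hit counts) alongside the ipmon log: any dropped packet that should have been allowed will show up against the `block in log all` rule, which is the check the reply recommends. One caveat on the static bogon list: an address block that was unassigned in 2003 (37.0.0.0/8 among them) has since been allocated, so a hand-maintained list of that kind needs to be revisited or it will silently cut off legitimate sites.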