Re: [7.99.18] ipfilter

To: port-sparc64%netbsd.org@localhost
Subject: Re: [7.99.18] ipfilter
From: christos%astron.com@localhost (Christos Zoulas)
Date: Sun, 19 Jul 2015 17:40:32 +0000 (UTC)

In article <mogj8u$1m0$1%ger.gmane.org@localhost>,
Christos Zoulas <christos%astron.com@localhost> wrote:
>In article <55AB980B.3090606%systella.fr@localhost>,
>BERTRAND JoÃ«l  <joel.bertrand%systella.fr@localhost> wrote:
>>	Hello,
>>
>>	I'm not sure it's a sparc64 specific issue. Maybe I have done a mistake.
>>
>>	I use a blade2000 as a router. WAN is connected to gem0 by a WIMAX 
>>modem. LAN's are connected to hme[0-3].
>>
>>	All but 2222/TCP (ssh) are closed from WAN. Thus, I have written in 
>>/etc/ipf.conf :
>>
>>
>>	If I understand, all connections to 2222/TCP are blocked when they 
>>don't come from rayleigh and newton. But I see on console that some IPv4 
>>(mainly from China) try to connect to my server on 2222/TCP port.
>>
>>	Where is my mistake ?
>
>Start from the more specific rules and end in the more general.
>I.e. flip the order, starting from the last rule going to the first.

Actually that will not work, since your last rules will become allow.
Try something like:

pass in quick log on gem0 proto tcp \
	from rayleigh.systella.fr to any port = 2222 keep state
pass in quick log on gem0 proto tcp \
	from newton.systella.fr to any port = 2222 keep state
pass in quick on hme0 to tap0:192.168.1.1 proto tcp \
         from 192.168.10.250 port = 80 to any keep state
block in quick log on gem0 proto tcp \
	from any to any port = 2222
pass in from any to any
pass out from any to any

christos

References:
- [7.99.18] ipfilter
  - From: BERTRAND Joël
- Re: [7.99.18] ipfilter
  - From: Christos Zoulas

Prev by Date: Re: [7.99.18] ipfilter
Next by Date: Re: [7.99.20] Build error
Previous by Thread: Re: [7.99.18] ipfilter
Indexes:

Home | Main Index | Thread Index | Old Index