
ipf questions
I was working on writing a new firewall rule set for ipf based on the
ipf-howto. There were some things that I didn't understand very well, so
they probably were not implemented correctly in my rules. I am having
problems with people not being able to connect to port 80. I have
connections to port 80 being redirected to another computer for my
netcam. I am also getting this message occasionally:

arplookup: unable to enter address for X.X.X.X

X.X.X.X is not an IP address for a computer on my internal network, nor
is it an IP address that would be given out by @home, my ISP. It is not
the same number every time. I am using ipnat and class C private address
space for my network. de0 is my external NIC and I have a static IP
address with @home. I am trying to make my computer as resistant to port
scans as possible. I tried to do this with the keep state feature of IPF
but, as I am sure you will be able to see, I am not exactly sure how to
properly implement it. Any advice or links about this would be greatly
appreciated.

Here is a cat of my /etc/ipf.rules as it currently stands:

pass in from any to any
pass out from any to any

pass in proto tcp from any to any flags S keep state keep frags
pass out proto tcp from any to any flags S keep state keep frags

pass in quick on lo0
pass out quick on lo0

block in log quick on de0 proto icmp from any to any icmp-type redir

#the following supposedly will block tcp stealth scans (fin,xmas,null) and os FP
block in log quick on de0 proto tcp all with short
block in log quick on de0 all with ipopts
#block return-icmp-as-dest(port-unr) in log quick on de0 proto udp from any to any
block return-rst in log quick on de0 proto tcp from any to any

#blocking private ip address space and my ip addy from coming in de0
block in log quick on de0 from 192.168.0.0/16 to any
block in log quick on de0 from 172.16.0.0/12 to any
block in log quick on de0 from 10.0.0.0/8 to any
block in log quick on de0 from 127.0.0.1/8 to any
block in log quick on de0 from 0.0.0.0/8 to any
block in log quick on de0 from 255.255.255.255/32 to any
block in log quick on de0 from 169.254.0.0/16 to any
block in log quick on de0 from 192.0.2.0/24 to any
block in log quick on de0 from 204.152.64.0/23 to any
block in log quick on de0 from 224.0.0.0/3 to any
block in log quick on de0 from X.X.X.X/32 to any          <---- X.X.X.X is my ip

#keep people out of these services
block in log quick on de0 proto tcp/udp from any to any port = sunrpc
block in log quick on de0 proto tcp/udp from any to any port = nfsd
block in log quick on de0 proto tcp from any to any port 5999 >< 6010


#Block all ICMP destination unreachable packets which are port-unreachables
block in log quick on de0 proto icmp from any to any icmp-type unreach code 3
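For comparison, here is the stateful, quick-ordered layout the post is reaching for, written as an added example rather than the poster's own rule set: it assumes a 192.168.1.0/24 LAN, a netcam at 192.168.1.10, and shows the ipnat.conf fragment followed by the ipf.rules fragment.

```ipf
# ---- /etc/ipnat.conf (added example; LAN and netcam addresses are assumed) ----
# Hide the private LAN behind de0's own address (0/32 = "use the interface address").
map de0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map de0 192.168.1.0/24 -> 0/32
# Send inbound TCP/80 arriving on de0 to the netcam.
rdr de0 0.0.0.0/0 port 80 -> 192.168.1.10 port 80 tcp

# ---- /etc/ipf.rules (added example) ----
# Two ipf semantics drive this layout:
#  1. Inbound packets are NAT-translated BEFORE filtering, so the rdr'd web
#     traffic is seen with the netcam's address as its destination.
#  2. The state table is consulted before the rule list, and without "quick"
#     the LAST matching rule wins; a blanket "pass in" at the top followed by
#     "block ... quick" still blocks the SYN. Every rule here is "quick", so
#     the list reads strictly top-down.
pass in quick on lo0 all
pass out quick on lo0 all

# Spoofed or malformed traffic on the external interface is dropped first.
block in log quick on de0 from 192.168.0.0/16 to any
block in log quick on de0 from 172.16.0.0/12 to any
block in log quick on de0 from 10.0.0.0/8 to any
block in log quick on de0 from 127.0.0.0/8 to any
block in log quick on de0 proto tcp all with short
block in log quick on de0 all with ipopts

# The only new connection accepted from outside: the rdr'd netcam port.
# Only the SYN needs this rule; the rest of the connection matches state.
pass in quick on de0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state keep frags

# Everything this host or the LAN starts outbound gets a state entry, so
# replies come back without any explicit inbound rule for them.
pass out quick on de0 proto tcp from any to any flags S keep state keep frags
pass out quick on de0 proto udp from any to any keep state
pass out quick on de0 proto icmp from any to any keep state

# Default deny for unsolicited inbound: RST for TCP, silent drop otherwise.
block return-rst in log quick on de0 proto tcp from any to any
block in log quick on de0 all
```

Because no inbound rule exists for any port except the redirected 80, a scan of de0 sees only RSTs on TCP and nothing at all on UDP, while the state entries created by the outbound rules keep the LAN's own traffic working.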