
Re: boot order (bringing up interaces and ipf)



On Sun, Jul 01, 2001 at 02:52:15PM -0500, ryc wrote:
> Changing the rules to read "from any to any" changes the meaning of the
> rules. I want to block traffic from the outside interface (ne0) to these
> ports, and I want to allow traffic from the other interfaces. Hence the use
> of the interface name. Do you have any other ideas?

I think Steve (I believe, you lost the attribution) meant a rule like,

  block return-rst in log quick on ne0 proto tcp from any to any port = X

This rule still only affects packets coming in on ne0 and does not
match traffic on other interfaces. It does change the meaning of the
rule slightly. _All_ packets coming into ne0 destined for that port
will be dropped as opposed to only ones with the destination IP of this
firewall machine. This is a Good Thing if you want to block all
incoming traffic to that port. OTOH, if you want some incoming port
"X" traffic to be routed _through_ the firewall, you should place a
pass rule with the allowed IP destinations in front of this block.

> > Change your rules to read "from any to any".
> >
> >
> > ----- Original Message -----
> > From: "ryc" <ryc@mail.utexas.edu>
> > To: <misc@openbsd.org>
> > Sent: Saturday, June 30, 2001 10:02 PM
> > Subject: boot order (bringing up interaces and ipf)
> >
> >
> > > I ran into a problem and I am not sure what would be the best way to fix
> > > this (OpenBSD 2.9). My problem is that on bootup ipf has an empty set of
> > > rules besides pass in from any to any.. etc.. My internet interface is
> > > configured via dhcp, and is not static. Some of my firewall rules contain
> > > the interface name in them as such:
> > >
> > > block return-rst in log quick on ne0 proto tcp from any to ne0/32 port = X
> > >
> > > (where ne0 is the interface configured via dhcp)
> > >
> > > The problem is that on boot ipf is loaded before the interfaces are
> > > configured... So ipf pukes when trying to load its rules, and when the box
> > > finishes booting the rules are not active (I don't remember the error message
> > > ipf says, but I will go get it from the terminal if anyone wants it).
> > >
> > > I can see why ipf is configured before the interfaces, but doing it this way
> > > screws up my rules.
> > >
> > > Is there a better way to write the rules so ipf will load them without
> > > the interface having an ip address? Should I just reload the rules in
> > > rc.local? Any ideas?
> > >
> > > Thanks,
> > > ryan

-- 
Crist J. Clark                           cjclark@alum.mit.edu
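An ipf.rules fragment illustrating the ordering Crist describes, added here as an example and not taken from the thread. The port number (25 standing in for "X"), the internal host 192.0.2.10 and the interface name are assumptions.

```ipf
# Added example, not from the thread: OpenBSD 2.9 ipf rules for port "X" (25 here).
# 192.0.2.10 is an assumed internal host that should still be reachable on that
# port through the firewall; ne0 is the dhcp-configured outside interface.

# The form from the original post. "to ne0/32" has to be resolved to ne0's
# address when the rules are loaded, which fails while ne0 has no address yet:
# block return-rst in log quick on ne0 proto tcp from any to ne0/32 port = 25

# "to any" needs no address, so this loads before dhclient has configured ne0.
# With "quick" the first matching rule wins, so the pass for the one forwarded
# destination that is still allowed must come before the block.
pass in quick on ne0 proto tcp from any to 192.0.2.10/32 port = 25

# Every other packet entering ne0 for port 25 is now rejected, whether it is
# addressed to the firewall itself or would be routed through it. Traffic on
# the other interfaces is not touched by either rule.
block return-rst in log quick on ne0 proto tcp from any to any port = 25
```

Without the pass rule in front, the block alone also drops port 25 traffic forwarded to internal hosts, which is the change of meaning the reply points out.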