
Re: boot order (bringing up interfaces and ipf)



The behavior that I desire is to block packets coming in on ne0 (the
internet interface) to the port X. I don't want to block any other traffic.
The reason I want to block these packets is to provide extra security
against people from the outside accessing my services (such as database
servers, proxies, etc.). The problem is that at the time the ipf rules are
loaded ne0 does not have an ip address and ipf won't load the rule. Any other
suggestions?

Thanks for the help,
ryan


> On Sun, Jul 01, 2001 at 02:52:15PM -0500, ryc wrote:
> > Changing the rules to read "from any to any" changes the meaning of the
> > rules. I want to block traffic from the outside interface (ne0) to these
> > ports, and I want to allow traffic from the other interfaces. Hence the use
> > of the interface name. Do you have any other ideas?
>
> I think Steve (I believe, you lost the attribution) meant a rule like,
>
>   block return-rst in log quick on ne0 proto tcp from any to any port = X
>
> This rule still only affects packets coming in on ne0 and does not
> match traffic on other interfaces. It does change the meaning of the
> rule slightly. _All_ packets coming into ne0 destined for that port
> will be dropped as opposed to only ones with the destination IP of this
> firewall machine. This is a Good Thing if you want to block all
> incoming traffic to that port. OTOH, if you want some incoming port
> "X" traffic to be routed _through_ the firewall, you should place a
> pass rule with the allowed IP destinations in front of this block.
>
> > > Change your rules to read "from any to any".
> > >
> > >
> > > ----- Original Message -----
> > > From: "ryc" <ryc@mail.utexas.edu>
> > > To: <misc@openbsd.org>
> > > Sent: Saturday, June 30, 2001 10:02 PM
> > > Subject: boot order (bringing up interfaces and ipf)
> > >
> > >
> > > > I ran into a problem and I am not sure what would be the best way to fix
> > > > this (OpenBSD 2.9). My problem is that on bootup ipf has an empty set of
> > > > rules besides pass in from any to any.. etc. My internet interface is
> > > > configured via dhcp, and is not static. Some of my firewall rules contain
> > > > the interface name in them as such:
> > > >
> > > > block return-rst in log quick on ne0 proto tcp from any to ne0/32 port = X
> > > >
> > > > (where ne0 is the interface configured via dhcp)
> > > >
> > > > The problem is that on boot ipf is loaded before the interfaces are
> > > > configured... So ipf pukes when trying to load its rules, and when the box
> > > > finishes booting the rules are not active (I don't remember the error message
> > > > ipf says, but I will go get it from the terminal if anyone wants it).
> > > >
> > > > I can see why ipf is configured before the interfaces, but doing it this way
> > > > screws up my rules.
> > > >
> > > > Is there a better way to write the rules so ipf will load them without
> > > > the interface having an ip address? Should I just reload the rules in
> > > > rc.local? Any ideas?
> > > >
> > > > Thanks,
> > > > ryan
>
> --
> Crist J. Clark                           cjclark@alum.mit.edu
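
An added example ruleset, written for this page and not posted by anyone in the thread, that puts the rule as originally written next to the interface-address-free form Crist describes, with the pass rule for allowed routed destinations placed ahead of the block. The inside interface ne1, TCP port 3306 standing in for "port X", and the inside host 192.168.1.10 are assumptions made for the example.

```ipf
# Added example /etc/ipf.rules for the situation in the thread (not the poster's file).
# Assumptions: ne0 is the external interface configured by dhclient, ne1 is the
# trusted inside interface, 3306 stands in for "port X", and 192.168.1.10 is a
# constructed inside host that must stay reachable on that port through the box.

# Same default as the thread's ruleset: everything passes unless a later rule blocks it.
pass in from any to any
pass out from any to any

# The rule as posted. "ne0/32" is resolved to the interface's address when the file
# is loaded; when /etc/rc loads ipf, ne0 has no address yet, so this rule is
# rejected and the ruleset never becomes active. Kept commented out for comparison.
# block return-rst in log quick on ne0 proto tcp from any to ne0/32 port = 3306

# Allowed routed traffic goes first: a "quick" pass with an explicit destination
# wins before the block below is ever consulted.
pass in quick on ne0 proto tcp from any to 192.168.1.10 port = 3306 keep state

# Replacement rule. Still limited to packets arriving on ne0, but "to any" needs no
# interface address, so it loads before dhclient has configured ne0. Note the
# changed meaning: it now also drops port 3306 packets routed through the box to
# any other destination, which is why the pass rule above sits in front of it.
block return-rst in log quick on ne0 proto tcp from any to any port = 3306

# Nothing here mentions ne1, so inside traffic to port 3306 falls through to the
# default pass rules and is unaffected.
```

To check that the file loads without an address on ne0, flush and reload with `ipf -Fa -f /etc/ipf.rules` and list the active rules with `ipfstat -io`; if the block rule appears in the input list, the dependency on the interface address is gone and the ruleset no longer needs to wait for dhclient.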