
Re: /etc/ipf.rules (inaccessible web server)



Alexander Farber wrote:
> The complete /etc/ipf.rules file that I am using can be seen at
> http://real.ath.cx/BSDinstall.html and I am also attaching it.

Sorry, here's the attachment... I have also tried to set

  block in log quick from 10.0.0.0/8 to any group 100
  block in log quick from any to 10.0.0.0/8 group 100
  block in log quick from 172.16.0.0/12 to any group 100
  block in log quick from any to 172.16.0.0/12 group 100
  #block in log quick from 192.168.0.0/16 to any group 100
  #block in log quick from any to 192.168.0.0/16 group 100

but even then I can't access http://xxx.dyndns.org from the same
machine (but I access it without problems from an external one)

#	$OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
#
# IP filtering rules.  See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
#
# Pass all packets by default.
# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
#
#pass in from any to any
#pass out from any to any

#--------------------------------------------------------------------------
# tun0 - external interface
# fxp0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all:
# packets which are too short to be real, source-routed packets and
# other IP options (these quick rules come before the lo0 pass rules,
# so they apply to loopback traffic as well)
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick on tun0 all with frags

block in  quick on tun1 all
block out quick on tun1 all

#-------------------------------------------------------------------------
# fuzz any 'nmap' attempt
block in log quick on tun0 proto tcp from any to any flags FUP
block in log quick on tun0 proto tcp from any to any flags SF/SFRA
block in log quick on tun0 proto tcp from any to any flags /SFRA
#-------------------------------------------------------------------------

#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in  quick on lo0 all
pass out quick on lo0 all
#--------------------------------------------------------------------------


#--------------------------------------------------------------------------
# Group setup:
# 100 incoming tun0
# 150 outgoing tun0
# 200 incoming fxp0
# 250 outgoing fxp0
#--------------------------------------------------------------------------
block in  log body on tun0 all head 100
block out log body on tun0 all head 150
#--------------------------------------------------------------------------
block in  log on fxp0 all head 200
block out log on fxp0 all head 250
#--------------------------------------------------------------------------


#--------------------------------------------------------------------------
# incoming tun0 traffic - group 100
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing: nothing arriving from the internet may
#    claim a loopback source or be addressed to a loopback destination
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
#    RFC 1918 space; note that the second block is 172.16.0.0/12
#    (172.16.0.0 - 172.31.255.255), a /16 would only cover 172.16.x.x
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
#block in log quick from 192.168.0.0/16 to any group 100
#block in log quick from any to 192.168.0.0/16 group 100
#--------------------------------------------------------------------------
# 3) Implemented  Policy

# Allow WEB
pass in quick proto tcp from any to any port = 80 flags S/SA keep state group 100
pass in quick proto tcp from any to any port = 443 flags S/SA keep state group 100

# allow Mail
pass in quick proto tcp from any to any port = 25 flags S/SA keep state group 100

# allow certain classes of ICMP
pass in log quick  proto icmp all icmp-type 0 group 100
pass in log quick  proto icmp all icmp-type 3 group 100
pass in log quick  proto icmp all icmp-type 11 group 100
block in  log proto icmp all group 100

# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100


#--------------------------------------------------------------------------
# outgoing tun0 traffic - group 150
#--------------------------------------------------------------------------

# ALL !!
#pass out log proto tcp/udp from any to any flags S/SA keep state keep frags group 150

# SSH
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150

# CVS
pass out quick proto tcp from any to any port = 2401 flags S/SA keep state group 150

# DNS
pass out quick proto tcp/udp from any to any port = 53 keep state group 150

# http-service
pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 443 flags S/SA keep state keep frags group 150

# smtp
pass out quick proto tcp from any to any port = 25 flags S/SA keep state group 150

# identd (that we get)
pass out quick proto tcp from any to any port = 113 flags S/SA keep state group 150

# pop3
pass out quick proto tcp from any to any port = 110 flags S/SA keep state group 150

# ftp (the control channel is TCP only; active-mode data connections
# coming back from port 20 are not covered by this rule)
pass out quick proto tcp from any to any port = 21 flags S/SA keep state group 150

# NTP
pass out quick proto udp from any to any port = 123 keep state group 150

# nntp
pass out quick proto tcp from any to any port = 119 flags S/SA keep state keep frags group 150

# XMMS
#pass out quick proto tcp from any to any port = 8000 flags S/SA keep state group 150
#pass out quick proto tcp from any to any port = 7500 flags S/SA keep state group 150

# ICQ
pass out quick proto udp from any to any port = 4000 keep state group 150

# Napster
#pass out quick proto tcp from any to any port = 8888 flags S/SA keep state keep frags group 150
#pass out quick proto tcp from any to any port = 8875 flags S/SA keep state keep frags group 150

# IRC chat
#pass out quick proto tcp from any to any port = 6667 flags S/SA keep state keep frags group 150

# Pings
pass out quick proto icmp from any to any keep state group 150

# RealAudio
pass out quick proto tcp from any to any port = 7070 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 8080 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 554 flags S/SA keep state keep frags group 150

# SHOUTCAST
#pass out quick proto tcp from any to any port = 8038 flags S/SA keep state keep frags group 150


#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# incoming traffic on fxp0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
#block in log quick from 192.168.0.1/32 to any group 200
block in log quick from 192.168.1.2/32 to any group 200
pass in quick from 192.168.1.0/24 to any  group 200
#--------------------------------------------------------------------------
# outgoing traffic on fxp0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
#block out log quick from any to 192.168.0.1/32 group 250
pass out quick from any to any group 250
#--------------------------------------------------------------------------
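How ipf decides the fate of a packet under a ruleset like the one above is easy to get wrong by reading alone: rules are scanned in order and the last match wins, except that a match carrying `quick` ends the scan at once, and a matching `head N` rule hands the packet to the rules tagged `group N` (the head rule's own block action stands if none of them match). The Python below is an added example, not code from the mail or from OpenBSD's ipf: it models exactly that subset of the syntax on a constructed excerpt of the posted rules, and shows what a /16 prefix on the 172.16 block does in practice, namely that a packet from 172.20.1.1 sails past the anti-spoof rule and reaches the web-server pass rule, whereas with the RFC 1918 prefix 172.16.0.0/12 it is dropped. The addresses 198.51.100.1 (the firewall's tun0) and 203.0.113.5 (a remote host) are assumptions for illustration; TCP flags, ICMP types and state are not modelled.

```python
"""Toy evaluator for the subset of IPFilter (ipf) syntax used in the posted rules.
Added example, not code from the original mail or from OpenBSD's ipf: it models
in/out, quick, 'on <iface>', proto, from/to with CIDR, 'port = N', 'head N' /
'group N' and the return-* modifiers; TCP flags, ICMP types, 'keep state' and
'with ...' options are consumed but ignored (stateless model)."""
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    direction: str              # "in" or "out"
    iface: str                  # e.g. "tun0"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _net(tok):                  # 'any' matches everything; a bare address is a /32
    if tok == "any":
        return None
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32", strict=False)


_KEYWORDS = {                                   # keyword: (field, tokens consumed, converter)
    "on": ("iface", 2, lambda a: a[0]),         "head": ("head", 2, lambda a: int(a[0])),
    "from": ("src", 2, lambda a: _net(a[0])),   "group": ("group", 2, lambda a: int(a[0])),
    "to": ("dst", 2, lambda a: _net(a[0])),     "quick": ("quick", 1, lambda a: True),
    "proto": ("proto", 2, lambda a: set(a[0].split("/"))),   # "tcp/udp" means either
    "port": ("dport", 3, lambda a: int(a[1])),               # only the "port = N" form
    # consumed but not modelled: logging, 'all', TCP flags, ICMP type, state keeping
    "log": (None, 1, None), "body": (None, 1, None), "all": (None, 1, None),
    "flags": (None, 2, None), "icmp-type": (None, 2, None), "keep": (None, 2, None),
}


def parse_rule(line):
    toks = line.split()
    i = 2 if toks[1].startswith("return-") else 1   # skip return-rst / return-icmp(...)
    rule = {"action": toks[0], "direction": toks[i], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "dport": None, "head": None, "group": 0}
    i += 1
    while i < len(toks):
        if toks[i] not in _KEYWORDS:
            raise ValueError(f"unsupported token {toks[i]!r} in rule: {line}")
        field, n, conv = _KEYWORDS[toks[i]]
        if field is not None:
            rule[field] = conv(toks[i + 1:i + n])
        i += n
    return rule


def matches(rule, pkt):
    return (rule["direction"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and (rule["proto"] is None or pkt.proto in rule["proto"])
            and (rule["src"] is None or ipaddress.ip_address(pkt.src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt.dst) in rule["dst"])
            and rule["dport"] in (None, pkt.dport))


def evaluate(rules, pkt):
    """'pass' or 'block' for pkt under ipf semantics: last match wins unless it is
    'quick'; a matching 'head N' rule hands the packet to the 'group N' rules."""
    by_group = {}
    for r in rules:
        by_group.setdefault(r["group"], []).append(r)

    def scan(group, last):
        for r in by_group.get(group, []):
            if not matches(r, pkt):
                continue
            last = r["action"]                  # last match wins ...
            if r["quick"]:                      # ... unless the match is 'quick'
                return last, True
            if r["head"] is not None:           # descend into the group this rule heads;
                last, stop = scan(r["head"], last)   # its own action stands if nothing matches there
                if stop:
                    return last, True
        return last, False

    return scan(0, "pass")[0]                   # ipf passes when no rule matches at all


# Constructed excerpt of the posted /etc/ipf.rules (tun0 = external interface).
RULESET = """\
pass in quick on lo0 all
pass out quick on lo0 all
block in log body on tun0 all head 100
block out log body on tun0 all head 150
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 172.16.0.0/16 to any group 100
pass in quick proto tcp from any to any port = 80 flags S/SA keep state group 100
block return-rst in log proto tcp from any to any group 100
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150
"""
# Same policy with the RFC 1918 prefix widened to the whole 172.16/12 block.
RULESET_FIXED = RULESET.replace("172.16.0.0/16", "172.16.0.0/12")


def decide(ruleset_text, pkt):
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip() and not l.startswith("#")]
    return evaluate(rules, pkt)


if __name__ == "__main__":
    # 198.51.100.1 = assumed tun0 address of the firewall, 203.0.113.5 = assumed remote host
    for src, port in (("203.0.113.5", 80), ("203.0.113.5", 22), ("172.20.1.1", 80)):
        pkt = Packet("in", "tun0", "tcp", src, "198.51.100.1", port)
        print(f"{src}:{port:<4} original={decide(RULESET, pkt):5} fixed={decide(RULESET_FIXED, pkt)}")
```

Running it shows the web probe passing under both rulesets, the ssh probe blocked by the non-quick `return-rst` rule (the last match within group 100), and the 172.20.1.1 probe passing only under the /16 ruleset. An outbound packet on tun0 that matches nothing in group 150 is blocked by the head rule itself, which is the fallback the group structure is built on.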
