
IPF Issue (Solved thanks to Daniel & Peter)



----- Original Message -----
From: "Peter Hessler" <yodadoa_(_at_)_yahoo_(_dot_)_com>
To: "Papo Napolitano" <papo_(_at_)_dosalcubo_(_dot_)_com>
Sent: Monday, June 11, 2001 8:00 PM
Subject: Re: IPF Issue (Long Mail)


> block in log first quick on xl0 from 10.0.0.0/8 to any
>
> Based on your ipnat rules, 10.*.*.* is your internal network.  try
> commenting out that set, and try it again.

This machine is located between the router and the network switch, using
two network cards, so I'm trying to block traffic coming from the internal
net on the external interface. According to several FAQs that's spoofed
traffic... Is that right?

> also, you have this duplicated, I don't think it will cause problems,
> but try w/o the flags S option.
>
>  # Allow Incoming DNS
>  pass in quick on xl0 proto tcp from any to 10.0.0.2/32 port = 53 flags S keep state keep frags
>  pass in quick on xl0 proto udp from any to 10.0.0.2/32 port = 53 keep state keep frags
>
>
> I seem to remember that it's recommended to dump frags, you may want
> to consider having rules w/o keep frags.
>
> Are there any windows boxes on the network? other operating systems?
> Other network apps that ping out for other boxes? (the last few were
> rhetorical, to think about the problem)
>
> Think about changing the default permissions to not be logged (if just
> for now)

After making a couple of changes suggested by Daniel Polak:

-pass out quick on xl0 proto tcp/udp from 200.63.17.2/28  to any keep state
keep frags
-pass out quick on xl0 proto tcp/udp from 10.0.0.0/24 to any keep state keep
frags
+pass out quick on xl0 proto tcp from 200.63.17.2/28  to any flags S keep
state keep frags
+pass out quick on xl0 proto udp from 200.63.17.2/28  to any keep state keep
frags
+pass out quick on xl0 proto tcp from 10.0.0.0/24 to any flags S keep state
keep frags
+pass out quick on xl0 proto udp from 10.0.0.0/24 to any keep state keep
frags
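Review bot: 200.63.17.2/28 in the pass out rules has host bits set below the /28 boundary, so it is unclear whether the intended source is the network 200.63.17.0/28 or the single host 200.63.17.2; write it as 200.63.17.0/28 (or 200.63.17.2/32) so the rule reads the way it is meant. The split itself is the right fix: flags S cannot be attached to a combined tcp/udp rule, and without it every TCP packet matching the rule, not just the initial SYN, creates its own state entry. Note also that the line breaks inside the rules above are mail wrapping; in ipf.conf each rule must sit on a single line.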

Preserved states have gone down from nearly 2000 to 580 =)
So I may say that was the primary mistake in the rules.
Anyway, I'm going to try removing the logging and the keep frags later, just to
see.

Thank you very much Peter.
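The two pitfalls discussed in this thread, checked mechanically over the rule set from the mail. This is an added example written for this page, not code from the original mail and not part of IP Filter; the rules it checks are the ones quoted above, re-joined onto single lines where the mail client had wrapped them, and the heuristics (token-based parsing of `proto`, `flags` and `keep state`, plus a host-bits check on CIDR prefixes) are assumptions about what is worth flagging, not ipf's own parser.

```python
"""Lint a small IP Filter (ipf.conf) rule set for the state-table
pitfalls discussed in the thread: tcp/udp rules with keep state (which
cannot carry flags S), tcp keep-state rules without flags S, and CIDR
prefixes written with host bits set.

Added example for this page; IP Filter ships no such tool, and the
checks are heuristics, not a full ipf.conf grammar.
"""
import ipaddress
import re

# Constructed input: the "before" rules from the mail, unwrapped onto one line each.
BEFORE = """
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto tcp from any to 10.0.0.2/32 port = 53 flags S keep state keep frags
pass in quick on xl0 proto udp from any to 10.0.0.2/32 port = 53 keep state keep frags
pass out quick on xl0 proto tcp/udp from 200.63.17.2/28 to any keep state keep frags
pass out quick on xl0 proto tcp/udp from 10.0.0.0/24 to any keep state keep frags
"""

# Constructed input: the "after" rules from the mail, unwrapped onto one line each.
AFTER = """
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto tcp from any to 10.0.0.2/32 port = 53 flags S keep state keep frags
pass in quick on xl0 proto udp from any to 10.0.0.2/32 port = 53 keep state keep frags
pass out quick on xl0 proto tcp from 200.63.17.2/28 to any flags S keep state keep frags
pass out quick on xl0 proto udp from 200.63.17.2/28 to any keep state keep frags
pass out quick on xl0 proto tcp from 10.0.0.0/24 to any flags S keep state keep frags
pass out quick on xl0 proto udp from 10.0.0.0/24 to any keep state keep frags
"""

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def check_rule(rule: str) -> list:
    """Return the findings for one ipf rule (empty list if it looks fine)."""
    findings = []
    tokens = rule.split()
    proto = tokens[tokens.index("proto") + 1] if "proto" in tokens else None
    keeps_state = "keep state" in rule
    has_flags = "flags" in tokens

    # 1. A combined tcp/udp rule cannot carry "flags S", so every TCP packet
    #    it passes (not just the SYN) creates a state entry.
    if proto == "tcp/udp" and keeps_state:
        findings.append("tcp/udp with keep state: split into a tcp rule with "
                        "flags S and a separate udp rule")

    # 2. A tcp keep-state rule without flags S creates state for ACK-only,
    #    FIN and RST packets too, inflating the state table.
    if proto == "tcp" and keeps_state and not has_flags:
        findings.append("tcp keep state without flags S: state is created for "
                        "every matching packet, not just the initial SYN")

    # 3. A prefix with host bits set is ambiguous: network or single host?
    for cidr in CIDR_RE.findall(rule):
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            findings.append(f"{cidr} has host bits set; did you mean {net} "
                            f"or {cidr.split('/')[0]}/32?")
    return findings


def lint(ruleset: str) -> dict:
    """Map each rule that has findings to its list of findings."""
    report = {}
    for line in ruleset.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = check_rule(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(f"== {name} ==")
        for rule, findings in lint(rules).items():
            print(rule)
            for finding in findings:
                print("   ->", finding)
```

Run against the "before" set it flags both tcp/udp rules; against the "after" set only the host-bits warning on 200.63.17.2/28 remains, which is the one point the thread's fix did not touch.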