OBSD_2.9, Squid & IPF keep state
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: OBSD_2.9, Squid & IPF keep state
- From: qstreb <qstreb_(_at_)_ism-computer_(_dot_)_de>
- Date: Wed, 4 Jul 2001 14:40:07 +0200
Hi misc,
I guess the question is more for the ipf list, but
pls read & if you have any suggestions they would be really helpful.
I was happily running an OBSD firewall with ipf+squid for months at my work
and I was really happy,
but since two days ago I have TDSL and of course I put OpenBSD on it, so that
everybody could see it - http://qstreb.ath.cx
The point is that with this something wrong happened:
if I skip the use of squid and use only ipf there is no problem -
I can see http://qstreb.ath.cx from my work LAN.
If I use squid & only keep state ipf rules it doesn't work -
I can't see http://qstreb.ath.cx BUT everything else I browse is ok.
If I open all connections to work_squid_ip - everything works,
BUT I don't want to do it.
# the home ipf rules are not relevant
### Work ipf rules simplified header:
#--------------------------------------------------------------------------
# Group setup:
# 10 external iface - incoming - fxp2
# 11 external iface - outgoing - fxp2
# 20 dmz iface - incoming - fxp1
# 22 dmz iface - outgoing - fxp1
#--------------------------------------------------------------------------
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
#--------------------------------------------------------------------------
block in log quick on fxp2 proto tcp from any to any flags FUP
block in log quick on fxp2 proto tcp from any to any flags SF/SFRA
block in log quick on fxp2 proto tcp from any to any flags /SFRA
#--------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#--------------------------------------------------------------------------
block in log body on fxp2 all head 10
block out log body on fxp2 all head 11
#--------------------------------------------------------------------------
block in log on fxp1 all head 20
block out log on fxp1 all head 22
#--------------------------------------------------------------------------
### NOT WORKING RULES body
###
#--------------------------------------------------------------------------
pass in some tcp/udp from smb to smb keep state group 10
block return-icmp (net-unr) in log proto udp from any to any group 10
block return-rst in log proto tcp from any to any group 10
block in quick proto icmp from any to any icmp-type 8 group 10
#--------------------------------------------------------------------------
pass out quick proto tcp/udp from any to any keep state group 11
pass out quick proto icmp from any to any keep state group 11
#--------------------------------------------------------------------------
pass in quick proto tcp/udp from any to any keep state group 20
pass in quick proto icmp from any to any keep state group 20
#--------------------------------------------------------------------------
pass out quick proto tcp/udp from any to any keep state group 22
pass out quick proto icmp from any to any keep state group 22
### WORKING RULES body
###
#--------------------------------------------------------------------------
pass in quick proto tcp from any to Work_Squid_IP group 10 ##### !!!!!!!!
pass in some tcp/udp from smb to smb keep state group 10
block return-icmp (net-unr) in log proto udp from any to any group 10
block return-rst in log proto tcp from any to any group 10
block in quick proto icmp from any to any icmp-type 8 group 10
#--------------------------------------------------------------------------
pass out quick proto tcp/udp from any to any keep state group 11
pass out quick proto icmp from any to any keep state group 11
#--------------------------------------------------------------------------
pass in quick proto tcp/udp from any to any keep state group 20
pass in quick proto icmp from any to any keep state group 20
#--------------------------------------------------------------------------
pass out quick proto tcp/udp from any to any keep state group 22
pass out quick proto icmp from any to any keep state group 22
------------------------------------------
Best Regards,
qstreb