
List:       ipfilter
Subject:    Re: Outgoing access from the server is blocked
From:       Sasa Stupar <sasa () stupar ! homelinux ! net>
Date:       2006-03-05 10:16:12
Message-ID: 16771B6FE8D998C0F8CB147A () [192 ! 168 ! 10 ! 200]



--On 5 March 2006 10:57 +0100 Michal Mertl <mime@traveller.cz> wrote:

> Sasa Stupar wrote on Sun 05. 03. 2006 at 10:04 +0100:
>> Hi!
>>
>> I am new to ipfilter. I have a server (FreeBSD 5.5) in DMZ and I have
>> configured ipfilter (3.4.35) on this server for firewall. Incoming
>> access
>
> I think that you might benefit from the upgrade of the server to 6.1 (as
> 5.5 has not been released yet). It is better performing, has quite a
> few new features and you would also get much newer ipfilter.
>
>> is filtered as it is supposed to, but outgoing access from the server is
>> completely blocked; I can't use fetchmail, nor connect to a remote smtp
>> server, etc. Here are my rules:
>> --------------
>> # ping
>> pass in quick proto icmp from 192.168.10.0/24 to <thishost> icmp-type echo
>> # ftp
>> pass in quick proto tcp from any to <thishost> port = 21 flags S keep state
>> # ssh
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 22 flags S keep state
>> # smtp
>> pass in quick proto tcp from any to <thishost> port = 25 flags S keep state
>> # http
>> pass in quick proto tcp from any to <thishost> port = 80 flags S keep state
>> # pop3
>> pass in quick proto tcp from any to <thishost> port = 110 flags S keep state
>> block return-rst in quick proto tcp from any to any port = 113
>> # ntp
>> pass in quick proto udp from 192.168.10.0/24 to <thishost> port = 123
>> # samba
>> pass in quick proto udp from 192.168.10.0/24 to <thishost> port 137 <> 138
>> # samba
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 139 flags S keep state
>> # imap
>> pass in quick proto tcp from any to <thishost> port = 143 flags S keep state
>> # https
>> pass in quick proto tcp from any to <thishost> port = 443 flags S keep state
>> # samba
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 445 flags S keep state
>> # smtps
>> pass in quick proto tcp from any to <thishost> port = 465 flags S keep state
>> # sma
>> pass in quick proto tcp from any to <thishost> port = 587 flags S keep state
>> # pop3s
>> pass in quick proto tcp from any to <thishost> port = 993 flags S keep state
>> # imaps
>> pass in quick proto tcp from any to <thishost> port = 995 flags S keep state
>> # webmin
>> pass in quick proto tcp from 192.168.10.0/24 to <thishost> port = 10000 flags S keep state
>> pass out quick from <thishost> to any
>
> You probably want keep state on this rule too. This way the returning
> packets will automatically be allowed and not blocked by your last rule.
>
>> # lo
>> pass in quick on lo0 all
>> # Block everything else
>> block in quick on fxp0 from any to <thishost>
>> ---------------
>>
>> What am I missing here?
>>
>> Regards,
>
> HTH
>
> Michal
>

Thanx. That did the trick. Now it is working fine.


-- 
Sasa Stupar
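The reply's fix (add `keep state` to the `pass out quick from <thishost> to any` rule) is easy to see once ipfilter's evaluation order is modelled: the state table is consulted before the rule list, and a `quick` match ends the rule scan. The following is an added example, not code from the ipfilter project or from either poster; it is a deliberately small model of that behaviour (no interface matching, simplified TCP flag matching, first-hit quick semantics only) run over a constructed outbound SMTP connection. `THISHOST` and `REMOTE_SMTP` are constructed placeholders for the poster's `<thishost>` and a remote mail server, and the ruleset is a cut-down version of the posted one.

```python
"""Toy model of ipfilter rule evaluation, illustrating why the posted
'pass out quick from <thishost> to any' rule without 'keep state' lets the
SYN leave but then has the server's SYN/ACK blocked by the final
'block in quick' rule, and why 'keep state' on the out rule fixes it.

Added example, not code from ipfilter or from the thread.  Addresses and
ports are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

THISHOST = "192.0.2.10"       # constructed stand-in for the poster's <thishost>
REMOTE_SMTP = "203.0.113.25"  # constructed remote SMTP server


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S" (SYN) or "SA" (SYN/ACK)


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # None means 'any'
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None   # "S" models ipfilter's 'flags S' (only SYN set)
    quick: bool = True
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or set(self.flags) == set(p.flags)))


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Flow] = set()

    def verdict(self, p: Packet) -> str:
        fwd: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.proto, p.dst, p.dport, p.src, p.sport)
        # The state table is checked before any rule: packets of a tracked
        # flow, in either direction, pass without touching the rule list.
        if fwd in self.state or rev in self.state:
            return "pass"
        # Rules are scanned in order; the last match wins unless a matching
        # rule carries 'quick', which ends the scan immediately.
        winner: Optional[Rule] = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"               # ipfilter's default when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(fwd)         # the passing packet creates the state entry
        return winner.action


def ruleset(keep_state_on_out: bool) -> List[Rule]:
    """Cut-down version of the posted rules: inbound SMTP allowed, outbound
    allowed (with or without keep state), everything else inbound blocked."""
    return [
        Rule("pass", "in", proto="tcp", dst=THISHOST, dport=25, flags="S", keep_state=True),
        Rule("pass", "out", src=THISHOST, keep_state=keep_state_on_out),
        Rule("block", "in", dst=THISHOST),
    ]


def outbound_smtp_session(keep_state_on_out: bool) -> List[str]:
    """Verdicts for our SYN going out and the server's SYN/ACK coming back."""
    fw = Filter(ruleset(keep_state_on_out))
    syn = Packet("out", "tcp", THISHOST, 50321, REMOTE_SMTP, 25, "S")
    syn_ack = Packet("in", "tcp", REMOTE_SMTP, 25, THISHOST, 50321, "SA")
    return [fw.verdict(syn), fw.verdict(syn_ack)]


if __name__ == "__main__":
    print("as posted        :", outbound_smtp_session(False))  # ['pass', 'block']
    print("with keep state  :", outbound_smtp_session(True))   # ['pass', 'pass']
```

Without state on the out rule, the returning SYN/ACK is a fresh inbound packet to a high port, matches none of the service rules, and falls through to `block in quick`; with `keep state`, the outbound SYN registers the flow and the reply is accepted from the state table before the rules are consulted. The same mechanism is why the inbound service rules already carry `keep state`: the server's own replies go out via the `pass out` rule either way, but the model keeps the symmetry visible.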
