Subject: IPF Conf
To: None <netbsd-help@netbsd.org>
From: Richard Ibbotson <richard@sheflug.co.uk>
List: netbsd-help
Date: 07/10/2003 20:33:59
Hi
Finally got round to IPF rules. Can anyone help with this? Tried on
the NetBSD tech list and they said send it here.
In ipf.conf I've got some rules which are about 30 to 50 lines long.
Probably not configured properly but it's going in the right
direction. I'm willing to admit that it's a mess. Which is why I've
written in hoping that I can sort it out.
The rules look like this for a firewall box that is a dialup
connection. ISDN card is ippp0 and the network card is ne2.
pass out quick on lo0
pass in quick on lo0
block in log all with frag
block in proto icmp all
block return-icmp (3) in proto udp from any to any port > 5000
block in log all with ipopts
block in log on ippp0 proto tcp from any to 192.168.1.0/24 flags S/SA
#Don't want ICMP
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
block out log on ippp0 proto tcp from 192.168.1.0/24 to any flags SA/SA
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 5999 >< 6010
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 22 >< 23
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 513 >< 514
block in log on ippp0 from 0.0.0.0/7 to any
block in log on ippp0 from 1.0.0.0/8 to any
block in log on ippp0 from 2.0.0.0/8 to any
block in log on ippp0 from 5.0.0.0/8 to any
# there's a whole load of stuff in here. I've
# cut it so that I don't fill up anyone's
# mailbox
block in log on ippp0 from 217.0.0.0/8 to any
block in log on ippp0 from 218.0.0.0/8 to any
block in log on ippp0 from 219.0.0.0/8 to any
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11
block in log quick on ippp0 proto icmp from any to any
pass in all
Then I'd like to put in some rules to block out. There are times when
I find that I need this. Would be good to know how to do it properly.
#block out quick log on ippp0 from 192.168.1.0/24 to any
#block out quick log on ippp0 from 192.168.1.0/24 to 0.0.0.0/7
#block out quick log on ippp0 from 192.168.1.0/24 to 2.0.0.0/8
The part that has really caused a lot of problems for me is the pass
out line at the bottom. Is it...
pass out all
Or, does it need to be something else?
Thanks
Richard
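The question at the end is really about what a trailing "pass in all" / "pass out all" does to the rules above it. As an added example, not from the original post and not IPFilter's own code, here is a small Python model of the ipf evaluation order (rules are scanned top to bottom, the last matching rule decides, and a matching rule with "quick" stops the scan there). It is run over a one-rule-per-line copy of the ruleset from the post with the long bogon list abbreviated; the packets, the helper names (parse_rule, matches, evaluate, packet) and the 203.0.113.5 address are constructed for the example.

```python
# Hypothetical ipf rule evaluator (teaching aid, not IPFilter itself): rules are
# scanned in order, the LAST matching rule decides, and 'quick' stops the scan.
import ipaddress

# Constructed copy of the post's ruleset, one rule per line; the long list of
# 'block in log on ippp0 from X.0.0.0/8' rules is abbreviated as in the post.
RULESET = """
pass out quick on lo0
pass in quick on lo0
block in log all with frag
block in proto icmp all
block return-icmp (3) in proto udp from any to any port > 5000
block in log all with ipopts
block in log on ippp0 proto tcp from any to 192.168.1.0/24 flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
block out log on ippp0 proto tcp from 192.168.1.0/24 to any flags SA/SA
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 5999 >< 6010
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 22 >< 23
block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 513 >< 514
block in log on ippp0 from 0.0.0.0/7 to any
block in log on ippp0 from 219.0.0.0/8 to any
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11
block in log quick on ippp0 proto icmp from any to any
pass in all
pass out all
"""

def parse_rule(line):
    """Turn one ipf rule into a dict of match criteria (only the keywords used above)."""
    t = line.split()
    r = {"action": t[0], "quick": False, "iface": None, "proto": None, "src": None,
         "dst": None, "sport": None, "dport": None, "flags": None, "icmp_type": None,
         "with": None}
    i = 1
    if t[i].startswith("return-"):           # return-rst / return-icmp (3): ignored here
        i += 2 if t[i + 1].startswith("(") else 1
    r["dir"], i = t[i], i + 1
    side = "dport"                           # 'port' after 'to' is the destination port
    while i < len(t):
        k = t[i]
        if k in ("log", "all", "quick"):
            r["quick"], i = r["quick"] or k == "quick", i + 1
        elif k in ("on", "proto", "with", "icmp-type"):
            key = {"on": "iface", "icmp-type": "icmp_type"}.get(k, k)
            r[key], i = (int(t[i + 1]) if k == "icmp-type" else t[i + 1]), i + 2
        elif k in ("from", "to"):
            side = "sport" if k == "from" else "dport"
            net = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1])
            r["src" if k == "from" else "dst"], i = net, i + 2
        elif k == "port" and t[i + 1] in ("=", "<", ">"):   # port = 113, port > 5000
            r[side], i = (t[i + 1], int(t[i + 2])), i + 3
        elif k == "port":                                    # port 22 >< 23 (exclusive range)
            r[side], i = ("><", int(t[i + 1]), int(t[i + 3])), i + 4
        elif k == "flags":                                   # flags S/SA: (pkt & SA) == S
            want, mask = t[i + 1].split("/")
            r["flags"], i = (set(want), set(mask)), i + 2
        else:
            raise ValueError("unsupported keyword %r in: %s" % (k, line))
    return r

def port_ok(spec, port):
    """spec is None (any port), ('=', n), ('>', n), ('<', n) or ('><', lo, hi)."""
    if spec is None or port is None:         # no constraint / packet has no port (ICMP)
        return spec is None
    if spec[0] == "><":
        return spec[1] < port < spec[2]
    return {"=": port == spec[1], ">": port > spec[1], "<": port < spec[1]}[spec[0]]

def matches(r, p):
    """Does rule r match packet p (a dict built by packet() below)?"""
    addr_ok = all(r[s] is None or ipaddress.ip_address(p[s]) in r[s] for s in ("src", "dst"))
    return (r["dir"] == p["dir"] and (not r["iface"] or r["iface"] == p["iface"])
            and (not r["proto"] or p["proto"] in r["proto"].split("/"))   # tcp/udp
            and addr_ok and port_ok(r["sport"], p.get("sport")) and port_ok(r["dport"], p.get("dport"))
            and (not r["flags"] or (set(p.get("flags", "")) & r["flags"][1]) == r["flags"][0])
            and (r["icmp_type"] is None or p.get("icmp_type") == r["icmp_type"])
            and (not r["with"] or p.get(r["with"], False)))

def evaluate(ruleset, p):
    """Return (action, winning rule): last match wins unless a 'quick' rule matched."""
    verdict = ("pass", "<no rule matched>")
    for line in ruleset.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            r = parse_rule(line)
            if matches(r, p):
                verdict = (r["action"], line)
                if r["quick"]:
                    break
    return verdict

def packet(direction, proto, src, dst, iface="ippp0", **extra):
    """Build a constructed packet description for evaluate()."""
    return dict({"dir": direction, "proto": proto, "src": src, "dst": dst, "iface": iface}, **extra)

if __name__ == "__main__":
    p = packet("in", "tcp", "203.0.113.5", "192.168.1.10", dport=80, flags="S")
    print(evaluate(RULESET, p))              # ('pass', 'pass in all')
```

Running it shows the point of the trailing rules: an inbound SYN from the dialup side to a LAN host matches the non-quick "block in log on ippp0 proto tcp ... flags S/SA" rule, but "pass in all" matches later and wins, so the packet is passed; only the quick rules (port 113, the port ranges, the ICMP catch-all) actually stop anything. The same holds for the outbound side: "pass out all" is the default for whatever the non-quick "block out" rule above it matched, whereas the commented-out "block out quick" rules, once enabled, decide immediately. The authoritative check on the box itself is the real parser, run without loading anything: ipf -n -f /etc/ipf.conf.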