    Basic Question Re IPF rule orders

    Firewalling
      ipfftw last edited by

      Hello

      I used to use a double firewall that really rocked because of ipf. It was so intuitive and easy to get going, not to mention that it ran circles around iptables (shudder). I think I may have noobily forgotten something, though.

      Say I'm going to block a particular IP or range. What I have been doing is adding it into the WAN rules, starting at the top of the list of rules (webconfigurator). I also set many of them to LOG. Now when I go onto the console and look at pftop pkts under "pfTop: Up Rule 1-59/85, View: rules,", I don't see any pkts being processed by those rules.

      I know some hinet zombie was just hacking my ftp, but doing this and applying changes does not seem to block them. Is that because I need to refresh states? Should it be reflected on that page when they get blocked? It looks to me like there might be a few "pass in all" before my rules start to get applied. Is that the case? They don't have interfaces, though. I used to use the command "ipf -F a && ipf -f /etc/ipf.conf", but I had assumed that was built in somehow when you hit the apply rules button thing. Anyway, here's a sample of the beginning of my ruleset from pftop.

      RULE ACTION   DIR LOG Q IF     PR        K     PKTS    BYTES   STATES   MAX INFO
         0 Pass     In                                  0        0        0       all
         1 Pass     In                                  0        0        0       all
         2 Block    In      Q                           0        0        0       drop from <snort2c> to any
         3 Block    In      Q                           0        0        0       drop from any to <snort2c>
         4 Pass     In                                  0        0        0       all
         5 Pass     In      Q lo0                       0        0        0       all
         6 Pass     Out     Q lo0                       0        0        0       all
         7 Pass     In                                  0        0        0       all
         8 Pass     In                                  0        0        0       all
         9 Pass     In                                  0        0        0       all
        10 Pass     In      Q xl0    udp                0        0        0       inet from any port = bootpc to 255.255.255.255/32 port = bo
        11 Pass     In      Q xl0    udp                0        0        0       inet from any port = bootpc to 192.168.1.250/32 port = boot
        12 Pass     Out     Q xl0    udp                0        0        0       inet from 192.168.1.250/32 port = bootps to any port = boot
        13 Pass     In                                  0        0        0       all
        14 Pass     Out     Q xl1    udp                0        0        0       from any port = bootpc to any port = bootps
        15 Block    In  Log Q xl1    udp                0        0        0       drop inet from any port = bootps to 192.168.1.0/24 port = b
        16 Pass     In      Q xl1    udp               83    27388        0       from any port = bootps to any port = bootpc
        17 Block    In        !xl0                      0        0        0       drop inet from 192.168.1.0/24 to any
        18 Block    In        xl0                       0        0        0       drop inet6 from fe80::2a0:24ff:fed3:900e/128 to any
        19 Block    In                                  0        0        0       drop inet from 192.168.1.250/32 to any
        20 Pass     In                                  0        0        0       all
        21 Block    In  Log Q xl1                       0        0        0       drop inet from 10.0.0.0/8 to any
        22 Block    In  Log Q xl1                       0        0        0       drop inet from 127.0.0.0/8 to any
        23 Block    In  Log Q xl1                       0        0        0       drop inet from 172.16.0.0/12 to any
        24 Block    In  Log Q xl1                       0        0        0       drop inet from 192.168.0.0/16 to any
        25 Pass     In                                  0        0        0       all
        26 Block    In      Q                           0        0        0       drop from <virusprot> to any
        27 Pass     In                                  0        0        0       all
        28 Block    In  Log Q xl1                       1      514        0       drop from <bogons> to any
        29 Pass     Out     Q xl1              K     1559   591940        4       all
        30 Pass     In                                  0        0        0       all
        31 Pass     Out     Q xl1              K        0        0        0       all
        32 Pass     Out     Q xl0              K   117294 57737094      179       all
        33 Pass     In                                  0        0        0       all
        34 Pass     In      Q                  K     3024  1807098        0       inet from 192.168.1.0/24 to 192.168.1.250/32
        35 Block    In  Log          tcp                0        0        0       drop from <sshlockout> to any port = ssh
        36 Pass     In                                  0        0        0       all
        37 Pass     In                                  0        0        0       all
        38 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 64.182.13.0/28 to any
        39 Block    In  Log Q xl1    udp                0        0        0       drop inet from 64.182.13.0/28 to any
        40 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 207.32.241.0/28 to any
        41 Block    In  Log Q xl1    udp                0        0        0       drop inet from 207.32.241.0/28 to any
        42 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 24.12.177.0/28 to any
        43 Block    In  Log Q xl1    udp                0        0        0       drop inet from 24.12.177.0/28 to any
        44 Block    In      Q xl1    tcp                0        0        0       drop inet from 218.55.89.0/28 to any
        45 Block    In      Q xl1    udp                0        0        0       drop inet from 218.55.89.0/28 to any
        46 Block    In      Q xl1    tcp                0        0        0       drop inet from 218.55.89.0/28 to any

      Now, what I remember from ye olde IPF howto is that you don't do a "pass in all" till the very end, except for things like lo0. This is the default config, though, which is why I am confused. (My ipf howto is dated Sat Mar 10 14:08:51 EST 2001.)

      I have also noticed that the SSH session seems to expire if I leave pftop open for a large number of hours (say 12-24). Any idea about that? I used to just have a small monitor next to me that did the same thing as pftop, but it was more oldschool. I'd kinda like to do that again, but with ssh. I figured it was just overloading from the torrent traffic and kicking me (the state table is usually around 6k).

      Any help appreciated.

        sullrich last edited by

        We use PF.  Not IPF.

          ipfftw last edited by

          I'd imagine it's similar.

            sullrich last edited by

            @ipfftw:

            I'd imagine it's similar.

            No, not in the case of what you're asking for, sorry.

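Added example, not from the thread or from pfSense: a small Python model of how pf decides a packet's fate, built from the rule numbers and source prefixes in the pftop listing above and the meaning of its Q column (pf's quick flag). In pf, rules are walked in order and the last matching rule wins unless a matching rule is quick, which ends evaluation at once; that is why a quick block near the top is final even when non-quick "pass in all" rules sit before and after it. Rule 50 and the test addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Rule:
    num: int             # rule number as shown in pftop's RULE column
    action: str          # "pass" or "block"
    quick: bool          # True when pftop shows a "Q" in the Q column
    src: str = "any"     # source CIDR, or "any"
    proto: str = "any"   # "tcp", "udp" or "any"

    def matches(self, src_ip: str, proto: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.src == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def evaluate(rules, src_ip, proto):
    """pf semantics: walk the rules in order; the LAST matching rule wins,
    except that a matching 'quick' rule ends evaluation immediately.
    When no rule matches at all, pf's default is to pass the packet."""
    final = None
    for r in rules:
        if r.matches(src_ip, proto):
            final = r
            if r.quick:
                break
    return (final.action, final.num) if final else ("pass", None)


# Constructed subset of the thread's pftop listing (same numbers and prefixes),
# plus a hypothetical non-quick "pass in all" as rule 50 to show the effect.
RULES = [
    Rule(0, "pass", False),
    Rule(36, "pass", False),
    Rule(38, "block", True, "64.182.13.0/28", "tcp"),
    Rule(39, "block", True, "64.182.13.0/28", "udp"),
    Rule(44, "block", True, "218.55.89.0/28", "tcp"),
    Rule(50, "pass", False),
]
# The same rules with quick cleared: a later "pass in all" then overrides the block.
NO_QUICK = [replace(r, quick=False) for r in RULES]

if __name__ == "__main__":
    for ip, proto in (("64.182.13.5", "tcp"), ("64.182.13.5", "udp"), ("203.0.113.9", "tcp")):
        print(ip, proto, "quick:", evaluate(RULES, ip, proto),
              "no quick:", evaluate(NO_QUICK, ip, proto))
```

A rule that never shows packets in pftop's PKTS column may simply never be the winning match for the traffic you expect; compare the quick and non-quick results here before assuming a ruleset was not applied.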