Basic Question Re IPF rule orders
-
Hello
I used to use a double firewall that really rocked because of ipf. It was so intuitive and easy to get going, not to mention that it ran circles around iptables (shudder). I think I may have noobily forgotten something though.
Say I'm going to block a particular IP or range. What I have been doing is adding it into WAN rules starting at the top of the list of rules (webconfigurator). I also set many of them to LOG. Now when I go onto the console and look at pfTop pkts under "pfTop: Up Rule 1-59/85, View: rules,", I don't see any pkts being processed by those rules.
I know some hinet zombie was just hacking my ftp, but doing this and applying changes does not seem to block them. Is that because I need to refresh states? Should it be reflected on that page when they get blocked? It looks to me there might be a few "pass in all" before my rules start to get applied. Is that the case? They don't have interfaces though. I used to use the command "ipf -F a && ipf -f /etc/ipf.conf" but I had assumed that was built in somehow when you hit the apply rules button thing. Anyways, here's a sample of the beginning of my ruleset from pfTop.
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In 0 0 0 all
1 Pass In 0 0 0 all
2 Block In Q 0 0 0 drop from <snort2c> to any
3 Block In Q 0 0 0 drop from any to <snort2c>
4 Pass In 0 0 0 all
5 Pass In Q lo0 0 0 0 all
6 Pass Out Q lo0 0 0 0 all
7 Pass In 0 0 0 all
8 Pass In 0 0 0 all
9 Pass In 0 0 0 all
10 Pass In Q xl0 udp 0 0 0 inet from any port = bootpc to 255.255.255.255/32 port = bo
11 Pass In Q xl0 udp 0 0 0 inet from any port = bootpc to 192.168.1.250/32 port = boot
12 Pass Out Q xl0 udp 0 0 0 inet from 192.168.1.250/32 port = bootps to any port = boot
13 Pass In 0 0 0 all
14 Pass Out Q xl1 udp 0 0 0 from any port = bootpc to any port = bootps
15 Block In Log Q xl1 udp 0 0 0 drop inet from any port = bootps to 192.168.1.0/24 port = b
16 Pass In Q xl1 udp 83 27388 0 from any port = bootps to any port = bootpc
17 Block In !xl0 0 0 0 drop inet from 192.168.1.0/24 to any
18 Block In xl0 0 0 0 drop inet6 from fe80::2a0:24ff:fed3:900e/128 to any
19 Block In 0 0 0 drop inet from 192.168.1.250/32 to any
20 Pass In 0 0 0 all
21 Block In Log Q xl1 0 0 0 drop inet from 10.0.0.0/8 to any
22 Block In Log Q xl1 0 0 0 drop inet from 127.0.0.0/8 to any
23 Block In Log Q xl1 0 0 0 drop inet from 172.16.0.0/12 to any
24 Block In Log Q xl1 0 0 0 drop inet from 192.168.0.0/16 to any
25 Pass In 0 0 0 all
26 Block In Q 0 0 0 drop from <virusprot> to any
27 Pass In 0 0 0 all
28 Block In Log Q xl1 1 514 0 drop from <bogons> to any
29 Pass Out Q xl1 K 1559 591940 4 all
30 Pass In 0 0 0 all
31 Pass Out Q xl1 K 0 0 0 all
32 Pass Out Q xl0 K 117294 57737094 179 all
33 Pass In 0 0 0 all
34 Pass In Q K 3024 1807098 0 inet from 192.168.1.0/24 to 192.168.1.250/32
35 Block In Log tcp 0 0 0 drop from <sshlockout> to any port = ssh
36 Pass In 0 0 0 all
37 Pass In 0 0 0 all
38 Block In Log Q xl1 tcp 0 0 0 drop inet from 64.182.13.0/28 to any
39 Block In Log Q xl1 udp 0 0 0 drop inet from 64.182.13.0/28 to any
40 Block In Log Q xl1 tcp 0 0 0 drop inet from 207.32.241.0/28 to any
41 Block In Log Q xl1 udp 0 0 0 drop inet from 207.32.241.0/28 to any
42 Block In Log Q xl1 tcp 0 0 0 drop inet from 24.12.177.0/28 to any
43 Block In Log Q xl1 udp 0 0 0 drop inet from 24.12.177.0/28 to any
44 Block In Q xl1 tcp 0 0 0 drop inet from 218.55.89.0/28 to any
45 Block In Q xl1 udp 0 0 0 drop inet from 218.55.89.0/28 to any
46 Block In Q xl1 tcp 0 0 0 drop inet from 218.55.89.0/28 to any
Now what I remember from ye olde IPF howto is that you don't do a pass in all till the very end, except for things like lo0. This is the default config though, which is why I am confused. (My ipf howto is dated Sat Mar 10 14:08:51 EST 2001.)
I have also noticed that the SSH session seems to expire if I leave pftop open for a large number of hours (say 12-24). Any idea about that? I used to just have a small monitor next to me that did the same thing as pftop but it was more oldschool. I'd kinda like to do that again but with ssh. I figured it was just overloading from the torrent traffic and kicking me (state table is usually around 6k).
Any help appreciated.
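Checking whether a block rule has actually matched anything comes down to reading the PKTS/BYTES/STATES counters per rule, which is tedious by eye in a view like the one above. The following is an added example, not code from the post or from pfSense/pfTop: a small parser for lines in the pfTop "rules" view layout shown above (RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO), which lists the block rules that have hit and the ones that are still silent. The column layout, the flag names "Log", "Q" and "K", and the protocol list are assumptions taken from the header and rows in the post; the sample lines are copied from that output.

```python
"""Summarise hit counters per rule from pfTop 'rules' view lines.

Assumed layout (from the pfTop header in the post):
    RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
Empty optional columns (LOG, Q, IF, PR, K, MAX) are simply absent in the
text, so the parser finds the PKTS BYTES STATES integer triple and treats
every token between DIR and that triple as an optional flag.
"""
from dataclasses import dataclass
from typing import List, Optional

# Protocol names that can appear in the PR column (assumed set).
PROTOS = {"tcp", "udp", "icmp", "icmp6", "esp", "ah", "gre", "carp", "pfsync"}


@dataclass
class Rule:
    number: int
    action: str          # "Pass" or "Block"
    direction: str       # "In" or "Out"
    log: bool            # LOG column ("Log")
    quick: bool          # Q column ("Q")
    iface: Optional[str]  # IF column, may be negated like "!xl0"
    proto: Optional[str]  # PR column
    keep_state: bool     # K column ("K")
    pkts: int
    bytes: int
    states: int
    info: str            # everything after the counters


def parse_rule(line: str) -> Rule:
    """Parse one pfTop rule line into a Rule."""
    toks = line.split()
    number, action, direction = int(toks[0]), toks[1], toks[2]

    # Locate the first run of three integer tokens: PKTS BYTES STATES.
    i = 3
    while i + 2 < len(toks):
        if all(t.isdigit() for t in toks[i:i + 3]):
            break
        i += 1
    else:
        raise ValueError(f"no counter triple found in: {line!r}")

    flags = toks[3:i]
    proto = next((f for f in flags if f in PROTOS), None)
    # The interface is whatever flag is left once known markers are removed.
    leftovers = [f for f in flags if f not in ("Log", "Q", "K") and f != proto]
    iface = leftovers[0] if leftovers else None

    pkts, byts, states = (int(t) for t in toks[i:i + 3])
    # A MAX value, if present, would be a fourth integer and lands in info.
    return Rule(number, action, direction, "Log" in flags, "Q" in flags,
                iface, proto, "K" in flags, pkts, byts, states,
                " ".join(toks[i + 3:]))


def report(lines: List[str]) -> dict:
    """Return block rules that have matched packets and those that have not."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    hit = [(r.number, r.pkts) for r in rules if r.action == "Block" and r.pkts > 0]
    silent = [r.number for r in rules if r.action == "Block" and r.pkts == 0]
    return {"hit": hit, "silent": silent}


# Sample rows copied from the pfTop output in the post above.
SAMPLE = [
    "0 Pass In 0 0 0 all",
    "2 Block In Q 0 0 0 drop from <snort2c> to any",
    "16 Pass In Q xl1 udp 83 27388 0 from any port = bootps to any port = bootpc",
    "17 Block In !xl0 0 0 0 drop inet from 192.168.1.0/24 to any",
    "28 Block In Log Q xl1 1 514 0 drop from <bogons> to any",
    "29 Pass Out Q xl1 K 1559 591940 4 all",
    "34 Pass In Q K 3024 1807098 0 inet from 192.168.1.0/24 to 192.168.1.250/32",
    "35 Block In Log tcp 0 0 0 drop from <sshlockout> to any port = ssh",
    "38 Block In Log Q xl1 tcp 0 0 0 drop inet from 64.182.13.0/28 to any",
    "44 Block In Q xl1 tcp 0 0 0 drop inet from 218.55.89.0/28 to any",
]

if __name__ == "__main__":
    for r in (parse_rule(l) for l in SAMPLE):
        print(f"{r.number:>3} {r.action:<5} {r.direction:<3} log={r.log!s:<5} "
              f"quick={r.quick!s:<5} if={r.iface or '-':<5} pkts={r.pkts}")
    print(report(SAMPLE))
```

Run it against a saved copy of the pfTop view (one rule per line); the `quick` and `iface` fields make it easy to see which of your block rules are marked Q and bound to the WAN interface, and `report` shows at a glance that, in the sample above, only the bogons rule (28) has counted a packet so far.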
-
We use PF. Not IPF.
-
I'd imagine it's similar.
-