Netgate Discussion Forum
    Basic Question Re IPF rule orders

    Firewalling
    ipfftw

      Hello

      I used to use a double firewall that really rocked because of ipf. It was so intuitive and easy to get going, not to mention that it ran circles around iptables (shudder). I think I may have noobily forgotten something though.

      Say I'm going to block a particular IP or range. What I have been doing is adding it into the WAN rules, starting at the top of the list of rules (webConfigurator). I also set many of them to LOG. Now when I go onto the console and look at pfTop pkts under "pfTop: Up Rule 1-59/85, View: rules,", I don't see any pkts being processed by those rules.

      I know some hinet zombie was just hacking my ftp, but doing this and applying changes does not seem to block them. Is that because I need to refresh states? Should it be reflected on that page when they get blocked? It looks to me like there might be a few "pass in all" before my rules start to get applied. Is that the case? They don't have interfaces though. I used to use the command "ipf -F a && ipf -f /etc/ipf.conf", but I had assumed that was built in somehow when you hit the apply rules button thing. Anyways, here's a sample of the beginning of my ruleset from pfTop.

      RULE ACTION   DIR LOG Q IF     PR        K     PKTS    BYTES   STATES   MAX INFO
         0 Pass     In                                  0        0        0       all
         1 Pass     In                                  0        0        0       all
         2 Block    In      Q                           0        0        0       drop from <snort2c> to any
         3 Block    In      Q                           0        0        0       drop from any to <snort2c>
         4 Pass     In                                  0        0        0       all
         5 Pass     In      Q lo0                       0        0        0       all
         6 Pass     Out     Q lo0                       0        0        0       all
         7 Pass     In                                  0        0        0       all
         8 Pass     In                                  0        0        0       all
         9 Pass     In                                  0        0        0       all
        10 Pass     In      Q xl0    udp                0        0        0       inet from any port = bootpc to 255.255.255.255/32 port = bo
        11 Pass     In      Q xl0    udp                0        0        0       inet from any port = bootpc to 192.168.1.250/32 port = boot
        12 Pass     Out     Q xl0    udp                0        0        0       inet from 192.168.1.250/32 port = bootps to any port = boot
        13 Pass     In                                  0        0        0       all
        14 Pass     Out     Q xl1    udp                0        0        0       from any port = bootpc to any port = bootps
        15 Block    In  Log Q xl1    udp                0        0        0       drop inet from any port = bootps to 192.168.1.0/24 port = b
        16 Pass     In      Q xl1    udp               83    27388        0       from any port = bootps to any port = bootpc
        17 Block    In        !xl0                      0        0        0       drop inet from 192.168.1.0/24 to any
        18 Block    In        xl0                       0        0        0       drop inet6 from fe80::2a0:24ff:fed3:900e/128 to any
        19 Block    In                                  0        0        0       drop inet from 192.168.1.250/32 to any
        20 Pass     In                                  0        0        0       all
        21 Block    In  Log Q xl1                       0        0        0       drop inet from 10.0.0.0/8 to any
        22 Block    In  Log Q xl1                       0        0        0       drop inet from 127.0.0.0/8 to any
        23 Block    In  Log Q xl1                       0        0        0       drop inet from 172.16.0.0/12 to any
        24 Block    In  Log Q xl1                       0        0        0       drop inet from 192.168.0.0/16 to any
        25 Pass     In                                  0        0        0       all
        26 Block    In      Q                           0        0        0       drop from <virusprot> to any
        27 Pass     In                                  0        0        0       all
        28 Block    In  Log Q xl1                       1      514        0       drop from <bogons> to any
        29 Pass     Out     Q xl1              K     1559   591940        4       all
        30 Pass     In                                  0        0        0       all
        31 Pass     Out     Q xl1              K        0        0        0       all
        32 Pass     Out     Q xl0              K   117294 57737094      179       all
        33 Pass     In                                  0        0        0       all
        34 Pass     In      Q                  K     3024  1807098        0       inet from 192.168.1.0/24 to 192.168.1.250/32
        35 Block    In  Log          tcp                0        0        0       drop from <sshlockout> to any port = ssh
        36 Pass     In                                  0        0        0       all
        37 Pass     In                                  0        0        0       all
        38 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 64.182.13.0/28 to any
        39 Block    In  Log Q xl1    udp                0        0        0       drop inet from 64.182.13.0/28 to any
        40 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 207.32.241.0/28 to any
        41 Block    In  Log Q xl1    udp                0        0        0       drop inet from 207.32.241.0/28 to any
        42 Block    In  Log Q xl1    tcp                0        0        0       drop inet from 24.12.177.0/28 to any
        43 Block    In  Log Q xl1    udp                0        0        0       drop inet from 24.12.177.0/28 to any
        44 Block    In      Q xl1    tcp                0        0        0       drop inet from 218.55.89.0/28 to any
        45 Block    In      Q xl1    udp                0        0        0       drop inet from 218.55.89.0/28 to any
        46 Block    In      Q xl1    tcp                0        0        0       drop inet from 218.55.89.0/28 to any
      

      Now what I remember from ye olde IPF howto is that you don't do a "pass in all" till the very end, except for things like lo0. This is the default config though, which is why I am confused. (My ipf howto is dated Sat Mar 10 14:08:51 EST 2001.)

      I have also noticed that the SSH session seems to expire if I leave pftop open for a large number of hours (say 12-24). Any idea about that? I used to just have a small monitor next to me that did the same thing as pftop, but it was more old-school. I'd kinda like to do that again but with SSH. I figured it was just overloading from the torrent traffic and kicking me (state table is usually around 6k).

      Any help appreciated.

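The rule-order behaviour the question is about, as an added example (not code from the thread, pfSense or pf itself): a small Python model of pf's last-match-wins selection and the effect of the quick flag (the Q column in the pfTop listing), run over a constructed ruleset shaped after that listing. The `Rule`, `evaluate` and `winner_*` names are assumptions of this example.

```python
# Added example, not code from the thread: a model of pf's rule selection.
# pf walks every rule in order and the LAST match wins, unless a matching
# rule carries "quick" (the Q column in pfTop), which decides immediately.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # pfTop "Q" column
    iface: Optional[str] = None  # None = no interface restriction
    src: str = "any"             # source network or "any"

def matches(rule: Rule, iface: str, src_ip: str) -> bool:
    if rule.iface is not None and rule.iface != iface:
        return False
    if rule.src != "any":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    return True

def evaluate(rules: list[Rule], iface: str, src_ip: str) -> tuple[Optional[int], str]:
    """Return (index of the winning rule, action); no match means pf's default pass."""
    winner = None
    for idx, rule in enumerate(rules):
        if matches(rule, iface, src_ip):
            winner = idx
            if rule.quick:
                break          # quick: stop here, later rules are not consulted
    return winner, (rules[winner].action if winner is not None else "pass")

# Constructed ruleset shaped like the poster's listing: interface-less "pass in all"
# entries around a quick block on xl1 (interface and 64.182.13.0/28 taken from it).
RULESET = [
    Rule("pass"),
    Rule("pass"),
    Rule("block", quick=True, iface="xl1", src="64.182.13.0/28"),
    Rule("pass"),
]

def winner_with_quick() -> tuple[Optional[int], str]:
    # packet from the blocked /28 on xl1: the quick block at index 2 wins
    return evaluate(RULESET, "xl1", "64.182.13.5")

def winner_without_quick() -> tuple[Optional[int], str]:
    # same rules with quick cleared: the trailing "pass in all" is the last match
    rules = [Rule(r.action, False, r.iface, r.src) for r in RULESET]
    return evaluate(rules, "xl1", "64.182.13.5")
```

A block rule that sits above interface-less pass rules still wins only because of the quick flag; without it, a later pass rule that also matches takes the packet.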
      sullrich

        We use PF. Not IPF.

        ipfftw

          I'd imagine it's similar.

          sullrich

            @ipfftw:

            I'd imagine it's similar.

            No, not in the case of what you're asking for, sorry.
