Re: help with IP filter rules

---

• From: John Doe <john.doe@xxxxxxxxxx>
• Date: Tue, 28 Nov 2006 00:41:14 +0000

---

bill3 wrote:

Hello everyone.
I activated successfully IP filter in Solaris 10 with the following
rules:

block in all
pass in quick proto tcp from any to any port=22
pass in quick proto tcp from any to any port=25
pass in quick proto tcp from any to any port=80
pass in quick proto tcp from any to any port=587

Namely I want only the ssh, http and smtp services to be active. But
after activating the firewall I can't connect to the internet. When I
deactivate it there's no problem.

What's wrong with this rules? I thought they are correct :-(

Probably need some outgoing rules otherwise you are not going anywhere, substitute bge0 for whatever you are using.

John.


# ----------------------------------------------------------------------------
# Outgoing - Allow any outbound traffic from this computer (and the response)
# ----------------------------------------------------------------------------
pass out quick on bge0 all keep state
#
# ----------------------------------------------------------------------------
# Allow loopback traffic
# ----------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#----------------------------------------------------------------------------
# block from non-routable addresses
# ----------------------------------------------------------------------------
block in quick from 10.0.0.0/8
block in quick from 172.16.0.0/12



# Whatever else you need - you can add here ...




#
# ----------------------------------------------------------------------------
# Block everything else
# ----------------------------------------------------------------------------
block in log on bge0 all

.

---

• References:
  • help with IP filter rules
    • From: bill3

• Prev by Date: Solaris 10 snmp subagent ?
• Next by Date: Re: Determining the UNIX flavour and version from netboot filesets
• Previous by thread: Re: help with IP filter rules
• Next by thread: Solaris 10 snmp subagent ?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: ipf stopped working on 5.3 ... # 100 incoming bge0 ... pass in log quick proto tcp from any to any port = 443 flags S/SA keep state ... (FreeBSD-Security) Re: IPF Rule problem ... Your block in rule broke it. ... # in rare cases do we change these rules ... pass out quick on lo0 ... > pass out quick proto tcp from any to any keep state ... (FreeBSD-Security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)