Can't access rsh listen on lo0
Max Laier
max at love2party.net
Sat Sep 25 09:58:26 PDT 2004
On Saturday 25 September 2004 06:08, AndygreenNet at netscape.net wrote:
> Hello freebsd-pf,
>
> Help me please.
>
> I have:
> FreeBSD 5_2_1
> pf-freebsd-2.03
First of all ... to *everybody*: If you want a production use box with pf -
please move to a 5.3-BETA installation and get pf out of the box. If you are
worried about stability, set debug.mpsafenet=0 (PREEMPTION and ULE are off by
default). You won't regret it!
> I tried to access rsh listening on lo0.
> The connection is interrupted with the messages:
> rsh: Connection timeout;
> or
> rsh: Connection reset by peer.
That is a fairly complicated ruleset you have there; I have some trouble
reading it. But you might want to try the following:
> My pf.conf.
>
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="{ vlan1, fxp2 }" # replace with actual external interface name i.e., dc0
> int_if="fxp0" # replace with actual internal interface name i.e., dc1
> ext_bridge_if="{ vlan0, vlan2, vlan3 }"
unfiltered="{ lo0 }"
> int_bridge_if="{ xl0, vlan4, vlan5 }"
> internal_net_TTK="62.33.196.128/25"
> internal_net_RT_COMM="213.59.235.120/29"
> external_addr_TTK="62.33.196.254"
> external_addr_RT_COMM="213.59.128.130"
> restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
> allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023}"
> allow_udp_ports="{ domain, > 1023}"
> ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
> ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/usr/local/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> no rdr on lo0 from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>
# Allow loopback and friends
pass quick on $unfiltered
> # Filtering: external interfaces
> block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
> pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
> pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>
> # Filtering: external bridge interfaces
> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
> pass in quick on $ext_bridge_if $ARP_in
> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
> pass out quick on $ext_bridge_if $ARP_out
> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
> pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>
> # Filtering internal interfaces with keep state, logging blocked packets.
> block in log on $int_if all
> pass in quick on $int_if $ARP_out keep state
> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
> pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state
>
> # Filtering internal bridge interfaces with keep state, logging blocked packets.
> block in log on $int_bridge_if all
> pass in quick on $int_bridge_if $ARP_out keep state
> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
> pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state
>
> Where was I mistaken?
Not sure ... $pfctl -vsr and pflog0 may tell you.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
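The loopback exemption Max splices in above only does its job because of `quick`: pf evaluates rules top to bottom and, unless a matching rule says `quick`, the last matching rule wins, so a `pass` for lo0 that sits below a broad `block` is silently overridden, and one that sits above it without `quick` can still be overridden by a later block. The POSIX shell lint below, an added example that is not code from the list post, checks a pf.conf for exactly that ordering without needing pfctl or a pf-capable kernel. The function name lo0_check, the abbreviated sample ruleset it writes to a temporary file, and the two accepted spellings of the exemption (`pass quick on lo0`, or the macro form `pass quick on $unfiltered` with `unfiltered` containing lo0) are my assumptions for the example.

```shell
#!/bin/sh
# lo0_check FILE: exit 0 if FILE (a pf.conf) exempts lo0 from filtering
# before its first "block" rule, exit 1 otherwise. Text-only; no pfctl needed.
# Accepted exemptions (example's own choice): "set skip on lo0" (later pf
# releases), "pass quick on lo0", or "pass quick on $unfiltered" when the
# macro unfiltered was defined to contain lo0, as in Max's suggestion.
lo0_check() {
    awk '
        # strip trailing comments, skip empty lines, keep the real line number
        { line = $0; sub(/#.*/, "", line) }
        line ~ /^[ \t]*$/ { next }
        # remember the first loopback exemption we see
        line ~ /^[ \t]*set[ \t]+skip[ \t]+on[ \t]+.*lo0/ && !skip { skip = NR }
        line ~ /^[ \t]*pass[ \t]+quick[ \t]+on[ \t]+lo0/ && !skip { skip = NR }
        line ~ /^[ \t]*unfiltered[ \t]*=.*lo0/ { unf = 1 }
        unf && line ~ /^[ \t]*pass[ \t]+quick[ \t]+on[ \t]+\$unfiltered/ && !skip { skip = NR }
        # remember the first block rule ("set block-policy" starts with set, not block)
        line ~ /^[ \t]*block[ \t]/ && !blk { blk = NR }
        END {
            if (!skip) { print "no loopback exemption found"; exit 1 }
            if (blk && blk < skip) {
                print "lo0 exempted at line " skip " but a block rule at line " blk " comes first"
                exit 1
            }
            print "lo0 exempted at line " skip; exit 0
        }
    ' "$1"
}

# Constructed sample (not the full ruleset from the post): the macro,
# Max's "pass quick on $unfiltered", then the first block rule.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Macros
int_if="fxp0"
unfiltered="{ lo0 }"
restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
set block-policy drop
scrub in all
# Allow loopback and friends
pass quick on $unfiltered
block in log on $int_if all
pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
EOF
lo0_check "$demo_conf"
rm -f "$demo_conf"
```

The lint only reasons about ordering in the file; on the box itself, `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -vsr` (the command Max points to) lists the loaded rules with their per-rule packet counters so you can see which rule a connection actually hits, and `tcpdump -n -e -ttt -i pflog0` shows the packets dropped by rules that carry `log`. Note that in the posted ruleset only the `$int_if` and `$int_bridge_if` block rules log, so a loopback drop would not show up on pflog0 unless the rule that matched it had `log` as well.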