OSEC

From: Dries Schellekens (gwyllion@ace.ulyssis.org)
Date: Tue Jun 04 2002 - 03:50:23 CDT


    On Tue, 4 Jun 2002, Giacomo Marconi wrote:

    > Hi, I have a box with OpenBSD 3.1 that does almost everything.
    > "pfctl -s rules" shows me:
    >
    > [Tue Jun 4 11:32:16] root@belva # pfctl -s rules
    > 0 scrub in on dc1 all
    > 1 block in on dc1 all
    > 2 block in quick on dc1 inet from 255.255.255.255/32 to any
    > 3 block in quick on dc1 inet from 192.168.0.0/16 to any
    > 4 block in quick on dc1 inet from 172.16.0.0/12 to any
    > 5 block in quick on dc1 inet from 10.0.0.0/8 to any
    > 6 pass in quick on dc1 inet proto tcp from any to ...194/32 port = ftp
    > 7 pass in quick on dc1 inet proto tcp from any to ...194/32 port = ssh flags S/SA keep state
    > 8 pass in quick on dc1 inet proto udp from any to ...194/32 port = domain
    > 9 pass in quick on dc1 inet proto tcp from any to ...194/32 port = www
    > 10 pass in quick on dc1 inet proto tcp from any to ...194/32 port = pop3 keep state
    > 11 pass in quick on dc1 inet proto tcp from any to ...194/32 port = https keep state
    > 12 pass in quick on dc1 inet proto icmp all icmp-type echoreq code 0 keep state
    > 13 pass out quick on dc1 inet proto tcp all keep state
    > 14 pass out quick on dc1 inet proto udp all keep state
    > 15 pass out quick on dc1 inet proto icmp all keep state
    > 16 pass in quick on dc0 all
    > 17 pass out quick on dc0 all
    > 18 block in on sis0 all
    > 19 block out on sis0 all
    > 20 pass out on sis0 inet proto tcp all keep state
    > [Tue Jun 4 11:34:38] root@belva #

    Either you always use quick or you don't use quick at all. I find this
    hard to read :-)

    > But from the outside I can't reach the web, the ftp and DNS.
    > In fact an nmap from the outside shows me only ports 22, 110 and 443 are open,
    > while a lynx localhost and an ftp localhost work perfectly.
    > I've tried to add "flags S/SA keep state" to the guilty ports but without
    > results.
    > Where am I wrong?

    Perhaps you can try Daniel's simple debugging recipe:
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=100802678727776&w=2

    Greetings,

    Dries

    -- 
    Dries Schellekens
    email: gwyllion@ulyssis.org
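The quick/no-quick point in the reply above, as an added example that is not part of this thread: a small Python model of how pf picks the deciding rule (every rule is walked, the last match wins, except that a matching "quick" rule ends the walk at once), run over the dc1 inbound rules from the quoted pfctl output. Assumptions: the elided host address is replaced by the documentation address 203.0.113.194, the parser covers only the syntax that appears in those rules, and the rule list itself is constructed from the post for this demonstration.

```python
"""Model of pf rule evaluation: last matching rule wins, unless a matching
rule carries 'quick', which stops evaluation on the spot."""
import ipaddress

# Constructed input: the dc1 inbound rules from the quoted `pfctl -s rules`
# output. The elided host address is replaced by the documentation address
# 203.0.113.194 (an assumption, not the poster's real address).
RULES_TEXT = """\
scrub in on dc1 all
block in on dc1 all
block in quick on dc1 inet from 255.255.255.255/32 to any
block in quick on dc1 inet from 192.168.0.0/16 to any
block in quick on dc1 inet from 172.16.0.0/12 to any
block in quick on dc1 inet from 10.0.0.0/8 to any
pass in quick on dc1 inet proto tcp from any to 203.0.113.194/32 port = ftp
pass in quick on dc1 inet proto tcp from any to 203.0.113.194/32 port = ssh flags S/SA keep state
pass in quick on dc1 inet proto udp from any to 203.0.113.194/32 port = domain
pass in quick on dc1 inet proto tcp from any to 203.0.113.194/32 port = www
pass in quick on dc1 inet proto tcp from any to 203.0.113.194/32 port = pop3 keep state
pass in quick on dc1 inet proto tcp from any to 203.0.113.194/32 port = https keep state
pass in quick on dc1 inet proto icmp all icmp-type echoreq code 0 keep state
"""

SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80, "pop3": 110, "https": 443}


def parse_rule(line):
    """Parse the subset of pfctl rule syntax used above into a dict."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "dport": None,
            "keep_state": False, "text": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
            i += 1
        elif t in ("on", "proto", "from", "to"):
            key = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[t]
            rule[key] = toks[i + 1]
            i += 2
        elif t == "port":                      # "port = ftp" or "port = 21"
            name = toks[i + 2]
            rule["dport"] = SERVICES.get(name) or int(name)
            i += 3
        elif t == "keep":                      # "keep state"
            rule["keep_state"] = True
            i += 2
        else:                                  # all, inet, flags S/SA, icmp-type ...
            i += 1
    return rule


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"])
            and _addr_ok(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt.get("dport")))


def evaluate(rules, pkt):
    """Return (index, rule) of the rule that decides pkt's fate.
    pf walks every rule; the last match wins, except that a matching
    'quick' rule ends the walk immediately. scrub rules are not filter
    decisions and are skipped."""
    winner = (None, None)
    for idx, rule in enumerate(rules):
        if rule["action"] not in ("pass", "block"):
            continue
        if matches(rule, pkt):
            winner = (idx, rule)
            if rule["quick"]:
                break
    return winner


def strip_quick(rules):
    """Same rules with every 'quick' removed: pure last-match semantics."""
    return [dict(r, quick=False) for r in rules]


RULES = [parse_rule(line) for line in RULES_TEXT.splitlines()]


def decide(rules, src, dport=None, proto="tcp"):
    """Inbound packet on dc1 to the host; returns (rule index, action)."""
    pkt = {"dir": "in", "iface": "dc1", "proto": proto,
           "src": src, "dst": "203.0.113.194", "dport": dport}
    idx, rule = evaluate(rules, pkt)
    return idx, (rule["action"] if rule else None)


if __name__ == "__main__":
    for src, port in (("198.51.100.7", 22), ("192.168.1.5", 22), ("198.51.100.7", 25)):
        print(src, port, decide(RULES, src, port), "| no quick:", decide(strip_quick(RULES), src, port))
```

Three things fall out of running it. With the post's layout (a non-quick "block in all" followed by quick rules for everything else), rule 1 only ever decides packets that no later quick rule matched, so it behaves as a default deny. A packet from 192.168.1.5 to port 22 is stopped at rule 3 before the ssh pass rule is reached, which is the anti-spoofing intent. Drop "quick" everywhere to get a uniformly last-match ruleset and that same packet is now passed by rule 7, because the later pass overrides the earlier block; a no-quick ruleset needs the specific blocks after the passes, not before them. The model looks at rule order only, not at state tracking, so it says nothing about why ftp, www and dns were unreachable in the poster's case.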