From: "Roman Serbski" <mefystofel@gmail.com>
To: freebsd-questions@freebsd.org
Date: Tue, 28 Feb 2006 08:45:13 +0500
Subject: Re: Help with IP Filter 4.1.8
In-Reply-To: <44031DC4.6060804@locolomo.org>

On 2/27/06, Erik Norgaard wrote:
> read this line: This tells you where the packet is blocked.
> IIRC @0:2 means group 0 (you don't use groups) and 2 should be the second rule.
>
> If you list the ruleset with ipfstat -n that should give you rules with
> the same labeling.
>
> Also, add log keyword to your outgoing rule, to see that it is actually
> there the decision is made. You could have some default pass that does
> not create the state.
>
> I know that you've checked and rechecked - but it is really helpful for
> us to have the whole ruleset. If you like, change your ip's to x.x.x.x
> (but keep different ips different).

Hello Erik,

My ruleset consists of only 6 rules:

pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in quick on xl0 all

The rule # 2 which was blocking the reply from the DNS server is 'block in quick on xl0 all'.

Adding the 'log' keyword to the rule allowing outgoing 53/udp gives the following:

xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT

So outgoing 53/udp was successfully passed through, but the incoming reply was blocked again:

xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad

Yes, I also tried another DNS server - same results.

I think this is more of an ipf issue, so I'll try to ask for assistance on the ipf mailing list. I was just wondering if someone else has faced a similar problem during the upgrade from ipf v3.4.35 to v4.1.8.

Thank you.
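The check Roman did by eye, as an added Python example that is not from this thread or from IP Filter itself: it parses ipmon lines in the "iface @group:rule action src,sport -> dst,dport PR proto len ..." format shown above and reports any inbound block whose 5-tuple is the reverse of an earlier outbound pass that created state (K-S). The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders.

```python
import re

# Constructed ipmon(8) lines in the format quoted above (timestamp prefix
# omitted, as in the message). 192.0.2.10 stands in for the local host and
# 198.51.100.53 for the resolver; both are documentation placeholder addresses.
SAMPLE_LOG = """\
xl0 @0:3 p 192.0.2.10,50359 -> 198.51.100.53,53 PR udp len 20 57 K-S OUT
xl0 @0:2 b 198.51.100.53,53 -> 192.0.2.10,50359 PR udp len 20 298 IN bad
xl0 @0:2 b 198.51.100.7,4444 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
"""

# iface @group:rule action src,sport -> dst,dport PR proto len hlen plen flags...
LINE_RE = re.compile(
    r"^(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<tail>.*)$"
)

def parse_ipmon_line(line):
    """Parse one ipmon line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec.pop("tail").split()       # e.g. ["K-S", "OUT"]
    rec["dir"] = "OUT" if "OUT" in rec["flags"] else "IN"
    rec["keep_state"] = "K-S" in rec["flags"]     # a state entry was created
    return rec

def find_blocked_replies(log_text):
    """Return (iface, group, rule, 5-tuple) for each inbound block whose 5-tuple
    is the reverse of an earlier outbound pass that created state: replies the
    state table should have matched before any rule was consulted."""
    stateful, hits = set(), []
    for raw in log_text.splitlines():
        rec = parse_ipmon_line(raw)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["dir"] == "OUT" and rec["action"] == "p" and rec["keep_state"]:
            stateful.add(key)
        elif rec["dir"] == "IN" and rec["action"] == "b":
            reverse = (rec["proto"], rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if reverse in stateful:
                hits.append((rec["iface"], rec["group"], rec["rule"], key))
    return hits

if __name__ == "__main__":
    for iface, group, rule, flow in find_blocked_replies(SAMPLE_LOG):
        print("reply to keep-state flow blocked by @%s:%s on %s: %s" % (group, rule, iface, flow))
```

The in and out lists are numbered separately, which is why @0:3 above is the third 'out' rule (the udp keep state rule) while @0:2 is the second 'in' rule (block in quick on xl0 all).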