From owner-freebsd-questions@FreeBSD.ORG Wed Mar 29 12:07:24 2006
Message-ID: <442A7849.3060201@bah.homeip.net>
Date: Wed, 29 Mar 2006 14:06:33 +0200
From: B H
User-Agent: Mozilla/5.0 (X11; U; FreeBSD-4.10-RELEASE; sv-SE)
To: "freebsd-questions@FreeBSD.ORG"
References: <442A4E14.6090204@bah.homeip.net> <442A5D8A.1020708@locolomo.org>
In-Reply-To: <442A5D8A.1020708@locolomo.org>
Subject: Re: IP Filter problems on 4.11-STABLE

Erik Norgaard wrote:
> B H wrote:
>
>> Now IPFilter does not work or is VERY slow; ssh, web and mail time out.
>>
>> NAT is working like it should.
>>
>> # dmesg | grep 'IP Filter'
>> IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>>
>> ipf.rules looks like this:
>>
>> # Let clients behind the firewall send out to the internet, and replies to
>> # come back in by keeping state.
>> pass out quick on fxp0 proto tcp all keep state
>> pass out quick on fxp0 proto udp all keep state
>> pass out quick on fxp0 proto icmp all keep state
>>
>> # Since nothing should be coming from these address ranges, block them
>> block in log quick on fxp0 from 82.182.0.0/16 to any
>> block in quick on fxp0 from 192.168.0.0/16 to any
>> block in quick on fxp0 from 172.16.0.0/12 to any
>> block in quick on fxp0 from 10.0.0.0/8 to any
>> block in quick on fxp0 from 127.0.0.0/8 to any
>> block in quick on fxp0 from 192.0.2.0/24 to any
>> block in log quick on fxp0 from any to 10.0.0.0/32
>> block in log quick on fxp0 from any to 10.0.0.255/32
>
> 1st: the last two rules have no effect at all, packets are caught in the
> 4th in-rule.

Yes, I see that now.

> You have nat?

Yes, and it's working.

> are you routing traffic?

Yes.

> what is your network config (ifconfig)?

# ifconfig
rl0: flags=8843 mtu 1500
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::210:a7ff:fe0e:2ad9%rl0 prefixlen 64 scopeid 0x1
        ether 00:10:a7:0e:2a:d9
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 mtu 1500
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 fe80::230:6eff:fe06:6990%fxp0 prefixlen 64 scopeid 0x2
        ether 00:30:6e:06:69:90
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500

> from where to where are you trying to connect,

From the outside and in.

> Have you tried to sniff on the interface to see what traffic is
> coming in and going out?

No.

> ipfilter not working is good (I mean it is easier to track down),
> ipfilter being slow is really difficult to debug.
>
> Erik

BH
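The rule-ordering point raised in the thread is easy to check mechanically. With IP Filter, a "quick" rule ends evaluation on the first match, so any later rule whose source, destination, interface, direction and protocol are all contained in an earlier quick rule can never be reached. The script below is an added example and not code from this thread or from IP Filter; it parses only the rule syntax used in the quoted ipf.rules and runs over a constructed ruleset that repeats some of those rules and adds one extra host rule to show a shadowed case.

```python
# Added example, not code from the thread.  A "quick" rule ends evaluation on
# first match, so a later rule is unreachable when an earlier quick rule on the
# same interface/direction (same or wider proto) already decides all its packets.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))(?:\s+keep\s+state)?$"
)

def _net(text):
    # "any" (or the src/dst of "all") is all of IPv4; a bare host becomes a /32.
    return ipaddress.ip_network("0.0.0.0/0" if text in (None, "any") else text, strict=False)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    return {"dir": m.group("dir"), "iface": m.group("iface"), "proto": m.group("proto"),
            "quick": m.group("quick") is not None, "text": line.strip(),
            "src": _net(m.group("src")), "dst": _net(m.group("dst"))}

def covers(earlier, later):
    # Non-quick rules are not terminal, so they never shadow a later rule.
    return (earlier["quick"] and earlier["dir"] == later["dir"]
            and earlier["iface"] == later["iface"]
            and earlier["proto"] in (None, later["proto"])
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))

def shadowed_rules(lines):
    # Returns (unreachable rule, first rule that shadows it) pairs in file order.
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["text"], earlier["text"]))
                break
    return found

# Constructed ruleset: thread rules plus one extra host rule (last line).
SAMPLE_RULES = """
pass out quick on fxp0 proto tcp all keep state
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from 10.0.0.1/32 to any
""".strip().splitlines()
```

Running shadowed_rules(SAMPLE_RULES) reports only the final host rule, shadowed by the 10.0.0.0/8 block above it; a rule that matches on destination rather than source is not covered by a source-only block.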