Date:      Wed, 29 Mar 2006 08:29:37 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "B H" <bernt@bah.homeip.net>, "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   RE: IP Filter problems on 4.11-STABLE
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEHNHDAA.fbsd_user@a1poweruser.com>
In-Reply-To: <442A4E14.6090204@bah.homeip.net>

Your firewall rules are pretty much useless.
Your default is to pass everything that does not match a rule.
So other than those block rules everything is allowed out and in.

This means your slowness problem has nothing to do with your
firewall.
Read the handbook for ipfilter sample rule set if you want
a meaningful firewall.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of B H
Sent: Wednesday, March 29, 2006 4:06 AM
To: freebsd-questions@FreeBSD. ORG
Subject: IP Filter problems on 4.11-STABLE


Hello!


I upgraded a machine about a week ago from 4.10-p19, I believe it
was.

Now IPFilter does not work or is VERY slow; ssh, web and mail
time out.

NAT is working like it should.

# dmesg | grep 'IP Filter'
IP Filter: v3.4.35 initialized.  Default = pass all, Logging =
enabled

ipf.rules looks like this:

# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state

# Since nothing should be coming from these address ranges, block them
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
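To make the reply's point concrete, here is an added example (not from either poster, and not the handbook's rule set) that models the ipf(5) matching rules used in this thread and runs a few constructed packets through the posted ruleset and through the same rules placed behind a default deny. Interface, hosts and rule subset are assumptions; real ipf also tracks state for "keep state", which this model omits.

```python
import ipaddress  # stdlib only; all sample data below is constructed

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok)

def parse_rules(text):
    """ipf subset: action dir [log] [quick] on IF [proto P] (all|from A to B)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("#"):
            continue
        rules.append({
            "action": t[0], "dir": t[1], "quick": "quick" in t,
            "iface": t[t.index("on") + 1],
            "proto": t[t.index("proto") + 1] if "proto" in t else None,
            "src": _net(t[t.index("from") + 1]) if "from" in t else None,
            "dst": _net(t[t.index("to") + 1]) if "to" in t else None})
    return rules

def _matches(r, pkt):
    d, iface, proto, src, dst = pkt
    return (r["dir"] == d and r["iface"] == iface
            and r["proto"] in (None, proto)
            and (r["src"] is None or ipaddress.ip_address(src) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"]))

def evaluate(rules, pkt, default="pass"):
    """ipf semantics: last matching rule wins unless a matching rule says
    'quick', which stops evaluation; no match -> default (here 'pass all')."""
    verdict = default
    for r in rules:
        if _matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# Shape of the posted ruleset: pass out with state, block spoofed sources.
POSTED = """
pass out quick on fxp0 proto tcp all keep state
block in quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from any to 10.0.0.255/32
"""
# Same rules behind non-quick default-deny rules: later matches still win,
# so 'pass out quick' keeps working, but unmatched inbound traffic is dropped.
HARDENED = "block in on fxp0 all\nblock out on fxp0 all\n" + POSTED
# Constructed packets: (direction, iface, proto, src, dst)
SSH_IN = ("in", "fxp0", "tcp", "203.0.113.5", "198.51.100.7")   # unsolicited
SPOOF_IN = ("in", "fxp0", "tcp", "10.1.2.3", "198.51.100.7")    # RFC1918 source
WEB_OUT = ("out", "fxp0", "tcp", "198.51.100.7", "203.0.113.80")
```

With the posted rules, SSH_IN is passed because nothing matches and the kernel default is pass; with the default-deny prefix it is blocked while WEB_OUT still passes.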