From owner-freebsd-questions Sun Sep 3 3:15:18 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from beta.root-servers.ch (beta.root-servers.ch [195.49.33.19]) by hub.freebsd.org (Postfix) with SMTP id A961C37B424 for ; Sun, 3 Sep 2000 03:15:14 -0700 (PDT)
Received: (qmail 71375 invoked from network); 3 Sep 2000 10:15:12 -0000
Received: from client86-67.hispeed.ch (HELO 10.2.2.100) (62.2.86.67) by beta.root-servers.ch with SMTP; 3 Sep 2000 10:15:12 -0000
Date: Sun, 3 Sep 2000 12:17:05 +0200
From: Gabriel Ambuehl
X-Mailer: The Bat! (v1.46 Beta/3) UNREG / CD5BF9353B3B7091
Organization: BUZ Internet Services
X-Priority: 3 (Normal)
Message-ID: <8688272028.20000903121705@buz.ch>
To: questions@FreeBSD.org
Subject: Strange behaviour of IPFilter...
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello

I successfully got IPF and IPNat working for most services (prior to this, I used ipfw/natd). However, outgoing SMTP to *some* hosts is fucking slow (if I disable IPFilter, they work as they usually do). It seems to happen on the firewall as well as on the boxes behind it which use it as NAT gateway. The box is running FreeBSD 4.1-Stable as of Friday with the IPFILTER and IPFILTER_LOG kernel options but without ipfw.
I use the following IPFilter rules (rl1 is the public interface):

pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state
pass out quick on rl1 proto tcp from any to any keep state

#block ICMP on outside interface but allow type 0, ping, and type 11, traceroute, in
pass in log quick on rl1 proto icmp from any to any icmp-type 0
pass in log quick on rl1 proto icmp from any to any icmp-type 11
block in log quick on rl1 proto icmp from any to any

#block non-routed nets on the outside interface as those have to be spoofed
block in log quick on rl1 from 10.0.0.0/8 to any
block in log quick on rl1 from 172.16.0.0/12 to any
block in log quick on rl1 from 192.168.0.0/16 to any
block in log quick on rl1 from 127.0.0.0/8 to any
block out log quick on rl1 from 10.0.0.0/8 to any
block out log quick on rl1 from 172.16.0.0/12 to any
block out log quick on rl1 from 192.168.0.0/16 to any
block out log quick on rl1 from 127.0.0.0/8 to any

#block FUP packets used by nmap to do fingerprinting
block in log quick on rl1 proto tcp from any to any flags FUP

block in log on rl1 from any to any

#Allow Standard HTTP
pass in quick on rl1 from any to any port = 80
#Allow HTTPS
pass in quick on rl1 from any to any port = 443

And the following ones for IPNAT:

#General activation of NAT
map rl1 10.0.0.0/8 -> 0/32
#Activation of FTP clients
map rl1 0/0 -> 0/32 proxy port 21 ftp/tcp

BTW: Why aren't there any IPFILTER options in rc.conf like there are for ipfw? If even OpenBSD trusts in IPFILTER...

Best regards,
Gabriel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
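A revised ipf.rules fragment, added here as an editorial example and not the poster's own file, showing two properties of the ruleset above that are worth checking whenever outbound SMTP behaves oddly behind an ipf/ipnat gateway. First, the catch-all `block in log quick on rl1 proto icmp` also drops ICMP type 3 (destination unreachable), whose code 4 ("fragmentation needed") is what path MTU discovery depends on. Second, the default `block in log on rl1 from any to any` drops silently, so a remote MTA that performs an RFC 1413 ident/auth lookup back to TCP port 113 of the connecting address has to wait for its own lookup timeout before continuing, instead of receiving an immediate RST. The interface name rl1 and the address ranges come from the post; the ident rule, the ICMP type 3 rule and the explicit `proto tcp` on the service rules are the additions. The block is written in ipf(5) rule syntax.

```conf
# ipf.rules: defender-side revision of the posted ruleset (added example, not the poster's file).
# rl1 is the public interface (from the post). Rules marked 'quick' win on first match;
# without 'quick' the last matching rule wins, which is how the default deny below works.

# Outbound traffic from the gateway and from NAT'd clients, tracked in the state table.
pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state
pass out quick on rl1 proto tcp from any to any keep state

# Anti-spoofing: private and loopback space must neither arrive on nor leave via the public side.
block in log quick on rl1 from 10.0.0.0/8 to any
block in log quick on rl1 from 172.16.0.0/12 to any
block in log quick on rl1 from 192.168.0.0/16 to any
block in log quick on rl1 from 127.0.0.0/8 to any
block out log quick on rl1 from 10.0.0.0/8 to any
block out log quick on rl1 from 172.16.0.0/12 to any
block out log quick on rl1 from 192.168.0.0/16 to any
block out log quick on rl1 from 127.0.0.0/8 to any

# ICMP: echo reply (0) and time exceeded (11) as posted, plus destination unreachable (3).
# Type 3 code 4 ("fragmentation needed") is what path MTU discovery relies on; when a
# router on the path reports it and the gateway drops the report, large segments are
# retransmitted until the connection crawls or stalls. Admitting type 3 is addition, not
# something the post had.
pass in log quick on rl1 proto icmp from any to any icmp-type 0
pass in log quick on rl1 proto icmp from any to any icmp-type 11
pass in quick on rl1 proto icmp from any to any icmp-type 3
block in log quick on rl1 proto icmp from any to any

# Posted rule kept: drop segments with only FIN+URG+PSH set (the "Xmas" probe pattern).
block in log quick on rl1 proto tcp from any to any flags FUP

# ident/auth (RFC 1413), port 113: answer with a RST instead of dropping silently. A remote
# MTA that looks up the connecting user then gives up at once rather than after its timeout.
# Applies equally to lookups aimed at the NAT'd public address of inside clients.
block return-rst in quick on rl1 proto tcp from any to any port = 113

# Default inbound deny, logged. Deliberately not 'quick', so the service rules below override it.
block in log on rl1 from any to any

# Inbound services. The protocol is spelled out because ipf port comparisons belong to
# tcp/udp rules; SYN-only matching with state keeps the reply path consistent with the
# outbound rules above.
pass in quick on rl1 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on rl1 proto tcp from any to any port = 443 flags S/SA keep state
```

Whether either change matters for a given slow peer can be checked without guessing: a `tcpdump -ni rl1 'icmp or tcp port 113'` on the public interface during a slow SMTP session shows ICMP type 3 arriving and being logged as blocked, or inbound SYNs to port 113 going unanswered, as the case may be.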