From: "Nicholas von Waltsleben" <nicv@korbitec.com>
To: freebsd-questions@freebsd.org
Date: Thu, 8 Jun 2006 14:31:04 +0200
Subject: RE: Ipfilter 4.1.13 and freebsd 6.1

>> Nicholas wrote:
>>
>> I am currently running a couple of 6.1 and 5.4 servers as firewall /
>> routers for my company. I am experiencing some problems on the 6.1
>> server with ipfilter where it blocks oow (out of window) packets. I
>> have tried to update to the latest version of ipfilter but was unable to
>> compile my kernel after running the kupgrade script in the ipf source
>> folder. Does anyone have any hacks / patches that they have used to get
>> ipfilter version 4.1.13 running on FreeBSD 6.1-Release?
>>
>> Regards,
>> Nicholas
>
> Fbsd wrote:
>
> I run 6.1 with ipfilter and LAN full of Windows boxes NO PROBLEM.
>
> You need to provide a much greater level of details before making
> such unfounded statements as ipfilter is broken.

I never said that ipfilter was in any way broken, just that I was
experiencing problems running it since moving to a 6.1 server. My
apologies for not making myself clearer.

> Your rule set is most likely incorrect.
>
> Post description of your firewall/LAN setup along with your complete
> rule set for review by list.

Very well, here is some more information, but I am not about to post my
entire ruleset on a publicly searchable mailing list.

Extract from ipfstat -ni:

@2 block in quick on em0 all head 1
...
@9 pass in quick on em0 proto tcp from 196.31.10.14/32 to any port = http flags S/FSRPAU keep state group 1
...
@19 block in log quick on em0 all group 1

Ipmon output:

08/06/2006 14:23:01.652653 STATE:NEW 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp
...
08/06/2006 14:23:31.221693 em0 @1:20 b 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp len 20 64 -S IN OOW
08/06/2006 14:23:31.674548 STATE:NEW 165.165.192.80,50949 -> 196.7.156.157,80 PR tcp
08/06/2006 14:23:32.915562 STATE:NEW 165.165.192.80,53465 -> 196.7.156.157,80 PR tcp
08/06/2006 14:23:34.219658 em0 @1:20 b 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp len 20 64 -S IN OOW

The 165.x.x.x IP address is from an ADSL line I was using to troubleshoot
the problem (I was the only person using the line, so it made tcpdumps
etc. easier to read, less noise).

In our environment the problem was easily resolved by disabling SACK on
the Windows 2003 servers behind my firewall (something I have just
finished testing). But I would still like someone to please point me in
the right direction insofar as updating IPFilter to 4.1.13 under FreeBSD
6.1, as this solution is not to my liking.

Regards,
Nicholas
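The ipmon lines quoted above show the symptom directly: a STATE:NEW entry is created for the flow on port 53269, and thirty seconds later packets of that same flow are dropped by the "block in log" rule with the OOW marker. The following script is an added example, not part of the thread, that parses ipmon output in the two line shapes quoted in the post (STATE events and per-packet block/pass lines) and reports which flows had a state entry and were nevertheless later blocked as out-of-window. The sample input is constructed from the post's own lines; the regular expressions assume ipmon's default format as shown there and nothing beyond it.

```python
"""Added example: parse ipmon(8) output and flag flows that ipfilter's state
engine created and later dropped as out-of-window (OOW).  The line layouts
are taken from the two shapes quoted in the post; anything else is assumed."""
import re
from collections import defaultdict

# Constructed sample input, copied from the ipmon lines quoted in the post.
SAMPLE_IPMON_LINES = [
    "08/06/2006 14:23:01.652653 STATE:NEW 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp",
    "08/06/2006 14:23:31.221693 em0 @1:20 b 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp len 20 64 -S IN OOW",
    "08/06/2006 14:23:31.674548 STATE:NEW 165.165.192.80,50949 -> 196.7.156.157,80 PR tcp",
    "08/06/2006 14:23:32.915562 STATE:NEW 165.165.192.80,53465 -> 196.7.156.157,80 PR tcp",
    "08/06/2006 14:23:34.219658 em0 @1:20 b 165.165.192.80,53269 -> 196.7.156.157,80 PR tcp len 20 64 -S IN OOW",
]

# "src,sport -> dst,dport PR proto" is common to both line shapes.
_ENDPOINTS = r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
# State-table event: "<date> <time> STATE:<EVENT> <endpoints>"
STATE_RE = re.compile(r"^(?P<ts>\S+ \S+) STATE:(?P<event>\w+) " + _ENDPOINTS)
# Per-packet log: "<date> <time> <if> @<group>:<rule> <b|p> <endpoints> <len ... flags IN/OUT [OOW]>"
PACKET_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    + _ENDPOINTS + r"(?P<rest>.*)$"
)


def _normalise(rec):
    """Turn port strings into ints and add a hashable 4-tuple flow key."""
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flow"] = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return rec


def parse_ipmon_line(line):
    """Return a dict for one ipmon line, or None if the line is not recognised."""
    m = STATE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "state"
        return _normalise(rec)
    m = PACKET_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "packet"
        tokens = rec.pop("rest").split()
        rec["oow"] = "OOW" in tokens      # ipmon appends OOW for out-of-window drops
        rec["blocked"] = rec["action"] == "b"
        return _normalise(rec)
    return None


def oow_report(lines):
    """Per-flow counts of STATE:NEW events, OOW blocks and other blocks."""
    report = defaultdict(lambda: {"state_new": 0, "oow_blocks": 0, "other_blocks": 0})
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None:
            continue
        entry = report[rec["flow"]]
        if rec["kind"] == "state" and rec["event"] == "NEW":
            entry["state_new"] += 1
        elif rec["kind"] == "packet" and rec["blocked"]:
            entry["oow_blocks" if rec["oow"] else "other_blocks"] += 1
    return dict(report)


def flows_with_oow_after_state(lines):
    """Flows whose state entry was created and which were then blocked as OOW
    anyway: exactly the symptom the post describes.  Order of first hit kept."""
    seen_state = set()
    hits = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None:
            continue
        if rec["kind"] == "state" and rec["event"] == "NEW":
            seen_state.add(rec["flow"])
        elif (rec["kind"] == "packet" and rec["blocked"] and rec["oow"]
              and rec["flow"] in seen_state and rec["flow"] not in hits):
            hits.append(rec["flow"])
    return hits


if __name__ == "__main__":
    for flow, counts in oow_report(SAMPLE_IPMON_LINES).items():
        print(flow, counts)
    print("state created but later dropped OOW:", flows_with_oow_after_state(SAMPLE_IPMON_LINES))
```

Run against a live log with something like `python3 oow.py < /var/log/ipmon.log` after replacing the sample list with `sys.stdin`; a flow that shows up in the second report is one where the state engine's window tracking and the endpoint's actual sequence numbers disagree, which is the place to start comparing a tcpdump of the connection (and, as the post found, the SACK setting on the hosts behind the firewall) rather than the rule set.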