From owner-freebsd-questions@FreeBSD.ORG Sat Aug 26 20:40:52 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AD4316A4E0 for ; Sat, 26 Aug 2006 20:40:52 +0000 (UTC) (envelope-from keramida@ceid.upatras.gr)
Received: from igloo.linux.gr (igloo.linux.gr [62.1.205.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6CFEC43D88 for ; Sat, 26 Aug 2006 20:40:48 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.pc (patr530-a075.otenet.gr [212.205.215.75]) (authenticated bits=128) by igloo.linux.gr (8.13.7/8.13.7/Debian-2) with ESMTP id k7QKeVxC022712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 26 Aug 2006 23:40:34 +0300
Received: from gothmog.pc (gothmog [127.0.0.1]) by gothmog.pc (8.13.7/8.13.7) with ESMTP id k7QKeF7W002267; Sat, 26 Aug 2006 23:40:16 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.pc (8.13.7/8.13.7/Submit) id k7QKeFdT002266; Sat, 26 Aug 2006 23:40:15 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Sat, 26 Aug 2006 23:40:15 +0300
From: Giorgos Keramidas
To: "J.D. Bronson"
Message-ID: <20060826204015.GI1311@gothmog.pc>
References: <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com>
X-Hellug-MailScanner: Found to be clean
X-Hellug-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.91, required 5, autolearn=not spam, AWL -0.31, BAYES_00 -2.60, UNPARSEABLE_RELAY 0.00)
X-Hellug-MailScanner-From: keramida@ceid.upatras.gr
X-Spam-Status: No
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter on 6.1
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 26 Aug 2006 20:40:52 -0000

On 2006-08-26 15:02, "J.D. Bronson" wrote:
> I got a full load of 6.1p4 installed and all built. I have
> pppoe and ipfilter running almost perfect.
>
> Clients can use the machine (as a router) and get out
> perfectly! No issues with network performance at all. I am
> very pleased...until...
>
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174
>        alias 10.43.82.171 - for bind9 views
>        alias 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> well I can't even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind)
> are unanswered yet it is able to fully answer requests from
> internal or external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I
> want to connect up to, the router is able to get out and uses
> the correct IP.
>
> I used the same configs from Solaris on here (ipf.conf and
> ipnat.conf) and only needed to change sppp0 to tun0.
>
> this should take care of anything the machine itself needs:
>
> ============ipf.conf======================
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags
>
> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> ==========================================
>
> I am totally baffled. It's like I am being blocked somehow but
> even with ipfilter WIDE open - traffic still won't pass.
>
> I am wondering if this is some quirk with the interface
> aliases...although running the basic same setup on Solaris
> - it works perfectly.

Don't show us the ipf.conf file you are using, but the output of:

% ipfstat -hni
% ipfstat -hno

Then we can really know what rules you have loaded in IP Filter.
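The reply's point is that the rule file on disk and the rule set actually loaded in the kernel can differ, and that `ipfstat -hni` / `ipfstat -hno` show the latter together with per-rule hit counts. The script below is an added example, not part of this thread or of IP Filter itself: it reads an ipf.conf (the one quoted above, embedded here as sample text) and constructed ipfstat-style output, then reports rules that are in the file but not loaded, rules that are loaded but not in the file, loaded rules that have never matched, and which interfaces have pass/block rules in each direction. It assumes that `ipfstat -h` prints each rule as `<hit count> <rule text>`; the ipfstat sample lines are constructed, not captured from a real host.

```python
"""Compare an ipf.conf rule file with the rules IP Filter reports as loaded.

Added example. Assumption: `ipfstat -hni` / `ipfstat -hno` print one rule per
line, prefixed by the rule's hit count. Sample ipfstat output below is
constructed to differ from the file so every check has something to report.
"""
import re

# The ipf.conf quoted in the thread.
IPF_CONF = """\
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
"""

# Constructed stand-ins for `ipfstat -hni` and `ipfstat -hno` output:
# a stale inbound rule is still loaded, the outbound udp rule never got
# loaded, and the outbound icmp rule has never matched anything.
IPFSTAT_IN = """\
1523 pass in quick on bge0 all keep state keep frags
7 block in quick on tun0 from 10.0.0.0/8 to any
"""
IPFSTAT_OUT = """\
1498 pass out quick on bge0 all keep state keep frags
211 pass out quick on tun0 proto tcp all flags S keep state keep frags
0 pass out quick on tun0 proto icmp all keep state keep frags
"""

RULE_RE = re.compile(r'^(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)')


def normalize(rule):
    """Collapse whitespace so file and ipfstat renderings compare equal."""
    return ' '.join(rule.split())


def parse_conf(text):
    """Return the non-comment, non-empty rules of an ipf.conf, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            rules.append(normalize(line))
    return rules


def parse_ipfstat(text):
    """Return [(hits, rule), ...] from `ipfstat -h` style output."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*(\d+)\s+(.*\S)\s*$', line)
        if m:
            out.append((int(m.group(1)), normalize(m.group(2))))
    return out


def compare(conf_text, stat_in, stat_out):
    """Diff the file against the loaded rule set and flag never-hit rules."""
    wanted = parse_conf(conf_text)
    loaded = parse_ipfstat(stat_in) + parse_ipfstat(stat_out)
    loaded_rules = [r for _, r in loaded]
    return {
        'missing': [r for r in wanted if r not in loaded_rules],
        'unexpected': [r for r in loaded_rules if r not in wanted],
        'unused': [r for hits, r in loaded if hits == 0],
    }


def interface_coverage(rules):
    """Map direction -> set of interfaces that have at least one rule."""
    cov = {'in': set(), 'out': set()}
    for r in rules:
        m = RULE_RE.match(r)
        if m:
            cov[m.group(2)].add(m.group(3))
    return cov


if __name__ == '__main__':
    report = compare(IPF_CONF, IPFSTAT_IN, IPFSTAT_OUT)
    for key in ('missing', 'unexpected', 'unused'):
        print(f'{key}:')
        for r in report[key]:
            print('   ', r)
    print('interfaces with rules (file):', interface_coverage(parse_conf(IPF_CONF)))
```

On a real router the two ipfstat strings would be replaced by the captured command output; the coverage map is a quick way to see which interfaces and directions a rule set actually addresses before arguing about what a single rule does.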