Date: Thu, 24 May 2001 23:49:37 +0000
From: Gunther Schadow <gunther@aurora.regenstrief.org>
To: Jeff Dugan <jdugan21@home.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFilter Troubles
Message-ID: <3B0D9E11.8BF87C99@aurora.regenstrief.org>
References: <3B0D9C40.2763825B@home.com>
Jeff,

I use IPFilter without the IPFILTER_DEFAULT_BLOCK option so I may not
really know the problem you have. However, keep in mind that IPF uses
the "last match" rule, and if the default block means that the last
rule is to block, it will always block unless you use the "quick"
option for pass. My hunch is that your problem has to do with this;
not seeing your ipf.conf, however, I can't tell for sure. I doubt that
this is a kernel problem.

regards
-Gunther

Jeff Dugan wrote:
>
> I'm having some troubles with the IPFILTER_DEFAULT_BLOCK kernel option.
>
> When I try to ping either internal (ed0) or external (xl0) hostnames, I
> get.....
> # ping myhost
> PING myhost.mynet.org (192.168.24.1): 56 data bytes
> ping: sendto: No route to host. (x3)
> ^C
...
> When I compile my kernel without IPFILTER_DEFAULT_BLOCK, the problem is
> solved (obviously)
...
> I initially thought that this was a problem with my rules, so I tried
> opening everything, that did not work.

Yes, BUT did you pass "quick"?

> I've tried soooo many combinations it's not even funny! I tried modifying
> the ipnat mapping,...

Hands off ipnat if you have a blocking problem; it will only complicate
things. In any event use tcpdump to listen to your interface, see what
goes on on the wire.

> I sent my rules (ipf & ipnat) to a colleague running IPF,..they work
> great on his system.

Are you sure he had DEFAULT_BLOCK turned on? It's kind of hard for
someone else to test your filter rules because all the addresses etc.
are different. I doubt that his was a thorough testing.

> That colleague suggested running router="routed" router_flags="-s"
> router_enabled="YES", but this did not solve the prob,....
> Another suggested using the < option BRIDGE and option IPSTEALTH > in
> the kernel, but that didn't work....

Your routes work, because you say it works if you don't do
DEFAULT_BLOCK. So it has nothing to do with it. You don't need routed
if you don't use RIP in your local network. You likely have only some
simple static routes.

--
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
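The last-match and "quick" behaviour Gunther is pointing at, as an added example that is not part of the thread and not Jeff's or Gunther's code: a small Python simulator of how IPFilter walks a rule list (last matching rule wins, a matching "quick" rule ends the walk, and a packet that matches nothing gets the kernel default, which is block under IPFILTER_DEFAULT_BLOCK and pass otherwise). The ipf.conf subset it parses, the rule sets, the interface names xl0/ed0 and the addresses are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simulator of IPFilter's matching order (illustration, not the thread's code):
# rules are walked in order and the LAST matching rule decides, unless a
# matching rule says 'quick', which ends the walk at once. A packet matching
# no rule gets the kernel default: block with IPFILTER_DEFAULT_BLOCK, else pass.
# Grammar: a small subset of ipf.conf; rules, interfaces, addresses are constructed.

@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool
    iface: Optional[str]   # None = any interface
    proto: Optional[str]   # None = any protocol
    src: Optional[object]  # ip_network, None = any
    dst: Optional[object]

def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rule(line):
    """Parse 'pass|block in|out [quick] [on IF] [proto P] (all | from A to B)'."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"bad rule: {line!r}")
    quick, iface, proto, src, dst = False, None, None, None, None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick, i = True, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":
            proto, i = toks[i + 1], i + 2
        elif t == "from":
            src, i = _net(toks[i + 1]), i + 2
        elif t == "to":
            dst, i = _net(toks[i + 1]), i + 2
        elif t == "all":  # shorthand for 'from any to any'
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return Rule(action, direction, quick, iface, proto, src, dst)

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst))

def decide(rules, pkt, default_block):
    """Return 'pass' or 'block' for pkt under the rule list and kernel default."""
    verdict = None
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:      # quick: this match is final
                break
    if verdict is None:         # nothing matched: kernel default decides
        return "block" if default_block else "pass"
    return verdict

# NO_QUICK is the classic mistake: the pass rule matches, but the trailing
# 'block out all' also matches and, being last, wins.
NO_QUICK = [parse_rule(r) for r in (
    "pass out on xl0 proto icmp from any to any",
    "pass in on xl0 proto icmp from any to any",
    "block out all", "block in all")]
WITH_QUICK = [parse_rule(r) for r in (
    "pass out quick on xl0 proto icmp from any to any",
    "pass in quick on xl0 proto icmp from any to any",
    "block out all", "block in all")]
# ONLY_ED0 has no rule for xl0 at all, so xl0 traffic falls to the kernel
# default: fine on a default-pass kernel, dead on a default-block one.
ONLY_ED0 = [parse_rule("pass out on ed0 all"), parse_rule("pass in on ed0 all")]

PING_OUT = Packet("out", "xl0", "icmp", "192.168.24.2", "192.168.24.1")  # constructed

def demo():
    return {
        "no_quick": decide(NO_QUICK, PING_OUT, default_block=True),
        "with_quick": decide(WITH_QUICK, PING_OUT, default_block=True),
        "only_ed0_default_block": decide(ONLY_ED0, PING_OUT, default_block=True),
        "only_ed0_default_pass": decide(ONLY_ED0, PING_OUT, default_block=False),
    }
```

demo() returns "block" for the no-quick set even though a pass rule matched, "pass" once the pass rules carry "quick", and for the set with no xl0 rule at all the verdict flips with the kernel default alone, which is the "works without IPFILTER_DEFAULT_BLOCK, breaks with it" symptom. On the real box, `ipfstat -io` lists the rules ipf actually has loaded, and `tcpdump -ni xl0 icmp` shows whether the echo requests ever reach the wire.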