From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
Date: Thu, 24 May 2001 23:49:37 +0000
To: Jeff Dugan
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFilter Troubles

Jeff,

I use IPFilter without the IPFILTER_DEFAULT_BLOCK option, so I may not really know the problem you have. However, keep in mind that IPF uses the "last match" rule, and if the default block means that the last rule is to block, it will always block unless you use the "quick" option for pass. My hunch is that your problem has to do with this; not seeing your ipf.conf, however, I can't tell for sure. I doubt that this is a kernel problem.

regards
-Gunther

Jeff Dugan wrote:
>
> I'm having some troubles with the IPFILTER_DEFAULT_BLOCK kernel option.
>
> When I try to ping either internal (ed0) or external (xl0) hostnames, I
> get.....
> # ping myhost
> PING myhost.mynet.org (192.168.24.1): 56 data bytes
> ping: sendto: No route to host. (x3)
> ^C ...
> When I compile my kernel without IPFILTER_DEFAULT_BLOCK, the problem is
> solved (obviously) ...
> I initially thought that this was a problem with my rules, so I tried
> opening everything; that did not work.

Yes, BUT did you pass "quick"?

> I've tried soooo many combinations it's not even funny! I tried modifying
> the ipnat mapping,...

Hands off ipnat if you have a blocking problem; it will only complicate things. In any event, use tcpdump to listen to your interface and see what goes on on the wire.

> I sent my rules (ipf & ipnat) to a colleague running IPF,..they work
> great on his system.

Are you sure he had DEFAULT_BLOCK turned on? It's kind of hard for someone else to test your filter rules because all the addresses etc. are different. I doubt that his was a thorough testing.

> That colleague suggested running router="routed" router_flags="-s"
> router_enabled="YES", but this did not solve the prob,....
> Another suggested using the < option BRIDGE and option IPSTEALTH > in
> the kernel, but that didn't work....

Your routes work, because you say it works if you don't do DEFAULT_BLOCK. So it has nothing to do with that. You don't need routed if you don't use RIP in your local network. You likely have only some simple static routes.

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor         Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
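The "last match" behaviour Gunther describes is the thing that trips most people up with IPFilter, and it is worth being precise about the two separate mechanisms involved. First, ipf scans the whole rule list and the last rule that matches decides, unless a matching rule carries "quick", which ends the scan on the spot; so a "pass ... all" followed by a catch-all "block ... all" blocks everything unless the pass is quick. Second, IPFILTER_DEFAULT_BLOCK is not a rule at all: it is the policy applied to packets that match no rule, so traffic on an interface your pass rules never name is dropped by the kernel default even if no block rule exists. The small evaluator below models exactly those two mechanisms over a subset of ipf.conf syntax and runs Jeff's outbound ping (192.168.24.1 is from the thread; the other addresses and interface assignments are assumed) against three constructed rule sets. It is an added illustration written for this page, not code from the thread or from IPFilter, and it handles only direction, interface, and from/to networks (no protocols, ports, or keep state). On a real box, `ipfstat -hio` shows the per-rule hit counts, which tells you directly which rule is winning.

```python
"""Model of IPFilter rule evaluation: last match wins, 'quick' stops the scan,
and packets that match nothing fall to the kernel default policy
(block when built with IPFILTER_DEFAULT_BLOCK, pass otherwise).
Added example for this page; only a subset of ipf.conf syntax is supported.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    direction: str  # "in" or "out", relative to the host
    iface: str      # interface name, e.g. "ed0"
    src: str
    dst: str


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool                 # end the scan as soon as this rule matches
    iface: Optional[str]        # None = any interface
    src: Optional[IPv4Network]  # None = any source
    dst: Optional[IPv4Network]  # None = any destination
    text: str                   # original rule text, reported in the verdict


def _net(tok: str) -> Optional[IPv4Network]:
    return None if tok == "any" else ip_network(tok, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse: <pass|block> <in|out> [quick] [on IFACE] (all | from SRC to DST)."""
    toks = text.split()
    if len(toks) < 3 or toks[0] not in ("pass", "block") or toks[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {text!r}")
    action, direction = toks[0], toks[1]
    i, quick, iface, src, dst = 2, False, None, None, None
    if i < len(toks) and toks[i] == "quick":
        quick, i = True, i + 1
    if i + 1 < len(toks) and toks[i] == "on":
        iface, i = toks[i + 1], i + 2
    if i < len(toks) and toks[i] == "all":
        pass
    elif i + 3 < len(toks) and toks[i] == "from" and toks[i + 2] == "to":
        src, dst = _net(toks[i + 1]), _net(toks[i + 3])
    else:
        raise ValueError(f"unsupported rule: {text!r}")
    return Rule(action, direction, quick, iface, src, dst, text)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet, default_block: bool = True) -> Tuple[str, str]:
    """Scan every rule in order; the LAST match wins unless a matching rule is
    'quick'. With no match at all, the kernel default policy applies."""
    winner: Optional[Rule] = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    if winner is None:
        return ("block" if default_block else "pass", "default policy")
    return (winner.action, winner.text)


def evaluate(rule_texts: List[str], pkt: Packet, default_block: bool = True) -> Tuple[str, str]:
    return decide([parse_rule(t) for t in rule_texts], pkt, default_block)


# Constructed rule sets (illustrative; not Jeff's actual ipf.conf).
# A: pass first, catch-all block last, no 'quick' -> the block always wins.
RULES_LAST_MATCH = ["pass out on ed0 all", "pass in on ed0 all",
                    "block out all", "block in all"]
# B: same intent, but the pass rules are 'quick', so the scan stops there.
RULES_QUICK = ["pass out quick on ed0 all", "pass in quick on ed0 all",
               "block out all", "block in all"]
# C: pass rules only; traffic on an interface they do not name is decided
#    by the kernel default, i.e. blocked under IPFILTER_DEFAULT_BLOCK.
RULES_OPEN_ED0 = ["pass out on ed0 all", "pass in on ed0 all"]

# Jeff's ping leaving on ed0 (192.168.24.1 is from the thread; source assumed)
PING_OUT = Packet("out", "ed0", "192.168.24.2", "192.168.24.1")
# Traffic leaving on the other interface (addresses assumed)
PING_XL0 = Packet("out", "xl0", "192.0.2.10", "192.0.2.1")

if __name__ == "__main__":
    for name, rules in (("A last-match", RULES_LAST_MATCH), ("B quick", RULES_QUICK),
                        ("C open ed0", RULES_OPEN_ED0)):
        print(name, "ed0:", evaluate(rules, PING_OUT), "xl0:", evaluate(rules, PING_XL0))
```

Run it and the three rule sets tell the story: set A blocks the ed0 ping because "block out all" is the last match, set B passes it because the quick pass rule ended the scan, and set C passes ed0 but drops xl0 purely through the default policy, which is the case where flipping IPFILTER_DEFAULT_BLOCK off "fixes" things without any rule having changed.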