From: Duane Hill
Date: Sat, 26 Aug 2006 21:26:17 +0000
To: "J.D. Bronson"
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter on 6.1
Message-ID: <325068443.20060826212617@yournetplus.com>
In-Reply-To: <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com>

On Saturday, August 26, 2006 at 8:02:10 PM, J.D. confabulated:

> I got a full load of 6.1p4 installed and all built. I have pppoe and
> ipfilter running almost perfect.
> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
> bge0 - 10.43.82.174
>   alias 10.43.82.171 - for bind9 views
>   alias 10.43.82.51 - for bind9 views
> bge1 - connected to dsl modem
>
> Well, I can't even telnet from the machine to itself!
> 'destination unreachable'
> DNS requests from the server itself (to itself - it runs bind) are
> unanswered, yet it is able to fully answer requests from internal or
> external clients...just not itself!
> If I use a public DNS server -or- use the IP of the machine I want to
> connect up to, the router is able to get out and uses the correct IP.
> I used the same configs from solaris on here (ipf.conf and ipnat.conf)
> and only needed to change sppp0 to tun0.
> This should take care of anything the machine itself needs:
> ============ipf.conf======================
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags
> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> ==========================================
> I am totally baffled. It's like I am being blocked somehow, but even
> with ipfilter WIDE open - traffic still won't pass.
> I am wondering if this is some quirk with the interface
> aliases...although running the basic same setup on solaris - it works
> perfectly.

Did you build the kernel with 'IPFILTER_DEFAULT_BLOCK'? If so, you would
have to have two allowances at the end for anything else that didn't match
the other rules:

pass in all
pass out all

Being you are using 'quick', the processing stops when a match is found. If
no match is found and you have IPFILTER_DEFAULT_BLOCK enabled, everything
else would be blocked. I made this mistake when I set IPFilter up the first
time and it was in a colo facility over 800 miles away.

--
"This message was sent using 100% recycled electrons."
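The following is an added example, not code from this thread or from IPFilter itself: a small Python model of how ipf walks a ruleset (last matching rule wins, `quick` ends evaluation at once, and the kernel's default policy decides when nothing matches). It parses only the subset of ipf syntax that appears in J.D.'s ipf.conf (action, direction, `quick`, `on` interface, optional `proto`, `all`; `keep state`, `keep frags` and `flags S` are accepted but not modelled). The probe packets are constructed here; the assumption that the router's connections to its own addresses travel over `lo0`, which ipf filters on FreeBSD, is mine and is what ties the model to the symptoms: none of the posted rules name `lo0`, so with IPFILTER_DEFAULT_BLOCK that traffic falls through to the default and is dropped, while Duane's two trailing `pass ... all` rules catch it.

```python
"""Model of IPFilter rule evaluation (added example, not ipf code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating on match
    iface: Optional[str]   # None means any interface
    proto: Optional[str]   # None means any protocol


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str


# Only the subset of ipf syntax used in the thread; trailing keywords such as
# "keep state", "keep frags" and "flags S" are tolerated and ignored.
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(\s+quick)?(?:\s+on\s+(\S+))?(?:\s+proto\s+(\S+))?\s+all\b"
)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax in this model: {line}")
        action, direction, quick, iface, proto = m.groups()
        rules.append(Rule(action, direction, bool(quick), iface, proto))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default_block: bool) -> str:
    """Walk the ruleset the way ipf does: last match wins unless 'quick'."""
    verdict = "block" if default_block else "pass"   # kernel default policy
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Ruleset as posted in the thread.
ORIGINAL = """
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags
# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
"""

# Duane's suggestion: catch-all allowances after the quick rules.
FIXED = ORIGINAL + "pass in all\npass out all\n"

# Constructed probes; the lo0 ones assume the router's own connections loop back.
PROBES: Dict[str, Packet] = {
    "lan client -> router, in on bge0": Packet("in", "bge0", "tcp"),
    "router -> WAN, out on tun0": Packet("out", "tun0", "tcp"),
    "router -> itself (telnet), out on lo0": Packet("out", "lo0", "tcp"),
    "router -> itself (telnet), in on lo0": Packet("in", "lo0", "tcp"),
    "router -> own bind (DNS), out on lo0": Packet("out", "lo0", "udp"),
}


def check(ruleset_text: str, default_block: bool) -> Dict[str, str]:
    rules = parse_rules(ruleset_text)
    return {name: evaluate(rules, pkt, default_block) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("with pass-all rules", FIXED)):
        print(f"--- {label}, IPFILTER_DEFAULT_BLOCK ---")
        for name, verdict in check(text, default_block=True).items():
            print(f"{verdict:5}  {name}")
```

Run as-is it prints the verdict for each probe under a default-block kernel: the LAN and WAN probes pass with either ruleset, but every `lo0` probe is blocked by the original rules and passed once the two trailing `pass ... all` lines are present. With `default_block=False` the original ruleset passes everything, which is the behaviour J.D. describes from Solaris.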