From owner-freebsd-current@FreeBSD.ORG Wed Aug 11 20:32:34 2004
Message-ID: <411A820B.3040309@relcom.ru>
Date: Thu, 12 Aug 2004 00:31:08 +0400
From: anatoly@relcom.ru
To: freebsd-current@freebsd.org
Subject: strange ipfilter's behavior
List-Id: Discussions about the use of FreeBSD-current

Hey, after a few current cvsups ipfilter doesn't work properly. Seems nobody saw this problem. After the boot process has passed, it seems the ipfilter rules are not working properly (but they're loaded and you can see them via ipfstat -io). The rules themselves are applied for tun0 with ppp on it. If I run "ipf -Fa -f /etc/ipf.conf" manually, ipfilter starts working as it ought to. (Same situation with ipnat.) Question is: did I miss something in recent /etc/rc updates or is it a bug?
uname -a:
  FreeBSD lifebook 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Wed Aug 11 15:34:13 MSD 2004 root@lifebook:/usr/obj/usr/src/sys/LIFEBOOK i386

/etc/rc.conf:
  ipfilter_enable="YES"
  ipfilter_program="/sbin/ipf"
  ipfilter_rules="/etc/ipf.conf"
  ipfilter_flags=""
  ipnat_enable="YES"            # Set to YES to enable ipnat functionality
  ipnat_program="/sbin/ipnat"   # where the ipnat program lives
  ipnat_rules="/etc/ipnat.conf" # rules definition file for ipnat
  ipnat_flags=""                # additional flags for ipnat
  ipmon_enable="YES"
  ipmon_program="/sbin/ipmon"   # where the ipfilter monitor program lives
  ipmon_flags="-Ds"             # typically "-Ds" or "-D /var/log/ipflog"

/etc/ipf.conf: (pretty ugly)
  count out on tun0 from any to any
  count in on tun0 from any to any
  pass out quick on tun0 proto tcp from any to any keep state
  pass out quick on tun0 proto icmp from any to any keep state
  pass out quick on tun0 proto udp from any to any keep state
  block return-icmp in log quick on tun0 proto udp from any to any
  block return-icmp(proto-unr) in log quick on tun0 proto icmp from any to any
  block return-rst in log quick on tun0 proto tcp from any to any
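An added check, not from the original post, for one plausible reading of the symptom: every rule above names tun0, and if ppp creates tun0 only after rc has loaded the rule file, nothing matches until the manual reload. The script (constructed for this reply; `ifconfig -l` and `ipfstat -ioh` are the FreeBSD commands it assumes) lists ipf rules whose `on <iface>` refers to an interface that is not present, using the rule set above as embedded sample input.

```shell
#!/bin/sh
# Added example: find ipf rules bound to an interface that does not exist (yet).
# Only the ipf "... on <ifname> ..." syntax is handled; ipnat "map" rules are not.

# Constructed sample: the interface-bound rules from the report (all on tun0).
SAMPLE_RULES='count out on tun0 from any to any
count in on tun0 from any to any
pass out quick on tun0 proto tcp from any to any keep state
block return-rst in log quick on tun0 proto tcp from any to any'

# rules_missing_iface RULES PRESENT_IFACES
#   Prints each rule whose "on <iface>" names an interface absent from the
#   space-separated PRESENT_IFACES list; prints nothing when all are present.
rules_missing_iface() {
    printf '%s\n' "$1" | awk -v present="$2" '
        BEGIN { n = split(present, p, " "); for (i = 1; i <= n; i++) have[p[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == "on" && !($(i+1) in have)) { print; break }
        }'
}

# count_missing RULES PRESENT_IFACES
#   Number of rules that reference an absent interface (0 means all bind).
count_missing() {
    rules_missing_iface "$1" "$2" | wc -l | tr -d ' '
}

# check_live: run the same test against the real rule file and the interfaces
# currently configured on a FreeBSD host (assumes ifconfig -l lists them).
# Exits 1 and prints the offending rules when some interface is not up yet,
# so it can gate a reload such as "ipf -Fa -f /etc/ipf.conf" from a ppp
# link-up hook instead of doing it blindly at rc time.
check_live() {
    missing=$(rules_missing_iface "$(cat /etc/ipf.conf)" "$(ifconfig -l)")
    if [ -n "$missing" ]; then
        printf 'rules bound to absent interfaces:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}
```

After a reload on the real host, `ipfstat -ioh` shows per-rule hit counts, so the two `count` rules at the top of the file give a direct way to confirm traffic on tun0 is actually being seen by the rule set.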