From owner-freebsd-questions@FreeBSD.ORG Fri Jun 17 16:34:06 2005
Message-ID: <20050617163405.90407.qmail@web26903.mail.ukl.yahoo.com>
Date: Fri, 17 Jun 2005 17:34:05 +0100 (BST)
From: John Conner
To: DH
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20050617162100.1827.qmail@web33101.mail.mud.yahoo.com>
Subject: Re: Vexing IPF problem

David,

If you just REM'd the ipopts rule the firewall will stop at the next line:

  block in log quick proto tcp from any to any with short

Try commenting out both these lines as the "quick" in the second rule would
also cause the firewall to reject incoming traffic. Using "quick" tells the
firewall to stop traversing the rule set. In this case it will have read the
above rule and ignored the other "in" rules.

Hope this helps,

John

--- DH wrote:

> Hello John,
>
> The "opts" rule is actually rule # 4 - Rule #1 is:
>
>   block in log from any to any
>
> and the log indicates the return packet is getting blocked at rule 1:
> ....@0:1.....
>
> Just for the heck of it I did try your suggestion & REM'd out the "ipopts"
> rule but this had no effect.
>
> Thanks for the rsvp
>
> David Hutchens III
> Network Technician
>
> John Conner wrote:
>
> Hello David,
>
> I'm not an expert on IPF but on first inspection it would look like the
> problem is in your first fxp0 rule:
>
>   block in log quick on fxp0 from any to any with ipopts
>
> To the best of my knowledge when quick is added the firewall does not look
> at any of the other rules. If this is the case having quick in the above
> rule would cause the firewall to block every incoming packet.
>
> Hope this helps
>
> John
>
> --- DH wrote:
>
> > I'm having a problem with IPF blocking packets that it appears should be
> > let through.
> >
> > I've spent quite a bit of time going through the Handbook, man pages, etc
> > & I must be missing something so any help is greatly appreciated.
> >
> > uname -a freebsd 4.11-release #0
> >
> > SMP kernel, dual PIII processor, 512 MB ECC RAM, SCSI HDs
> >
> > excerpt from rule set:
> >
> > Kernel compiled with "default allow" until I finish getting the ruleset
> > rewritten.
> >
> > Rule #1 block in log from any to any
> >
> > pass in quick on lo0
> > pass out quick on lo0
> >
> > block in log quick on fxp0 from any to any with ipopts
> > block in log quick proto tcp from any to any with short
> > ...
> > pass in log first proto tcp from any to any port = 80 flags S keep state
> > pass in log first proto tcp from any port = 80 to any flags S keep state
> > pass out log first proto tcp from any to any port = 80 flags S keep state
> >
> > netstat -m = 129/576/16384
> > 9% of mb_map in use
> >
> > Proxy Server - Squid 2.5.stable10
> >
> > The behavior I'm seeing is outgoing connections to websites on port 80
> > are being passed but the inbound traffic is being blocked. The ipflog
> > entries look like this:
> >
> > my ip = s   theirs = d
> >
> > @0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT
> >
> > @0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN
> >
> > Thanks in advance to those giving their time to lend a hand, I know your
> > time is valuable.
> >
> > Please CC my address in your reply.
> >
> > David Hutchens III
> > Network Technician
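The three IPFilter behaviours the thread turns on (rules are walked top to bottom and the last match decides, "quick" ends the walk at the rule that carries it, and "keep state" on a pass rule lets the return half of a connection bypass the rules entirely) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from IPFilter itself: a small Python model of those behaviours, run over the excerpted ruleset and the two anonymized ipflog packets David posted. The rule numbers, the Packet/Rule/Firewall names and the reduced matching criteria (interfaces, the lo0 rules and "log first" are left out, "flags S" is treated as an exact flag set) are assumptions of the model, not IPF's implementation.

```python
"""Toy model of IPFilter rule evaluation (added example, not from the thread).

Models: top-to-bottom traversal with last-match-wins, "quick" short-circuiting,
and a state table filled by "keep state" that is consulted before the rules.
Interfaces and "log first" are ignored; rule numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as ipflog prints them: "S", "AR", ...
    ipopts: bool = False    # IP options present ("with ipopts")
    short: bool = False     # too-short fragment ("with short")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[str] = None   # "flags S": exact flag set required (model assumption)
    with_ipopts: bool = False
    with_short: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags == p.flags)
                and (not self.with_ipopts or p.ipopts)
                and (not self.with_short or p.short))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()          # 5-tuples the state table knows, both directions

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> Tuple[str, int]:
        """Return (verdict, deciding rule number); 0 = state-table hit, -1 = no match."""
        if self.key(p) in self.state:
            return ("pass", 0)      # known flow: the rule list is never consulted
        last = None
        for r in self.rules:
            if not r.matches(p):
                continue            # "quick" only matters on a rule that matches
            last = r
            if r.quick:
                break               # stop traversing the rule set
        if last is None:
            return ("pass", -1)     # kernel built "default allow", as in the thread
        if last.action == "pass" and last.keep_state:
            self.state.add(self.key(p))
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))  # return half
        return (last.action, last.number)


# Excerpted ruleset from the thread (numbers constructed; lo0 rules omitted)
RULES = [
    Rule(1, "block", "in"),                                          # block in log from any to any
    Rule(2, "block", "in", quick=True, with_ipopts=True),            # ... with ipopts
    Rule(3, "block", "in", quick=True, proto="tcp", with_short=True),  # ... with short
    Rule(4, "pass", "in", proto="tcp", dport=80, flags="S", keep_state=True),
    Rule(5, "pass", "in", proto="tcp", sport=80, flags="S", keep_state=True),
    Rule(6, "pass", "out", proto="tcp", dport=80, flags="S", keep_state=True),
]

# Constructed packets mirroring the two anonymized ipflog lines in the thread
OUT_SYN = Packet("out", "tcp", "s.s.s.s", 3601, "d.d.d.d", 80, flags="S")
IN_RST = Packet("in", "tcp", "d.d.d.d", 80, "s.s.s.s", 3601, flags="AR")
IN_SYN_80 = Packet("in", "tcp", "c.c.c.c", 40000, "s.s.s.s", 80, flags="S")
IN_SYN_80_OPTS = Packet("in", "tcp", "c.c.c.c", 40000, "s.s.s.s", 80, flags="S", ipopts=True)


def scenarios():
    """Run the constructed packets through the ruleset and return the verdicts."""
    fw = Firewall(RULES)
    return {
        "outbound SYN to 80":                  fw.filter(OUT_SYN),              # pass, rule 6
        "inbound ACK+RST, state kept":         fw.filter(IN_RST),               # pass via state
        "inbound ACK+RST, no state":           Firewall(RULES).filter(IN_RST),  # block, rule 1
        "inbound SYN to 80":                   Firewall(RULES).filter(IN_SYN_80),       # pass, rule 4
        "inbound SYN to 80 with IP options":   Firewall(RULES).filter(IN_SYN_80_OPTS),  # block, rule 2
    }


if __name__ == "__main__":
    for name, (verdict, num) in scenarios().items():
        print(f"{name:38s} -> {verdict} @ rule {num}")
```

Two things fall out of running it. First, the two "quick" block rules only end traversal for packets that actually carry IP options or are short fragments; an ordinary inbound SYN walks past them to the pass rule. Second, an inbound ACK+RST that has no state entry is decided by rule 1, because every later "pass in" rule requires exactly the SYN flag, which is the shape of the "@0:1 b ... -AR IN" line in David's log; with state from the outbound SYN present, the same packet never reaches the rules at all.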