From: "Donald J. O'Neill"
To: freebsd-questions@freebsd.org, fbsd_user@a1poweruser.com
Cc: Roman Serbski
Date: Sun, 26 Feb 2006 11:58:56 -0600
Subject: Re: Help with IP Filter 4.1.8
Message-Id: <200602261158.56738.duncan.fbsd@gmail.com>

On Sunday 26 February 2006 11:19, fbsd_user wrote:
> Since you say the same ipf rules work on your 5.3 system and you
> are trying to run them on 6.1-PRERELEASE, I would say the problem
> is 6.1-PRERELEASE.
>
> Prerelease versions and RC versions are not intended for public use.
> They are versions for people who know how to debug kernel code and
> help the developers test new versions.
>
> It does not look like you know how to debug kernel code or you
> would not be asking this question.
>
> You should be using 6.0 as that's the current production version.
> If you still have this problem on 6.0 then repost your question.
>
>
>
>
> Hi all,
>
> I am having a problem with ipf after recent upgrade to
> 6.1-PRERELEASE. Any help would be greatly appreciated.
>
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
>
> I am trying to allow outgoing dns requests from my server to DNS
> server of ISP. Here is my ruleset:
>
> ipfstat -oh
> 0 pass out quick on lo0 from any to any
> 0 pass out quick on xl0 proto tcp from any to any port = domain flags
> S/FSRPAU keep state
> 1 pass out quick on xl0 proto udp from any to any port = domain keep
> state
> 0 block out log quick on xl0 all
>
> ipfstat -ih
> 0 pass in quick on lo0 from any to any
> 0 block in quick on xl0 all
>
> I tried `host www.google.com` and the connection was timed out,
> although there was a hit on a rule allowing 53/udp.
>
> The interesting thing is that there is another server running
> 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and
> everything is working just fine.
>
> Thank you for your time.

If you're not going to give any better advice than this, why did you
give it at all? I don't see anything in the OP's message that requires
kernel debugging. Just some advice that he should check to see what
changes have been made to ipf v4.1.8 as compared to v3.4.35 and how
they affect rules.

Don