From: John Murphy
Reply-To: jfm@blueyonder.co.uk
To: questions@FreeBSD.ORG
Date: Mon, 07 Apr 2003 01:38:39 +0100
Message-ID: <74i19v4isusmlrpohohodush0gnmmsutvk@4ax.com>
Subject: 4.8 ipfilter ruleset compatibility question

Paranoia rules so my outside interface is currently down while I discover
what has changed to cause an ipfilter ruleset which worked fine under
IP Filter: v3.4.20 to be wide open without logging (apparently) with
v3.4.31.

I've upgraded from 4.4 to 4.8 release by re-installation and then copying
/etc/rc.conf and the usual others from the old drive to the new, including
the old, previously working, ipf.rules and ipnat.rules.

Everything worked except /var/log/ipf.log remained 0 bytes for far too
long. top said ipmon was running. The /var/log/messages indications of ipf
startup compare favourably:

Apr 1 22:01:42 wall /kernel: IP Filter: v3.4.20 initialized. Default = pass all, Logging = enabled
Apr 6 22:05:37 wall /kernel: IP Filter: v3.4.31 initialized. Default = pass all, Logging = enabled

A GRC scan showed ports scanned as closed, which is ok, but ipf.log = 0
and I need "stealth" and logs!

I changed the first rule from:

  # Block all incoming packets on the external interface, and log them.
  block in log on ed0 all

to

  block in log quick on ed0 all

Now a GRC scan indicates "stealth" and the log file has come alive with
the usual noise. ipnat still works?

I'm convinced there's no rule which overrides the first and passes
everything without logging, so has something drastically changed to cause
this?

Not sure if it's related but I've just tried top again:

wall# top
top: nlist failed

John.
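The behaviour behind the poster's fix, modelled as an added example that is not part of the post: IP Filter walks the ruleset top to bottom and the last matching rule decides the packet, unless a matching rule carries "quick", which ends the search at once, so a block without quick can be silently overridden by any later pass rule and nothing is logged. The later "pass in" rule and the probe packet are constructed assumptions standing in for whatever followed the first block in the poster's ruleset.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "block" or "pass"
    direction: str                # "in" or "out"
    iface: str                    # interface name, e.g. "ed0"
    quick: bool = False           # stop evaluation on match
    log: bool = False             # log the packet if this rule decides it
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt: Packet):
    """Return (action, logged) under IP Filter last-match semantics."""
    decided = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        decided = rule            # a later match replaces an earlier one
        if rule.quick:
            break                 # quick: this match is final
    if decided is None:
        return ("pass", False)    # matches the box's "Default = pass all"
    return (decided.action, decided.log)


# Assumed later rule, not from the post: a broad pass that follows the block.
LATER_PASS = Rule("pass", "in", "ed0")
BEFORE = [Rule("block", "in", "ed0", log=True), LATER_PASS]              # block in log on ed0 all
AFTER = [Rule("block", "in", "ed0", quick=True, log=True), LATER_PASS]   # block in log quick on ed0 all
PROBE = Packet("in", "ed0", "tcp", 135)   # constructed inbound scan probe

if __name__ == "__main__":
    print("before:", evaluate(BEFORE, PROBE))   # ('pass', False): later rule wins, nothing logged
    print("after: ", evaluate(AFTER, PROBE))    # ('block', True): quick makes the block final
```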