From: Jim Mock
To: John Murphy
Cc: questions@FreeBSD.ORG
Date: Sun, 6 Apr 2003 19:03:02 -0700
Subject: Re: 4.8 ipfilter ruleset compatibility question

On Mon, 07 Apr 2003 at 01:38:39 +0100, John Murphy wrote:
> Paranoia rules so my outside interface is currently down while I
> discover what has changed to cause an ipfilter ruleset which worked
> fine under IP Filter: v3.4.20 to be wide open without logging
> (apparently) with v3.4.31.
>
> I've upgraded from 4.4 to 4.8 release by re-installation and then
> copying: /etc/rc.conf and the usual others from the old drive to the
> new. Including the old, previously working, ipf.rules and
> ipnat.rules.
>
> Everything worked except /var/log/ipf.log remained 0 bytes for far too
> long. top said ipmon was running. The /var/log/messages indications
> of ipf startup compare favourably:
>
> Apr 1 22:01:42 wall /kernel: IP Filter: v3.4.20 initialized. Default = pass all, Logging = enabled
>
> Apr 6 22:05:37 wall /kernel: IP Filter: v3.4.31 initialized. Default = pass all, Logging = enabled
>
> A GRC scan showed ports scanned as closed, which is ok but
> ipf.log = 0 and I need "stealth" and logs!
>
> I changed the first rule from:
>
> # Block all incoming packets on the external interface, and log them.
> block in log on ed0 all
>
> to
>
> block in log quick on ed0 all
>
> Now a GRC scan indicates "stealth" and the log file has come alive
> with the usual noise. ipnat still works?
>
> I'm convinced there's no rule which overrides the first and passes
> everything without logging, so has something drastically changed to
> cause this?
>
> Not sure if it's related but I've just tried top again:
> wall# top
> top: nlist failed

Things like this usually happen if your kernel is out of sync with your
userland. "ps" is probably also broken if you're out of sync.

- jim

--
- jim mock. email: mij@soupnazi.org web: http://soupnazi.org -
- freebsd project: jim@FreeBSD.org opendarwin: mij@opendarwin.org -
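
As background for the one-word rule change quoted above, this added sketch (not part of the original thread, and not a diagnosis of it) models ipf's documented evaluation order: the last matching rule decides a packet's fate and whether it is logged, unless a matching rule carries `quick`. It parses only the `block|pass in|out [log] [quick] [on <if>] all` subset; the `pass in on ed0 all` rule is constructed for illustration and is not taken from John's ruleset.

```python
# Simplified model of ipf rule evaluation (added example, not from the thread).
# Grammar subset handled: block|pass in|out [log] [quick] [on <if>] all
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    log: bool              # log the packet if this is the deciding rule
    quick: bool            # stop evaluating at this rule when it matches
    iface: Optional[str]   # None means any interface

def parse_rule(line: str) -> Rule:
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("block", "pass") or tok[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    rest = tok[2:]
    log = rest[:1] == ["log"]
    rest = rest[1:] if log else rest
    quick = rest[:1] == ["quick"]
    rest = rest[1:] if quick else rest
    iface = None
    if rest[:1] == ["on"] and len(rest) >= 2:
        iface, rest = rest[1], rest[2:]
    if rest != ["all"]:
        raise ValueError(f"unsupported rule: {line!r}")
    return Rule(tok[0], tok[1], log, quick, iface)

def verdict(lines, direction, iface, default="pass"):
    """Return (action, logged) for one packet on `iface`.

    `default` mirrors the "Default = pass all" in the quoted kernel message.
    """
    action, logged = default, False
    for rule in map(parse_rule, lines):
        if rule.direction != direction or rule.iface not in (None, iface):
            continue
        action, logged = rule.action, rule.log   # last match so far wins
        if rule.quick:                           # quick makes this match final
            break
    return action, logged

FIRST_RULE_OLD = "block in log on ed0 all"        # from the quoted message
FIRST_RULE_NEW = "block in log quick on ed0 all"  # from the quoted message
LATER_RULE = "pass in on ed0 all"                 # constructed, hypothetical

if __name__ == "__main__":
    for first in (FIRST_RULE_OLD, FIRST_RULE_NEW):
        print(first, "->", verdict([first, LATER_RULE], "in", "ed0"))
```
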