Date: Sun, 6 Apr 2003 19:03:02 -0700
From: Jim Mock <mij@soupnazi.org>
To: John Murphy <jfm@blueyonder.co.uk>
Cc: questions@FreeBSD.ORG
Subject: Re: 4.8 ipfilter ruleset compatibility question
Message-ID: <20030407020302.GA57427@soupnazi.org>
In-Reply-To: <74i19v4isusmlrpohohodush0gnmmsutvk@4ax.com>
References: <74i19v4isusmlrpohohodush0gnmmsutvk@4ax.com>
On Mon, 07 Apr 2003 at 01:38:39 +0100, John Murphy wrote:
> Paranoia rules so my outside interface is currently down while I
> discover what has changed to cause an ipfilter ruleset which worked
> fine under IP Filter: v3.4.20 to be wide open without logging
> (apparently) with v3.4.31.
>
> I've upgraded from 4.4 to 4.8 release by re-installation and then
> copying /etc/rc.conf and the usual others from the old drive to the
> new, including the old, previously working, ipf.rules and
> ipnat.rules.
>
> Everything worked except /var/log/ipf.log remained 0 bytes for far too
> long. top said ipmon was running. The /var/log/messages indications
> of ipf startup compare favourably:
>
> Apr 1 22:01:42 wall /kernel: IP Filter: v3.4.20 initialized. Default = pass all, Logging = enabled
>
> Apr 6 22:05:37 wall /kernel: IP Filter: v3.4.31 initialized. Default = pass all, Logging = enabled
>
> A <cough> GRC scan showed ports scanned as closed, which is ok but
> ipf.log = 0 and I need "stealth" and logs!
>
> I changed the first rule from:
>
> # Block all incoming packets on the external interface, and log them.
> block in log on ed0 all
>
> to
>
> block in log quick on ed0 all
>
> Now a GRC scan indicates "stealth" and the log file has come alive
> with the usual noise. ipnat still works?
>
> I'm convinced there's no rule which overrides the first and passes
> everything without logging, so has something drastically changed to
> cause this?
>
> Not sure if it's related but I've just tried top again:
>
> wall# top
> top: nlist failed

Things like this usually happen if your kernel is out of sync with your
userland. "ps" is probably also broken if you're out of sync.

- jim

--
- jim mock. email: mij@soupnazi.org web: http://soupnazi.org -
- freebsd project: jim@FreeBSD.org opendarwin: mij@opendarwin.org -
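As an added illustration (not part of the thread above), the following Python model shows why adding `quick` to the first rule changes both the verdict and the logging: IPFilter evaluates every rule in order and lets the last matching rule decide, unless a matching rule says `quick`, and the `log` keyword only writes a record when its rule is the one that finally decides the packet. The later `pass in on ed0 all` rule is a constructed example of the kind of rule John says his ruleset does not contain; it is there only to make the difference visible.

```python
# Model of IPFilter rule evaluation (ipf.rules semantics):
#   - rules are checked top to bottom; the LAST matching rule decides,
#   - unless a matching rule carries "quick", which ends evaluation there,
#   - "log" on a rule only logs when that rule is the deciding one,
#   - with no matching rule the kernel default ("pass all") applies.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Rule:
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    iface: str       # interface name, e.g. "ed0"
    log: bool = False
    quick: bool = False

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf syntax used in the thread:
    '<block|pass> <in|out> [log] [quick] on <iface> all'."""
    words = line.split()
    action, direction = words[0], words[1]
    iface = words[words.index("on") + 1]
    return Rule(action, direction, iface, "log" in words, "quick" in words)

def evaluate(ruleset: List[Rule], direction: str, iface: str) -> Tuple[str, bool]:
    """Return (final_action, logged) for one packet on iface/direction."""
    decided = None
    for rule in ruleset:
        if rule.direction != direction or rule.iface != iface:
            continue
        decided = rule          # last match wins so far
        if rule.quick:
            break               # quick: stop looking at later rules
    if decided is None:
        return ("pass", False)  # "Default = pass all", nothing logged
    return (decided.action, decided.log)

# Constructed ruleset: the page's original first rule followed by a loose
# pass rule (hypothetical; added here only to show the effect of "quick").
LOOSE = [parse_rule("block in log on ed0 all"),
         parse_rule("pass in on ed0 all")]
# Same ruleset with John's corrected first rule.
FIXED = [parse_rule("block in log quick on ed0 all"),
         parse_rule("pass in on ed0 all")]

if __name__ == "__main__":
    print("without quick:", evaluate(LOOSE, "in", "ed0"))  # ('pass', False)
    print("with quick:   ", evaluate(FIXED, "in", "ed0"))  # ('block', True)
```

Running the block shows that without `quick` the later pass rule both opens the interface and suppresses the log entry from the block rule, which matches the "wide open without logging" symptom; with `quick` the block rule decides and logs.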
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030407020302.GA57427>