From: Feisal Umar
To: stable@freebsd.org
Date: Wed, 25 Oct 2000 00:19:31 +0800
Subject: FreeBSD Upgrade from STABLE3.5 to STABLE4.1.1: ipf misbehaving

Are there any known issues/gotchas of using IPFILTER and NATD on hosts running FreeBSD STABLE-4.1.1 which was just recently upgraded from a STABLE3.5?

I am encountering a very baffling problem with the current setup, which was CVSup'd and built Sunday 23rd Oct 2000. My input files were exactly the same as on the previous 3.5STABLE host (no changes to the rulesets), and I rebuilt the ipl devices.

The host is running IPFILTER and IPNAT in a router/firewall combo. IPNAT seems to be working perfectly; only IPF seems to be misbehaving. All packets seem to be blocked due to the presence of my catch-all:

    block in log on fxp0 all

The only way for me to restore order (or at least to save my ***) was to change from DENY DEFAULT STANCE to ALLOW ALL BY DEFAULT by changing the corresponding rule to:

    pass in on fxp0

I tried to work from scratch, but it seems nothing works. I can't even selectively block any packets with the interface/proto combo, e.g.

    block in log on fxp0 proto tcp from any to any port = 113

(can't recall the exact syntax, but I assure you I used it as it was when the box was 3.5STABLE). The logs suggested to me that everything seems only to depend on rule #71 (from ipfstat -in), which was the "catch-all" rule.

What's happening? Did I miss something during the upgrade? Everything else is working perfectly, in fact better than before. Appreciate any thoughts on this matter. Thanks in advance.

Additionally, ipmon is not logging to syslog via LOCAL0 (as it was previously). I had to change my syslogd.conf to log ipmon's output using the !ipmon feature.

Feisal Umar
Webcraft Sdn Bhd - http://www.webcraft99.com

There's no trick to being a humorist when you have the whole government working for you. -- Will Rogers
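As an added illustration (not code from the original mail or from IP Filter itself), this small Python simulator reproduces the ipf evaluation order that a trailing catch-all like the one above interacts with: rules are walked top to bottom, the last matching rule decides unless a matching rule carries "quick", and a packet matching no rule passes. The rule grammar is a simplified subset, and the port 80 pass rule and sample packets are constructed for the example; only the catch-all is the rule quoted in the mail.

```python
import re
from collections import namedtuple

# Simplified ipf rule grammar: action dir [log] [quick] [on iface] [proto p]
# (from X to Y [port = N] | all). Real ipf accepts far more than this.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<dport>\d+))?|\s+all)?\s*$"
)
Rule = namedtuple("Rule", "action direction quick iface proto dport")  # None = any

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return Rule(m["action"], m["dir"], bool(m["quick"]), m["iface"], m["proto"],
                int(m["dport"]) if m["dport"] else None)

def matches(rule, pkt):
    return (rule.direction == pkt["dir"]
            and rule.iface in (None, pkt["iface"])
            and rule.proto in (None, pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (verdict, 1-based number of the deciding rule) as ipf would."""
    verdict, hit = "pass", None              # nothing matches: ipf passes
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            verdict, hit = rule.action, n    # a later match overrides an earlier one
            if rule.quick:
                break                        # "quick" makes this match final
    return verdict, hit

# Constructed rulesets: a pass rule for port 80 followed by the mail's catch-all.
LAST_MATCH = [parse_rule(r) for r in (
    "pass in on fxp0 proto tcp from any to any port = 80",
    "block in log on fxp0 all")]
WITH_QUICK = [parse_rule(r) for r in (
    "pass in quick on fxp0 proto tcp from any to any port = 80",
    "block in log on fxp0 all")]
WEB = {"dir": "in", "iface": "fxp0", "proto": "tcp", "dport": 80}
IDENT = {"dir": "in", "iface": "fxp0", "proto": "tcp", "dport": 113}

if __name__ == "__main__":
    for name, rules in (("last-match", LAST_MATCH), ("with quick", WITH_QUICK)):
        for pkt in (WEB, IDENT):
            print(name, pkt["dport"], evaluate(rules, pkt))
```

Without "quick" on the pass rule, the catch-all in last position wins for every inbound packet on fxp0, which is the behaviour to check for when a ruleset seems to depend only on its final rule.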