From: Angelin Lalev
Date: Sat, 02 Apr 2005 12:28:25 +0000
To: freebsd-questions@freebsd.org
Subject: ipfilter problems
Message-ID: <424E8FE9.1090904@sv-bg.com>

Two days ago I switched the firewall on my FreeBSD 5.3-RELEASE router from ipfw to ipfilter. Firewalls are not my speciality, and ipfilter looked like a simpler way to do NAT with a firewall, because it separates the NAT rules from the filtering rules.
The router has two interfaces, rl0 (192.168.0.254/24) and rl1 (82.137.64.106/29, 192.168.5.1/24, 10.1.6.2/24). ipfilter is compiled into the kernel:

======================
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

/etc/ipnat.conf
============
map rl1 192.168.0.1/27 -> 82.137.64.106/32

/etc/ipf.rules
============
pass in quick on lo0
pass out quick on lo0
pass out quick on rl0 all
pass in quick on rl0 all
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 80 flags S keep state
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 3128 flags S keep state
# local counter-strike server. No NAT.
pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
block in quick on rl1 from 192.168.5.1/24 to any
pass out quick on rl1 all keep state

The problem
========
On the 192.168.0.0/24 network I have 6 machines. The router itself is an old 166 MHz Pentium box, but load averages are not bigger than 10%. When one of the machines makes a DNS lookup (the DNS server is outside - 62.73.78.2) it fails with a timeout about 9 times out of 10. ipfstat -t shows that a rule is created - something like this:

Source IP           Dest IP          ST   PR   pkts.  bytes
192.168.0.4,1029    62.73.78.2,53    0/0  udp  165    9992

Any help will be appreciated.
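As an added illustration (not part of the original post or of any reply to it), the following Python model walks the quoted DNS query through the posted ipf.rules and ipnat.conf under simplified ipfilter semantics. It is a toy, not FreeBSD's ipfilter: the last-match-unless-quick evaluation order, per-interface state entries, NAT applied before the inbound filter and after the outbound filter, and the absence of port remapping and state timeouts are all assumptions stated in the docstring, and the packet addresses and ports are constructed from the post (1029/udp to 62.73.78.2:53 from 192.168.0.4). It is not a diagnosis of the timeout; it only shows which rule each hop of the lookup and its reply would hit under those assumptions, and why the state entry is keyed on 192.168.0.4 rather than on the NAT address.

```python
"""Toy model of ipfilter's packet path for the rule set posted above, under
simplified ipf(5)/ipnat(5) semantics assumed here (not FreeBSD's code):
  * rules run top to bottom; the LAST match wins unless that rule says
    `quick`, which ends evaluation; no match = block (IPFILTER_DEFAULT_BLOCK);
  * `keep state` on a matching pass rule records the flow on that interface;
    later packets of the flow, either direction, bypass the rule list;
  * inbound packets are un-NATed BEFORE filtering, outbound packets are
    filtered first and NATed AFTER, so state holds the private addresses
    (hence the 192.168.0.4 entry in the quoted ipfstat -t line);
  * no port remapping, no state timeouts, TCP flags ignored."""
import ipaddress

RULES = """\
pass in quick on lo0
pass out quick on lo0
pass out quick on rl0 all
pass in quick on rl0 all
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 80 flags S keep state
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 3128 flags S keep state
pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
block in quick on rl1 from 192.168.5.1/24 to any
pass out quick on rl1 all keep state
"""
# /etc/ipnat.conf as posted; ipf masks host bits, so 192.168.0.1/27 = 192.168.0.0-31
NAT_IFACE, NAT_ADDR = "rl1", "82.137.64.106"
NAT_SRC = ipaddress.ip_network("192.168.0.1/27", strict=False)

def parse_rule(line):
    """Parse the subset of ipf rule syntax used on the page into a dict."""
    t = line.split()
    r = dict(action=t[0], dir=t[1], quick=False, iface=None, proto=None,
             src=None, dst=None, dport=None, keep_state=False)
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("on", "proto"):
            r["iface" if w == "on" else "proto"] = t[i + 1]
        elif w in ("from", "to"):           # "any" or host/CIDR (host bits masked)
            a = t[i + 1]
            r["src" if w == "from" else "dst"] = None if a == "any" else ipaddress.ip_network(a, strict=False)
        elif w == "port":                   # "port = N"
            r["dport"] = int(t[i + 2])
        elif w in ("quick", "keep"):        # "keep state"
            r["quick" if w == "quick" else "keep_state"] = True
        elif w not in ("all", "flags"):     # TCP flags not modelled
            raise ValueError(f"unsupported token {w!r}: {line}")
        i += {"quick": 1, "all": 1, "port": 3}.get(w, 2)
    return r

def _matches(r, p, direction, iface):
    return (r["dir"] == direction and r["iface"] == iface
            and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and r["dport"] in (None, p["dport"]))

class Ipf:
    def __init__(self, rules=RULES):
        self.rules = [parse_rule(l) for l in rules.splitlines() if l]
        self.state = set()   # (iface, proto, src, sport, dst, dport), private addrs
        self.nat = {}        # (public addr, port) -> (private addr, port)

    def _filter(self, p, direction, iface):
        fwd = (iface, p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (iface, p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.state or rev in self.state:
            return "pass", "state"
        verdict, why = "block", "default"
        for n, r in enumerate(self.rules, 1):
            if _matches(r, p, direction, iface):
                verdict, why = r["action"], f"rule {n}"
                if r["keep_state"] and r["action"] == "pass":
                    self.state.add(fwd)
                if r["quick"]:
                    break
        return verdict, why

    def packet(self, p, direction, iface):
        """One packet through NAT + filter in ipfilter order -> (verdict, reason, packet)."""
        p = dict(p)
        if direction == "in" and iface == NAT_IFACE:              # un-NAT first
            p["dst"], p["dport"] = self.nat.get((p["dst"], p["dport"]), (p["dst"], p["dport"]))
        verdict, why = self._filter(p, direction, iface)
        if (verdict == "pass" and direction == "out" and iface == NAT_IFACE
                and ipaddress.ip_address(p["src"]) in NAT_SRC):  # NAT after filtering
            self.nat[(NAT_ADDR, p["sport"])] = (p["src"], p["sport"])
            p["src"] = NAT_ADDR
        return verdict, why, p

def trace_dns_lookup():
    """The post's lookup (192.168.0.4:1029 -> 62.73.78.2:53/udp) out rl1 and its reply back."""
    fw, steps, public_src = Ipf(), [], None
    p = dict(proto="udp", src="192.168.0.4", sport=1029, dst="62.73.78.2", dport=53)
    for hop, direction, iface in (("query", "in", "rl0"), ("query", "out", "rl1"),
                                  ("reply", "in", "rl1"), ("reply", "out", "rl0")):
        if hop == "reply" and direction == "in":   # 62.73.78.2 answers the NATed query
            public_src = p["src"]
            p = dict(proto="udp", src=p["dst"], sport=53, dst=p["src"], dport=p["sport"])
        v, why, p = fw.packet(p, direction, iface)
        steps.append((f"{hop} {direction} {iface}", v, why))
    return {"steps": steps, "public_src": public_src, "state": sorted(fw.state)}

def decide(p, direction, iface):
    """Verdict for one packet against the posted rules with an empty state table."""
    return Ipf().packet(p, direction, iface)[:2]
```

Under these assumptions the query passes rule 4 on rl0, passes rule 9 on rl1 (creating the state entry and then being NATed to 82.137.64.106), the reply is un-NATed back to 192.168.0.4:1029 and matched by that state entry on rl1, and rule 3 passes it out on rl0. `decide()` can be used the same way to check other packets against the rule list, for example that traffic from 192.168.5.0/24 to anything but the two local services and 192.168.0.50 hits the `block in quick` rule.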