From owner-freebsd-questions@FreeBSD.ORG Sun Feb 26 21:52:52 2006
Message-ID: <4402232A.8010908@locolomo.org>
Date: Sun, 26 Feb 2006 22:52:42 +0100
From: Erik Nørgaard <norgaard@locolomo.org>
Organization: Locolomo.ORG
To: Roman Serbski
Cc: freebsd-questions@freebsd.org
Subject: Re: Help with IP Filter 4.1.8

Roman Serbski wrote:
> Hi all,
>
> I am having a problem with ipf after recent upgrade to 6.1-PRERELEASE.
> Any help would be greatly appreciated.
>
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
>
> I am trying to allow outgoing dns requests from my server to DNS
> server of ISP. Here is my ruleset:
>
> ipfstat -oh
> 0 pass out quick on lo0 from any to any
> 0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> 1 pass out quick on xl0 proto udp from any to any port = domain keep state
> 0 block out log quick on xl0 all
>
> ipfstat -ih
> 0 pass in quick on lo0 from any to any
> 0 block in quick on xl0 all

Could you change your last rule to this:

block in log quick on xl0 all

and then tell what you see in the log. This would give some information if any traffic is blocked in the first place. Actually, adding the log keyword to all rules for the xl0 interface might be a good idea for debugging.

Also, is this the complete ruleset or did you remove rules you thought were irrelevant? If so, then post the whole ruleset.

Cheers, Erik

-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
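Once `log` is on the block rules, the useful next step is to see which rule is dropping which DNS packets. The helper below is an added example, not code from the thread or from IP Filter; the ipmon(8) line layout it assumes (date, time, interface, `@group:rule`, `b`/`p` action, `src,sport -> dst,dport`, `PR proto`, then `IN`/`OUT`) and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of ipmon output (not from the thread). Rule numbers and
# addresses are made up; the assumed layout is described in the lead-in.
SAMPLE_LOG = """\
26/02/2006 22:40:01.123456 xl0 @0:2 p 192.0.2.10,51234 -> 198.51.100.53,53 PR udp len 20 61 K-S OUT
26/02/2006 22:40:01.234567 xl0 @0:1 b 198.51.100.53,53 -> 192.0.2.10,51234 PR udp len 20 125 IN
26/02/2006 22:40:03.000001 xl0 @0:1 b 203.0.113.7,4444 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
26/02/2006 22:40:05.000002 xl0 @0:3 b 192.0.2.10,51235 -> 198.51.100.53,53 PR udp len 20 61 OUT
"""

# One ipmon line; trailing fields (len, TCP flags, K-S) are skipped up to IN/OUT.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*?(?P<dir>IN|OUT)$"
)


def parse_ipmon(text):
    """Return one dict per parseable ipmon line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def blocked_summary(records, iface="xl0"):
    """Count blocked packets on iface, keyed by (direction, proto, rule, dport)."""
    counts = Counter()
    for r in records:
        if r["action"] == "b" and r["iface"] == iface:
            counts[(r["dir"], r["proto"], r["rule"], r["dport"])] += 1
    return counts


def blocked_dns(records, iface="xl0"):
    """Blocked packets with port 53 on either side, i.e. DNS queries or replies."""
    return [r for r in records
            if r["action"] == "b" and r["iface"] == iface
            and "53" in (r["sport"], r["dport"])]
```

In the constructed sample the inbound block rule is what drops the DNS reply, which is the kind of thing the `log` keyword makes visible.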