From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Roman Serbski
Cc: freebsd-questions@freebsd.org
Date: Mon, 27 Feb 2006 00:50:09 +0200
Subject: Re: Help with IP Filter 4.1.8
Message-ID: <20060226225009.GA1207@flame.pc>

On 2006-02-26 20:15, Roman Serbski wrote:
> Hi all,
>
> I am having a problem with ipf after recent upgrade to 6.1-PRERELEASE.
> Any help would be greatly appreciated.
>
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
>
> I am trying to allow outgoing dns requests from my server to DNS
> server of ISP. Here is my ruleset:
>
> # ipfstat -oh
> 0 pass out quick on lo0 from any to any
> 0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> 1 pass out quick on xl0 proto udp from any to any port = domain keep state
> 0 block out log quick on xl0 all

This part seems ok.  I'd probably try without the ``flags S/FSRPAU''
part, but that's relatively harmless.

> # ipfstat -ih
> 0 pass in quick on lo0 from any to any
> 0 block in quick on xl0 all

This part seems a bit paranoid, but relatively ok too.

> I tried `host www.google.com` and the connection was timed out,
> although there was a hit on a rule allowing 53/udp.
> The interesting thing is that there is another server running
> 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and
> everything is working just fine.

When you're having problems with IP Filter rules, it's always a good
idea to `log' the blocking rules.  Can you try the following two things?

a) Remove the `flags' part of the stateful rule.

b) Add a `log' keyword to the input blocking rule.

The rulesets for these two cases would be:

# Ruleset 1.
pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in quick on xl0 all

# Ruleset 2.
pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in log quick on xl0 all

When you install the logging final rule, please check your system logs
for blocked packets.  Then you'll have an idea why something is blocked,
what was blocked, etc.

Post the ipfilter log messages as a followup to this thread, and we'll
try to track down the problem the current ruleset has.

- Giorgos
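The reply asks for the log output of the final `block in log` rule so the blocked packets can be examined. The script below is an added example, not part of this thread and not code from Giorgos or the IP Filter project: it parses lines in the default ipmon(8) text format and summarizes what was blocked, by direction, interface, rule number, protocol and destination port. The sample log lines are constructed (RFC 5737 addresses), and the assumption that rule @0:2 inbound is the `block in log quick on xl0 all` rule of Ruleset 2 is stated in the comments; on a real system you would feed it the ipmon output from /var/log instead.

```python
"""Summarize blocked packets from ipmon(8)-style IP Filter log lines."""
import re
from collections import Counter

# Constructed sample of ipmon(8) output; addresses are from RFC 5737 test ranges.
# Assumption: inbound rule @0:2 is the final "block in log quick on xl0 all" of
# Ruleset 2, and outbound @0:4 is "block out log quick on xl0 all".
SAMPLE_LOG = """\
27/02/2006 00:40:01.123456 xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.7,51234 PR udp len 20 89 IN
27/02/2006 00:40:06.223456 xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.7,51234 PR udp len 20 89 IN
27/02/2006 00:40:11.323456 xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.7,51234 PR udp len 20 89 IN
27/02/2006 00:41:00.000000 xl0 @0:2 b 203.0.113.9 -> 198.51.100.7 PR icmp len 20 84 icmp 8/0 IN
27/02/2006 00:41:30.000000 xl0 @0:4 b 198.51.100.7,40000 -> 203.0.113.9,80 PR tcp len 20 60 -S OUT
"""

# Fields of one ipmon line: date time iface @group:rule action src[,port] -> dst[,port]
# PR proto len hdrlen totlen [tcp flags | icmp type/code] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[^,\s]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?P<extra>.*?)\s*(?P<dir>IN|OUT)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "hlen", "tlen"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # Whatever sits between the lengths and IN/OUT: TCP flags or ICMP type/code.
    rec["flags"] = rec.pop("extra").strip() or None
    # ipmon marks blocked packets with 'b' in the action column.
    rec["blocked"] = "b" in rec["action"]
    return rec


def parse_log(text):
    """Parse every line that looks like an ipmon record; skip anything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_summary(records):
    """Count blocked packets keyed by (direction, iface, rule number, proto, dst port)."""
    counts = Counter()
    for r in records:
        if r["blocked"]:
            counts[(r["dir"], r["iface"], r["rule"], r["proto"], r["dport"])] += 1
    return counts


def dns_replies_blocked(records):
    """Blocked inbound UDP from source port 53: DNS answers that no state entry let in."""
    return [r for r in records
            if r["blocked"] and r["dir"] == "IN"
            and r["proto"] == "udp" and r["sport"] == 53]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(blocked_summary(recs).items(), key=lambda kv: -kv[1]):
        direction, iface, rule, proto, dport = key
        print(f"{n:4d} blocked {direction:3s} on {iface} rule {rule} {proto} dport={dport}")
    for r in dns_replies_blocked(recs):
        print(f"DNS answer from {r['src']} to {r['dst']}:{r['dport']} dropped by rule {r['rule']}")
```

If the summary shows inbound UDP from port 53 being dropped by the final block rule while the outbound query was passed by the `keep state` rule, the state entry is not matching the reply, which is exactly the kind of evidence the reply above asks to see in the follow-up.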