Date: Fri, 28 Feb 2014 13:07:41 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: FreeBSD 10.0 ipfilter problem?
Message-ID: <15771.128.135.70.2.1393614461.squirrel@cosmo.uchicago.edu>
Dear All,

After upgrading the first machine from FreeBSD 9.2-RELEASE to 10.0 I had a strange problem with ipfilter. Well, I actually did a fresh install, and the only thing the "upgrade" is related to is: I took the /etc/ipf.rules that worked nicely on the same machine under FreeBSD 9.2-RELEASE and, without changing it, put it on 10.0 (and enabled ipfilter as usual). The problem manifested itself in ipfilter dropping the majority of packets as "bad", which in the case of scp (even an outgoing one) led to the connection stalling at about 500 kB of data passed...

A quick glance at the relevant variables:

    sysctl -a | grep ipf

revealed that I don't see the majority of them, including two of them that I'm used to tweaking on busy boxes (I'm changing them in /usr/src/sys/contrib/ipfilter/netinet/ip_state.h actually):

    net.inet.ipf.fr_statesize: 65536
    net.inet.ipf.fr_statemax: 65536

I tried to search and didn't find anybody mentioning my problem. (Somebody, please, teach me to search for something in all FreeBSD mail list archives!)

So, finally I decided to make just a quick and dirty fix: I replaced

    /usr/src/sys/contrib/ipfilter
    /usr/src/sys//modules/ipfilter

with the ones from FreeBSD 9.2-RELEASE, recompiled the kernel, rebooted, and that fixed my problem.

I hope this helps someone, but more importantly, I do have a question: is this just me doing something wrong so ipfilter stopped working for me on 10.0, or is this something that has to be fixed? Whom do we ask to fix ipfilter on FreeBSD 10.0?

Thanks.
Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++