From owner-freebsd-questions@FreeBSD.ORG Mon Mar 6 12:07:35 2006
From: Erik Norgaard <norgaard@locolomo.org>
Date: Mon, 06 Mar 2006 13:07:26 +0100
To: Roman Serbski
Cc: freebsd-questions@freebsd.org
Subject: Re: Help with IP Filter 4.1.8
Message-ID: <440C25FE.6050401@locolomo.org>
References: <4402232A.8010908@locolomo.org> <44031DC4.6060804@locolomo.org>

Roman Serbski wrote:
> My ruleset consists of only 6 rules:
>
> pass out quick on lo0 from any to any
> pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> pass out quick on xl0 proto udp from any to any port = domain keep state
> block out log quick on xl0 all
> pass in quick on lo0 from any to any
> block in quick on xl0 all

Your rules look ok, this is a strange problem.

> The rule # 2 which was blocking the reply from the DNS server is 'block in
> quick on xl0 all'.
>
> Adding the 'log' keyword to the rule allowing outgoing 53/udp gives the following:
>
> xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT
>
> So outgoing 53/udp was successfully passed through, but the incoming reply
> was blocked again:
>
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad
>
> Yes, I also tried another DNS server - same results.

ok

> I think this is more an ipf issue, so I'll try to ask for assistance on the
> ipf mailing list; I was just thinking if someone else has faced
> a similar problem during the upgrade from ipf v3.4.35 to v4.1.8.

Ok, here are some things to try:

1) Other udp services, are responses also blocked? You can for example try ntp. If so, then it is likely a bug in ip-filter, else

2) Try using snort or tcpdump to capture the blocked packet and analyse if it is malformed. Possibly include such a packet with your next post, else

3) Try to see if you can upgrade to a newer ipfilter, latest is v4.1.10.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
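One way to work through ipmon output like the two lines Roman quoted, added here as an example and not code from the thread or from IP Filter: a small Python parser for that line format that pairs each stateful outbound pass (`K-S OUT`) with an inbound block on the reversed address/port pair, and keeps the trailing flags (such as `bad`) so the packet capture Erik suggests can be aimed at the right flow. The addresses in the sample lines are constructed placeholders.

```python
import re

# Constructed sample lines in the ipmon format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
xl0 @0:3 p 192.0.2.10,50359 -> 198.51.100.1,53 PR udp len 20 57 K-S OUT
xl0 @0:2 b 198.51.100.1,53 -> 192.0.2.10,50359 PR udp len 20 298 IN bad
xl0 @0:3 p 192.0.2.10,50360 -> 198.51.100.1,53 PR udp len 20 57 K-S OUT
"""

# iface @group:rule action src,sport -> dst,dport PR proto len hdrlen pktlen [flags...]
LINE_RE = re.compile(
    r"^(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<flags>.*)$"
)


def parse_ipmon(text):
    """Parse ipmon-style lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = rec["flags"].split()  # e.g. ['K-S', 'OUT'] or ['IN', 'bad']
        records.append(rec)
    return records


def find_blocked_replies(records):
    """Return (outbound, reply) pairs where an outbound packet passed with
    state kept ('K-S') but the inbound packet on the reversed 4-tuple was
    blocked. Such pairs indicate a state-table problem, or a packet the
    filter flagged as 'bad', rather than a missing rule."""
    passed = {}
    for r in records:
        if r["action"] == "p" and "K-S" in r["flags"] and "OUT" in r["flags"]:
            passed[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])] = r
    hits = []
    for r in records:
        if r["action"] == "b" and "IN" in r["flags"]:
            key = (r["proto"], r["dst"], r["dport"], r["src"], r["sport"])
            if key in passed:
                hits.append((passed[key], r))
    return hits


if __name__ == "__main__":
    for out, reply in find_blocked_replies(parse_ipmon(SAMPLE_LOG)):
        print(f"rule {out['rule']} kept state for {out['src']}:{out['sport']} -> "
              f"{out['dst']}:{out['dport']}, reply blocked by rule {reply['rule']} "
              f"flags={reply['flags']}")
```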