From owner-freebsd-stable Sun May 5 9:46:21 2002
Date: Sun, 5 May 2002 18:46:30 +0200
From: "Karsten W. Rohrbach"
To: Michael Riexinger
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfilter problem
Message-ID: <20020505184630.A76286@mail.webmonster.de>
In-Reply-To: <20020505133204.GA667@grind.grind.dom>; from mailinglists@grindking.de on Sun, May 05, 2002 at 03:32:04PM +0200
References: <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom>
X-URL: http://www.webmonster.de/
X-Work-URL: http://www.ngenn.net/

Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000:
> On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > the problem can only be analyzed efficiently if you show us the rest of
> > the ruleset. anything else is pure guesswork, based on assumptions about
> > your ipf configuration.
> >
> > regards,
> > /k
> Ok, here they are. But I wonder why it worked without problems with
> previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> states to the newsserver.
> (tcp4 0 0 dialin-212-144-1.49368 news.fu-berlin.d.nntp FIN_WAIT_1)
>
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass in quick on ed0 all
> pass out quick on ed0 all
>
> pass out quick on isp0 proto tcp/udp from any to any keep state

pass out quick on isp0 proto tcp from any to any flags S/SA keep state
pass out quick on isp0 proto udp from any to any keep state

instead of the above one line should work. if it doesn't then give me a
slap on the head, i'm still a bit drunk from yesterday ;-)

> pass out quick on isp0 proto icmp from any to any keep state
>
> pass in quick on isp0 proto tcp from any to any port = 80
> pass in quick on isp0 proto tcp from any to any port = 60000
>
> block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from
> any to any
> block return-rst in log quick on isp0 proto tcp from any to any
> block return-icmp(port-unr) in log quick on isp0 proto udp from any to
> any
>

'ipfstat -s' on your box will tell you about state statistics. when you
reload your rule set for testing, you should invoke it like
'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old state
table. 'ipfstat -t' gives you a "top" style display of current states, so
you can check them in realtime.
regards,
/k
-- 
> MCSE: Minesweeper Consultant & Solitaire Engineer
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
10x
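As an added example, not code from the thread, from FreeBSD or from ipfilter, here is a small Python linter that applies the rewrite Karsten suggests to a ruleset text: a `pass` rule that keeps state for `proto tcp/udp` is split into a tcp rule that only creates state on the initial SYN (`flags S/SA keep state`) and a plain udp `keep state` rule. It generalizes the one rule in the thread to any `pass` rule, inbound or outbound, that keeps state for `tcp` or `tcp/udp` without a `flags` clause, and leaves every other line untouched. `SAMPLE_RULES` is the quoted ruleset, constructed here as the assumed contents of `/etc/ipf.rules`; the function names are this example's own.

```python
"""Constructed example: lint and rewrite stateful ipfilter 'pass' rules so
that tcp state is only created on an initial SYN (flags S/SA), as suggested
in the reply above. Stand-alone; not ipfilter code."""

# Constructed sample: the ruleset quoted in the thread, assumed to be the
# whole of the poster's /etc/ipf.rules.
SAMPLE_RULES = """\
pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on ed0 all
pass out quick on ed0 all

pass out quick on isp0 proto tcp/udp from any to any keep state
pass out quick on isp0 proto icmp from any to any keep state

pass in quick on isp0 proto tcp from any to any port = 80
pass in quick on isp0 proto tcp from any to any port = 60000

block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from any to any
block return-rst in log quick on isp0 proto tcp from any to any
block return-icmp(port-unr) in log quick on isp0 proto udp from any to any
"""


def _keep_state_index(tokens):
    """Index of the 'keep' in a 'keep state' pair, or -1 if the rule is stateless."""
    for i in range(len(tokens) - 1):
        if tokens[i] == "keep" and tokens[i + 1] == "state":
            return i
    return -1


def is_unflagged_tcp_state_rule(line):
    """True for a 'pass' rule that keeps state for tcp (or tcp/udp) without
    a 'flags' clause restricting which packet may create that state."""
    tokens = line.split()
    if not tokens or tokens[0] != "pass" or "proto" not in tokens:
        return False
    if _keep_state_index(tokens) < 0 or "flags" in tokens:
        return False
    proto = tokens[tokens.index("proto") + 1]
    return proto in ("tcp", "tcp/udp")


def split_rule(line):
    """Return the rule(s) that replace `line`; lines that need no change
    come back as a one-element list."""
    if not is_unflagged_tcp_state_rule(line):
        return [line]
    tokens = line.split()
    p = tokens.index("proto")
    k = _keep_state_index(tokens)
    # head: 'pass out quick on isp0', match: 'from any to any', state: 'keep state'
    head, match, state = tokens[:p], tokens[p + 2:k], tokens[k:]
    tcp_rule = " ".join(head + ["proto", "tcp"] + match + ["flags", "S/SA"] + state)
    if tokens[p + 1] == "tcp":
        return [tcp_rule]
    udp_rule = " ".join(head + ["proto", "udp"] + match + state)
    return [tcp_rule, udp_rule]


def find_unflagged(text):
    """List the offending rules without modifying anything."""
    return [l for l in text.splitlines() if is_unflagged_tcp_state_rule(l)]


def rewrite_ruleset(text):
    """Apply split_rule line by line; blank lines and comments pass through."""
    out = []
    for line in text.splitlines():
        out.extend(split_rule(line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for rule in find_unflagged(SAMPLE_RULES):
        print("needs flags S/SA:", rule)
    print(rewrite_ruleset(SAMPLE_RULES))
```

Run on the quoted ruleset it reports exactly the `proto tcp/udp` line and emits the two replacement rules Karsten gives; after writing the result back, the reload in the reply (`ipf -Fa -FS -f /etc/ipf.rules`) flushes the old state table so `ipfstat -s` and `ipfstat -t` show only states created under the new rules.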