Date:      Tue, 30 Sep 2003 06:35:04 -0000
From:      Stephen Hilton <nospam@hiltonbsd.com>
To:        echelon <e_chelon@yahoo.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: IPFILTER_DEFAULT_BLOCK & No route to host
Message-ID:  <20030930013500.282c93be.nospam@hiltonbsd.com>
In-Reply-To: <20030930032735.73176.qmail@web41204.mail.yahoo.com>
References:  <20030930032735.73176.qmail@web41204.mail.yahoo.com>


On Mon, 29 Sep 2003 20:27:35 -0700 (PDT)
echelon <e_chelon@yahoo.com> wrote:

> Hi,
> 
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
> 
> In addition, the machine cannot ping itself.
> 
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
> 
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat. 
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines. 
> 
> The routing table is fine. All these problems go away if I remove the option 
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.  
> 

You need to create and load an ipfilter rule set.

For a start, create /etc/ipf.rules containing:

# With IPFILTER_DEFAULT_BLOCK, any packet no rule passes is dropped, so
# loopback traffic (ping localhost, ping your own address) must be allowed explicitly.
pass in on lo0 all
pass out on lo0 all

pass in on xl0 all
pass out on xl0 all

# * xl0 should be changed to your ethernet interface type.


Then in your /etc/rc.conf

ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter.
ipfilter_flags="-F a -f /etc/ipf.rules"         # additional flags for ipfilter

This should get you started, good luck.

P.S.  Cross-posting is not usually a good idea; freebsd-questions is
the right place for stuff like this.


Cheers,

Stephen Hilton
nospam@hiltonbsd.com


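The pass-all rule set above gets the box answering again, but it also leaves the PPPoE uplink wide open. As an added example, not part of the original thread, the POSIX shell script below generates a minimal stateful ipfilter rule set for the gateway described (loopback and LAN passed, uplink outbound tracked with keep state, inbound ICMP echo allowed so the box can be pinged, everything else arriving on the uplink dropped and logged), together with a small lint that refuses any rule lacking "quick", since without it ipf applies the last matching rule rather than the first. The interface names xl0 (LAN) and tun0 (user-ppp PPPoE link) and the network 192.168.1.0/24 are assumptions; pass your own as arguments. For background on the symptom in the question: ipfilter reports a blocked outbound packet to the sending process as EHOSTUNREACH, which is why ping prints "No route to host" instead of timing out.

```shell
#!/bin/sh
# Added example (not from the thread): generate a stateful ipf(8) rule set for a
# FreeBSD NAT gateway with a default-block kernel, plus a lint for the result.
# Defaults (xl0, tun0, 192.168.1.0/24) are assumptions; override via arguments.

gen_ipf_rules() {
    lan_if="${1:-xl0}"
    ext_if="${2:-tun0}"
    lan_net="${3:-192.168.1.0/24}"
    cat <<EOF
# /etc/ipf.rules: LAN on ${lan_if} (${lan_net}), uplink on ${ext_if}
# With IPFILTER_DEFAULT_BLOCK the kernel drops any packet no rule passes,
# so loopback must be allowed explicitly or the box cannot even ping itself.
pass in quick on lo0 all
pass out quick on lo0 all

# The inside network is trusted.
pass in quick on ${lan_if} all
pass out quick on ${lan_if} all

# Uplink: refuse packets from the Internet that claim inside or loopback sources.
block in quick on ${ext_if} from ${lan_net} to any
block in quick on ${ext_if} from 127.0.0.0/8 to any

# Outbound traffic (including NATed LAN traffic): the state table admits the replies.
pass out quick on ${ext_if} proto tcp from any to any flags S keep state
pass out quick on ${ext_if} proto udp from any to any keep state
pass out quick on ${ext_if} proto icmp from any to any keep state

# Let outside hosts ping the gateway; replies to our own pings already match state.
pass in quick on ${ext_if} proto icmp from any to any icmp-type echo

# Everything else arriving on the uplink is dropped and logged (readable via ipmon).
block in log quick on ${ext_if} all
EOF
}

# Read a rule set on stdin; succeed only if every rule line carries "quick".
# Without quick, ipf keeps evaluating and the *last* match wins, which makes a
# rule set that mixes the two styles easy to misread.
lint_ipf_rules() {
    bad=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -v 'quick' || true)
    if [ -n "$bad" ]; then
        printf 'rules without quick:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: sh ipf-gen.sh xl0 tun0 192.168.1.0/24 > /etc/ipf.rules
if [ $# -gt 0 ]; then
    gen_ipf_rules "$@"
fi
```

Check the syntax without touching the kernel with `ipf -n -f /etc/ipf.rules`, load it with `ipf -Fa -f /etc/ipf.rules`, and confirm what is active with `ipfstat -io`. NAT itself is configured separately through ipnat (ipnat_enable and /etc/ipnat.rules in rc.conf) and is not covered by this rule set; the LAN hosts keep working because their translated packets leave through the uplink and create state on the way out.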

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030930013500.282c93be.nospam>