From owner-freebsd-stable@FreeBSD.ORG Mon Sep 29 23:35:03 2003
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA93C16A4B3 for ; Mon, 29 Sep 2003 23:35:03 -0700 (PDT)
Received: from hermes.pressenter.com (hermes.pressenter.com [69.58.128.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E06A43FA3 for ; Mon, 29 Sep 2003 23:35:03 -0700 (PDT) (envelope-from nospam@hiltonbsd.com)
Received: from [69.58.129.77] (helo=daggar.sbgnet.local) by hermes.pressenter.com with smtp (Exim 3.35 #1) id 1A4E69-0003Ht-00; Tue, 30 Sep 2003 01:35:02 -0500
From: Stephen Hilton
To: echelon
Message-Id: <20030930013500.282c93be.nospam@hiltonbsd.com>
In-Reply-To: <20030930032735.73176.qmail@web41204.mail.yahoo.com>
References: <20030930032735.73176.qmail@web41204.mail.yahoo.com>
X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd4.9)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: freebsd-stable@freebsd.org
Subject: Re: IPFILTER_DEFAULT_BLOCK & No route to host
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Date: Tue, 30 Sep 2003 06:35:04 -0000
X-Original-Date: Tue, 30 Sep 2003 01:35:00 -0500
X-List-Received-Date: Tue, 30 Sep 2003 06:35:04 -0000

On Mon, 29 Sep 2003 20:27:35 -0700 (PDT)
echelon wrote:

> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> In addition, the machine cannot ping itself.
>
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
>
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat.
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines.
>
> The routing table is fine. All these problems go away if I remove the option
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.
>

You need to create and load an ipfilter rule set.

For a start create /etc/ipf.rules containing:

pass in on lo0 all
pass out on lo0 all
pass in on xl0 all
pass out on xl0 all

# * xl0 should be changed to your ethernet interface type.

Then in your /etc/rc.conf:

ipfilter_enable="YES"                     # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"              # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"           # rules definition file for ipfilter.
ipfilter_flags="-F a -f /etc/ipf.rules"   # additional flags for ipfilter

This should get you started; good luck.

P.S. Cross-posting is not usually a good idea; freebsd-questions is the right place for stuff like this.

Cheers,

Stephen Hilton
nospam@hiltonbsd.com
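The rule set in the reply above passes everything on lo0 and the LAN interface, which cures the "no route to host" symptom but leaves the gateway wide open on its LAN side. The script below is an added example, not part of the thread: it generates a stateful, default-deny ipf rule set that still keeps loopback and LAN reachable under IPFILTER_DEFAULT_BLOCK, and loads it with the same flags the reply puts in rc.conf. The interface names (xl0 for the LAN, tun0 for the PPPoE link) and the LAN network 192.168.1.0/24 are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original thread: emit a stateful,
# default-deny ipfilter rule set that keeps loopback and LAN reachable
# under IPFILTER_DEFAULT_BLOCK. Interface and network names are
# hypothetical: xl0 = LAN, tun0 = PPPoE link, 192.168.1.0/24 = LAN.

# gen_ipf_rules LAN_IF EXT_IF LAN_NET: print the rule set to stdout.
gen_ipf_rules() {
    lan_if=$1; ext_if=$2; lan_net=$3
    cat <<EOF
# Explicit defaults: same effect as IPFILTER_DEFAULT_BLOCK, but visible in
# the rule set and logged, so blocked packets show up in ipmon.
block in log all
block out log all

# Loopback: without these two lines ping 127.0.0.1 fails under default-block.
pass in quick on lo0 all
pass out quick on lo0 all

# LAN side: LAN hosts may reach the gateway (and, via NAT, beyond); replies
# are matched by the state table rather than by a wide-open "pass in".
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on $lan_if from any to $lan_net keep state

# PPPoE side: only locally initiated sessions go out; nothing unsolicited in.
pass out quick on $ext_if proto tcp from any to any flags S keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state
block in log quick on $ext_if all
EOF
}

# write_rules FILE LAN_IF EXT_IF LAN_NET: write the set to FILE and print
# the number of active (pass/block) rules it contains.
write_rules() {
    gen_ipf_rules "$2" "$3" "$4" > "$1" || return 1
    grep -c -E '^(pass|block)' "$1"
}

# load_rules FILE: flush and load, the same flags as in the reply's rc.conf.
load_rules() {
    [ -x /sbin/ipf ] || { echo "ipf not installed" >&2; return 1; }
    /sbin/ipf -F a -f "$1"
}
```

Run `write_rules /etc/ipf.rules xl0 tun0 192.168.1.0/24` followed by `load_rules /etc/ipf.rules` as root, or let the rc.conf entries quoted in the reply load the file at boot.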