From: Hongbo Li
Subject: ipfilter problem in FreeBSD 4.5
To: freebsd-stable@freebsd.org
Date: Sun, 3 Feb 2002 17:40:47 -0800 (PST)
Message-ID: <20020204014047.9400.qmail@web13402.mail.yahoo.com>

I use a dual-homed FreeBSD box as a firewall gateway, running FreeBSD 4.5 stable and ipfilter 3.4.20. Every time I use an ftp client from an internal box to access an external ftp server, I can successfully log in and do something. But when the ftp connection times out and I run the "ls" command over the connection, the gateway box (FreeBSD) hangs. Who can tell me why? Thanks! By the way, before I upgraded the FreeBSD box to 4.5 stable, the box ran perfectly (4.4 stable and 4.5 RC).
                  vr1                        vr0
internal <-------> FBSD Box with <--------> external
network box        ipfilter

#The internal interface: vr1 192.168.0.1
#The external interface: vr0 10.17.41.198

My ipf rules file:

#/etc/ipf.rules
pass in quick on vr1 all
pass out quick on vr1 all
pass out quick on vr0 proto tcp from any to any keep state keep frags
pass out quick on vr0 proto udp from any to any keep state keep frags
pass in quick on vr0 proto tcp from 10.17.41.201 to any port = 8888 flags S keep state keep frags
block return-rst in log quick on vr0 proto tcp from any to any port = 21
block return-rst in log quick on vr0 proto tcp from any to any port = 23
block return-rst in log quick on vr0 proto tcp from any to any port = 139
block return-rst in log quick on vr0 proto tcp from any to any port = 3128
block return-rst in log quick on vr0 proto tcp from any to any port = 25
block return-rst in log quick on vr0 proto tcp from any to any port = 587
block in quick on vr0 proto udp from any to any

My ipnat rules file:

#/etc/ipnat.rules
rdr vr1 192.168.0.1/32 port 80 -> 192.168.0.1 port 80
rdr vr1 0.0.0.0/0 port 80 -> 192.168.0.1 port 3128
map vr0 192.168.0.0/24 -> 0/32 proxy port 21 ftp/tcp
#map vr1 10.17.41.198/32 -> 10.17.41.198/32 proxy port 21 ftp/tcp
map vr0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000
map vr0 192.168.0.0/24 -> 0/32
rdr vr0 10.17.41.198/32 port 80 -> 192.168.0.2 port 8888