From: Odhiambo Washington
Date: Thu, 22 Jan 2015 16:20:59 +0300
Subject: Re: IPFilter & FreeBSD-10.1
To: Ernie Luzar
Cc: User Questions, galtsev@kicp.uchicago.edu

I looked at /usr/share/examples/ipfilter/ on FreeBSD-8.4, 9.3, 10.1 and I
did not see anything different in those files.
Now, my rules work quite well on 8.4, 9.3, but fail in 10.1.
I have been using these rules forever on many many boxes and all I was
doing is to edit ipnat.conf and ipfilter.conf to change the interface names
and the IPs/subnets for the LAN/WAN.

On 22 January 2015 at 16:03, Ernie Luzar wrote:

>> No, I'm not the original poster of this thread, the problem I have is
>> different, I'll describe it later
>>
>> Again, my problem is different. Originally after upgrade from 9.3 RELEASE
>> to 10.0 RELEASE (shortly after it was released). I started observing too
>> many packets (more than 90%) dropped by ipfilter. Network feels like 100
>> times slower. All config files are in place. I asked on this list for help
>> - no one replied (if my memory doesn't fail me). Then I looked into the
>> code of kernel module itself, I noticed it is much slimmer than kernel
>> module code on 9.3 (many files are missing, some of the ones that are
>> there are noticeably shorter). I moved /usr/src off the way and checked
>> out fresh copy: all is exactly the same. After that I just replaced the
>> code of ipfilter module with the one from 9.3, rebuilt kernel module,
>> unloaded and loaded freshly built module. And my ipfilter problem was
>> fixed. I just posted this to the thread I have started, so it looks like
>> one of the posts here on this thread just quotes what I did (or maybe
>> someone else did and described the same). Note that config files didn't
>> change.
>>
>> After some time living with 10.0 on that box, that box was upgraded to
>> 10.1 RELEASE. Also shortly after it was released. And the same problem
>> reappeared: ipfilter when it is on drops majority of packets, connections
>> seem to be 100 times slower...
>>
>> I know, happy people (who do not have problem themselves) ... hm ... not
>> always can imagine that problem can be real for somebody else. But I still
>> hope someone will be able to answer my questions.
>>
>> 1. How can I find website (Documentation) for latest ipfilter? Where is
>> new place for it (it appears, developer moved it from where it was in the
>> past)
>
> There is no website where the IPF rule documentation is published. There
> is only the "man pages".
>
>> 2. Did the syntax change between versions or not? On 9.3 I have version:
>> v4.1.28 (496), whereas on 10.1: v5.1.2 (608). If yes, where do I find
>> appropriate documentation. I certainly will be able to rewrite my rules
>> myself after reading documentation. After all I wrote them (of course,
>> using amazing FreeBSD online documentation ! ;-)
>
> In 10.0 where ipfilter is stated as new version added gives no warning
> that rule syntax has changed
>
>> Thanks in advance for all your replies.
>>
>> Valeri
>
> There is a very long thread dated Apr 15, 2013 with subject "ipfilter(4)
> needs maintainer" in the questions and current mailing lists
> Cy Schuert became the maintainer. Cy.Schuert@komquats.com
>
> He's the person you should be talking to. If you still get no joy then
> file a PR to shine more light on your problem

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."