Date: Thu, 9 Feb 2006 09:25:37 -0600
From: "David W. Chapman Jr." <dwcjr@aexeous.net>
To: <freebsd-stable@freebsd.org>
Cc: darrenr@pobox.com
Subject: Ipfilter strangeness on FreeBSD 6
Message-ID: <FC0E02DDA06B6345AA37AE5404FCC610072435@rnsserver.aexeous.local>
I've installed FreeBSD 6.0-RELEASE and had some ipfilter bugs on a machine. It appears that after 3-4 hours ipfilter ignores all group rules. When I run ipfstat -ih I can see the packets coming in and hitting the specific rules but it seems to block them anyway.

By group rules I mean I'm doing something like this

    block in on dc0 all head 100
    block out on dc0 all head 150
    block in on xl0 all head 200
    block out on xl0 all head 250

and have respective group rules under each group.

I switched out the NIC on the public interface as I thought it was that originally. I currently have this cron job in place to alleviate the problem temporarily:

    0 * * * * /sbin/ipf -D;/sbin/ipf -E;/sbin/ipf -FS -Fa -f /etc/ipf.rules;/sbin/ipnat -FCf /etc/ipnat.rules

I cvsuped to the latest version

    FreeBSD fbsd.abghouston.com 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #7: Tue Feb 7 17:34:35 UTC 2006 whatever@whatever.com:/usr/obj/usr/src/sys/FIREWALL i386

the problem still seems to persist.

tcpdump appears to lock up if there are packets on the dc0 interface (which is the public interface). The problem completely goes away when I disable ipfilter.

Does anyone have any hints/clues/ideas?
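As an added illustration, not part of the original message, here is a complete /etc/ipf.rules laid out the way the poster describes: a `head` rule per interface and direction, with the actual policy in `group` rules hanging off each head. The interface names (dc0 public, xl0 internal) and group numbers come from the post; the address ranges, permitted services and logging choices are assumptions made for the example.

```conf
# Example ipf.rules in head/group layout (constructed example, not the poster's file).
# ipfilter evaluates rules top to bottom; without "quick" the last match wins,
# so every group rule below uses "quick" to stop at the first match.
# ipfstat -ih shows the inbound rules with their hit counts, ipfstat -oh the outbound ones.

# --- Public interface dc0, inbound: everything enters group 100 ---
block in on dc0 all head 100
        # Assumed: drop and log RFC1918 sources arriving on the public side
        block in log quick on dc0 from 10.0.0.0/8 to any group 100
        block in log quick on dc0 from 172.16.0.0/12 to any group 100
        block in log quick on dc0 from 192.168.0.0/16 to any group 100
        # Assumed: allow new SSH and HTTP sessions, tracked in the state table
        pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state group 100
        pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state group 100
        # Assumed: answer ping
        pass in quick on dc0 proto icmp from any to any icmp-type echo keep state group 100
        # Anything else inbound on dc0 falls back to the head rule and is blocked; log it
        block in log quick on dc0 all group 100

# --- Public interface dc0, outbound: everything enters group 150 ---
block out on dc0 all head 150
        # Assumed: allow outbound sessions originated from this host or NAT clients
        pass out quick on dc0 proto tcp from any to any flags S keep state group 150
        pass out quick on dc0 proto udp from any to any keep state group 150
        pass out quick on dc0 proto icmp from any to any keep state group 150

# --- Internal interface xl0, inbound: everything enters group 200 ---
block in on xl0 all head 200
        # Assumed: internal LAN is 192.168.1.0/24 and may initiate anything
        pass in quick on xl0 from 192.168.1.0/24 to any keep state group 200
        block in log quick on xl0 all group 200

# --- Internal interface xl0, outbound: everything enters group 250 ---
block out on xl0 all head 250
        # Assumed: replies and forwarded traffic back to the LAN
        pass out quick on xl0 from any to 192.168.1.0/24 keep state group 250
```

Load it with `ipf -Fa -f /etc/ipf.rules` and compare `ipfstat -ih` hit counts against `ipfstat -nio` to confirm which group rule a packet actually matched. One caveat on the poster's hourly cron workaround: `ipf -FS` flushes the state table, so every `keep state` session on the box is dropped at the top of each hour, which is something to keep in mind when judging whether the workaround itself is causing connection problems.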