From: "David W. Chapman Jr." <dwcjr@aexeous.net>
To: freebsd-stable@freebsd.org
Cc: darrenr@pobox.com
Date: Thu, 9 Feb 2006 09:25:37 -0600
Subject: Ipfilter strangeness on FreeBSD 6

I've installed FreeBSD 6.0-RELEASE and had some ipfilter bugs on a machine. It appears that after 3-4 hours ipfilter ignores all group rules. When I run ipfstat -ih I can see the packets coming in and hitting the specific rules, but it seems to block them anyway.

By group rules I mean I'm doing something like this:

    block in on dc0 all head 100
    block out on dc0 all head 150
    block in on xl0 all head 200
    block out on xl0 all head 250

and have respective group rules under each group.

I switched out the NIC on the public interface as I thought it was that originally. I currently have this cron job in place to alleviate the problem temporarily:

    0 * * * * /sbin/ipf -D;/sbin/ipf -E;/sbin/ipf -FS -Fa -f /etc/ipf.rules;/sbin/ipnat -FCf /etc/ipnat.rules

I cvsuped to the latest version:

    FreeBSD fbsd.abghouston.com 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #7: Tue Feb 7 17:34:35 UTC 2006 whatever@whatever.com:/usr/obj/usr/src/sys/FIREWALL i386

The problem still seems to persist.

tcpdump appears to lock up if there are packets on the dc0 interface (which is the public interface). The problem completely goes away when I disable ipfilter.

Does anyone have any hints/clues/ideas?
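For readers unfamiliar with the head/group construct the post refers to, here is an added illustration of a complete ipfilter ruleset built that way; it is not the poster's /etc/ipf.rules, and the 192.168.1.0/24 LAN and the specific services passed are assumed for the example.

```conf
# Illustrative /etc/ipf.rules (added example, not the poster's file).
# Assumptions: dc0 is the public interface, xl0 the private one,
# and the LAN behind xl0 is 192.168.1.0/24.
#
# A "head N" rule opens a group: a packet that matches the head rule is
# then evaluated against the rules tagged "group N". If no rule in the
# group matches, the head rule's own action (here: block) is the result,
# so every group below is default-deny.

block in  on dc0 all head 100
block out on dc0 all head 150
block in  on xl0 all head 200
block out on xl0 all head 250

# Inbound on the public interface (group 100).
# Drop packets claiming a LAN source on the outside interface.
block in quick from 192.168.1.0/24 to any group 100
# Allow new SSH sessions and keep state for the rest of the connection.
pass in quick proto tcp from any to any port = 22 flags S keep state group 100
# Allow echo requests so the host stays pingable.
pass in quick proto icmp from any to any icmp-type 8 keep state group 100

# Outbound on the public interface (group 150): stateful egress.
pass out quick proto tcp from any to any flags S keep state group 150
pass out quick proto udp from any to any keep state group 150
pass out quick proto icmp from any to any keep state group 150

# Private side (groups 200 and 250): trust the LAN, keep state.
pass in  quick from 192.168.1.0/24 to any keep state group 200
pass out quick from any to any group 250
```

ipf -nf /etc/ipf.rules parses the file without touching the running kernel, so a syntax error surfaces before a reload like the hourly cron job above; ipfstat -ih then shows the per-rule hit counters the poster describes.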