From owner-freebsd-bugs@FreeBSD.ORG Wed Oct 27 22:20:24 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9708116A4CE for ; Wed, 27 Oct 2004 22:20:24 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78D5C43D39 for ; Wed, 27 Oct 2004 22:20:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i9RMKO4v024954 for ; Wed, 27 Oct 2004 22:20:24 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i9RMKOIL024953; Wed, 27 Oct 2004 22:20:24 GMT (envelope-from gnats)
Date: Wed, 27 Oct 2004 22:20:24 GMT
Message-Id: <200410272220.i9RMKOIL024953@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: David Haworth
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: David Haworth
List-Id: Bug reports
X-List-Received-Date: Wed, 27 Oct 2004 22:20:24 -0000

The following reply was made to PR kern/73202; it has been noted by GNATS.

From: David Haworth
To: Kris Kennaway
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/73202: IPF causing major tcp problems with 3rd party apps (apache, exim etc)
Date: Wed, 27 Oct 2004 23:18:14 +0100

> First guess would be that your ipf ruleset was wrong. Can you please
> include it for verification?

You're quite right, I should have pointed out that the firewall ruleset was completely unchanged from the 5.1 config.
I don't really want to post my firewall config to a public forum, so I'll enclose a suitably edited version. This config worked fine with 5.1 and caused no problems.

dave

# deny by default
block in log on vr0
pass in quick on lo0
pass out quick on lo0

# get rid of unwanted and unexpected networks
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any

# Rule to block nmap fingerprinting attempts
block in quick on vr0 proto tcp all flags FUP

# block all packets with ip options.
block in log quick all with ipopts

# block all fragmented and short packets
block in quick all with frag
block in quick all with short

# block silently netbios/msds/mssql traffic from the local lan
block in quick on vr0 proto tcp from any to any port = 135

# allow mail/web traffic
pass in quick on vr0 proto tcp from any to $local_ip1 port = smtp
pass in quick on vr0 proto tcp from any to $local_ip1 port = http
pass in quick on vr0 proto tcp from any to $local_ip2 port = http

# allow pings and traceroutes
pass in quick proto icmp from any to $local_ip1 icmp-type 8 # echo request
pass in quick proto udp from any to $local_ip1 port 33434 >< 33690 keep state

# allow anyone to ssh in
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

# stateful allowing of internal traffic and replies
pass out quick on vr0 proto tcp/udp from any to any keep state keep frags
pass out quick on vr0 proto icmp from any to any keep state