Date: Thu, 27 Jan 2000 01:01:39 +0200
From: Giorgos Keramidas <charon@hades.hell.gr>
To: Kris Kennaway <kris@hub.freebsd.org>
Cc: current@FreeBSD.ORG
Subject: Re: ipfilter and ipfstat
Message-ID: <20000127010139.A3331@hades.hell.gr>
In-Reply-To: <Pine.BSF.4.21.0001252121590.55762-100000@hub.freebsd.org>; from kris@hub.freebsd.org on Tue, Jan 25, 2000 at 09:23:23PM -0800
References: <20000125051418.A62880@charon.hell.gr> <Pine.BSF.4.21.0001252121590.55762-100000@hub.freebsd.org>
On Tue, Jan 25, 2000 at 09:23:23PM -0800, Kris Kennaway wrote:
> On Tue, 25 Jan 2000, the Webslave wrote:
>
> > > Okay, so I finally decided to take the plunge and check out ipfilter. ipf
> > > seemed to load my ruleset with no problems, but ipfstat dies with:
> > >
> > > ioctl(SIOCGETFS): Invalid argument
> >
> > And what would that ruleset be?
> >
>
> # Default to deny
> block in log on tun0 from any to any
[snip]

I have tested your ruleset in my ipf/ipfstat version. The one I have
comes from the 4.0-20000124-CURRENT snapshot, since I haven't had the
time to cvsup/make-world since. The results of the tests are shown
below, and as you can see ipfstat reports the rules correctly.

hades# ipf -FA
hades# cd /tmp
hades# ipf -f ipf.conf
hades# ipfstat -nio
@1 pass out quick on tun0 proto tcp/udp from any to any keep state
@2 pass out quick on tun0 proto icmp from any to any keep state
@3 pass out quick on lo0 from any to any
@1 block in log on tun0 from any to any
@2 block in quick on tun0 from 192.168.0.0/16 to any
@3 block in quick on tun0 from 172.16.0.0/12 to any
@4 block in quick on tun0 from 10.0.0.0/8 to any
@5 block in quick on tun0 from 127.0.0.0/8 to any
@6 pass in quick on tun0 proto tcp from any to any port = 12345 flags S/FSRPAU keep state keep frags
@7 pass in quick on tun0 proto udp from any to any port = 31337 keep state
@8 pass in quick on lo0 from any to any
hades# ipf -FA
hades# ipf -f /etc/ipf.conf

What version of ipfilter/ipfstat are you using? I don't know if
cvsup'ing your sources to a more recent version might help at all, but
I don't see a problem with these rules and ipfstat... I'm sorry if
that is not of any help to you, but I can't seem to find anything wrong
here :/
--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"Don't let your schooling interfere with your education." [Mark Twain]
