From: Asrai khn <asraikhn@gmail.com>
To: freebsd-questions@freebsd.org
Date: Wed, 2 Dec 2009 18:23:55 +0500
Message-ID: <5f0f8dba0912020523h1c41ae04ua781781f84dbea1e@mail.gmail.com>
Subject: Machine running ipf block TCP connections

I have configured an IPF-based firewall on Solaris 10; however, for some reason which I do not understand, the machine blocks all TCP connections a few hours after deploying the firewall rules. While blocked, the machine is not pingable, nor can I SSH to it; consequently I have to access it via the console and disable ipf. This machine is running RADIUS software, and while the machine is blocking TCP connections, UDP keeps working, which means our dialup customers are still able to dial into our services. Below are the rules I am using; as far as I can understand, the 'keep state' thing is causing the problem.

# Pass through packets to and from localhost.
pass out quick on lo0
pass in quick on lo0

# Allow a variety of individual hosts to send any type of packet to this host.
# pass in quick from xxx.xx.xxx.xxx/32 to any keep state
pass in quick from xxx.xx.xxx.xxx/32 to any keep state

# Allow all ICMP
pass in quick proto icmp from any to any keep state

# Allow all RADIUS
pass in quick proto udp from any to any port = 1812 keep state
pass in quick proto udp from any to any port = 1813 keep state

# Allow FTP for mediation to collect files via FTP
pass in quick proto tcp from 10.254.160.0/24 to any port = 20 keep state
pass in quick proto tcp from 10.254.160.0/24 to any port = 21 keep state

pass out quick from any to any keep state
block in quick all
-------------------

Any help will be highly appreciated; please reply to me directly, as I am not subscribed to the mailing list. Thanks.
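As an added illustration (not part of the original message), a small Python model of how ipf evaluates the ruleset above: the state table is consulted first, then the rules are walked in order with `quick` ending the search at the first match, and `keep state` recording the flow so that the reverse packet passes. All addresses are constructed placeholders, including the stand-in for the redacted trusted host, and the handful of packets in `demo()` are constructed too.

```python
import ipaddress
TRUSTED = "192.0.2.10"   # constructed stand-in for the post's redacted xxx.xx.xxx.xxx host
RULES = f"""pass out quick on lo0
pass in quick on lo0
pass in quick from {TRUSTED}/32 to any keep state
pass in quick proto icmp from any to any keep state
pass in quick proto udp from any to any port = 1812 keep state
pass in quick proto udp from any to any port = 1813 keep state
pass in quick proto tcp from 10.254.160.0/24 to any port = 20 keep state
pass in quick proto tcp from 10.254.160.0/24 to any port = 21 keep state
pass out quick from any to any keep state
block in quick all"""

def parse(line):   # one ipf rule -> dict; only the keywords used in the post are handled
    t = line.split()
    after = lambda kw, n=1: t[t.index(kw) + n] if kw in t else None
    src = after("from")
    return {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": after("on"),
            "proto": after("proto"), "port": after("port", 2), "state": "keep" in t,
            "src": None if src in (None, "any") else ipaddress.ip_network(src)}
def matches(r, p):   # a missing keyword in the rule means "any"
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and r["port"] in (None, str(p["dport"]))
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"]))

class Filter:
    def __init__(self, text):
        self.rules = [parse(l) for l in text.splitlines() if l.strip() and l[0] != "#"]
        self.state = set()   # keep-state entries: (proto, {endpoint_a, endpoint_b})
    def check(self, p):
        key = (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))
        if key in self.state: return "pass (state)"   # state table is checked before the rules
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r["quick"]: break   # quick: first match wins; otherwise the last match would
        if winner and winner["action"] == "pass" and winner["state"]:
            self.state.add(key)   # the reverse packet of this flow will now match the entry
        return winner["action"] if winner else "pass"   # ipf default with no match is pass

def pkt(dir, proto, src, sport, dst, dport, iface="bge0"): return locals()
def demo():
    fw, host = Filter(RULES), "10.254.1.1"   # constructed address of the RADIUS box
    return {
        "ssh_in_unknown": fw.check(pkt("in", "tcp", "203.0.113.7", 40000, host, 22)),
        "ftp_in_mediation": fw.check(pkt("in", "tcp", "10.254.160.9", 40002, host, 21)),
        "radius_in": fw.check(pkt("in", "udp", "10.1.1.1", 1645, host, 1812)),
        "ssh_out": fw.check(pkt("out", "tcp", host, 50000, "203.0.113.7", 22)),
        "ssh_out_reply_in": fw.check(pkt("in", "tcp", "203.0.113.7", 22, host, 50000)),
    }
```

The model shows why an inbound connection with no matching state entry falls through to `block in quick all` while a flow that was started outbound is admitted by its state entry alone; it does not model state expiry or the size limit of the state table, which a real diagnosis of the reported symptom would have to look at.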