Date:      Mon, 27 Feb 2006 16:50:11 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Roman Serbski <mefystofel@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Help with IP Filter 4.1.8
Message-ID:  <20060227145011.GA37745@flame.pc>
In-Reply-To: <cca5083b0602270548s4147d332v5df89fdb9a0b7ccd@mail.gmail.com>
References:  <cca5083b0602260715w2f4a9e49o494f2f537afca2db@mail.gmail.com> <4402232A.8010908@locolomo.org> <cca5083b0602270548s4147d332v5df89fdb9a0b7ccd@mail.gmail.com>

On 2006-02-27 18:48, Roman Serbski <mefystofel@gmail.com> wrote:
>On 2/27/06, Erik Nørgaard <norgaard@locolomo.org> wrote:
>> Could you change your last rule to this:
>>
>> block in log quick on xl0 all
>>
>> and then tell what you see in the log. This would give some information
>> if any traffic is blocked in the first place. Actually, adding the log
>> keyword to all rules for the xl0 interface might be a good idea for
>> debugging.
>>
>> Also, is this the complete ruleset or did you remove rules you thought
>> were irrelevant? If so, then post the whole ruleset.
>
> Thank you. I removed 'flags' as it was suggested by Giorgos Keramidas
> but it didn't help.
>
> This is not the complete ruleset, I mean there are a lot of other
> rules, but I removed everything to be sure and left only outgoing
> 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with
> ipf v3.4.35 (336) and it worked fine.
>
> Adding the 'log' keyword produced the following record:
>
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad
>
> where XXX - is IP address of DNS server of ISP, and YYY is the server
> I'm running ipf on. There was a hit on a rule allowing outgoing 53/udp
> and it seems like the response from DNS server was blocked. Outgoing
> port number returned by YYY is always changing - on a second run it
> was 51212.
>
> Of course I can allow incoming connections to ports > 1024, but I
> really would like to understand why it was working with ipf v3.4.35
> and not with v4.1.8.
>
> Once again, thank you all for your help.

It looks like the stateful rule didn't succeed in creating a state for
the outgoing UDP packet:

    pass out quick on lo0 from any to any
    pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
=>  pass out quick on xl0 proto udp from any to any port = domain keep state
    block out log quick on xl0 all

I'm not sure why this would happen though.
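The diagnosis in this thread rests on reading one ipmon(8) record and recognising it as the blocked reply half of a flow that "pass out ... keep state" should have covered. The following script is an added example, not code from this thread or from IPFilter: it parses lines of the shape quoted above (interface, @group:rule, action, src,port -> dst,port, PR proto, len, IN/OUT, trailing flags) and flags blocked inbound packets whose source port is a service we allow outbound to (here the two DNS rules) and whose destination port is ephemeral. The log lines, the RFC 5737 addresses in them and the ALLOWED_OUT set are constructed for the example; the parser assumes the field order seen in the quoted record and nothing more about ipmon's output.

```python
"""Spot ipmon(8) 'block' records that look like replies a
'pass out ... keep state' rule should already have let back in.
Added example for this thread; not part of IPFilter."""
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple


class IpmonRecord(NamedTuple):
    ifname: str
    group: int
    rule: int
    action: str              # 'b' = block, 'p' = pass; other letters are kept as-is
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str           # 'IN' or 'OUT'
    flags: Tuple[str, ...]   # trailing tokens such as 'bad', kept verbatim, not interpreted


# Shape of the record quoted in the thread (assumed field order):
#   xl0 @0:2 b X,53 -> Y,60808 PR udp len 20 298 IN bad
_IPMON_RE = re.compile(
    r"^(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[0-9.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+\s+(?P<direction>IN|OUT)"
    r"(?P<flags>(?:\s+\S+)*)\s*$"
)


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Return an IpmonRecord for one ipmon log line, or None if it does not match."""
    m = _IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonRecord(
        ifname=m["ifname"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"].lower(),
        direction=m["direction"], flags=tuple(m["flags"].split()),
    )


# (proto, destination port) pairs covered by a 'pass out ... keep state' rule.
# Constructed to mirror the two DNS rules in the ruleset quoted above.
ALLOWED_OUT: Set[Tuple[str, int]] = {("udp", 53), ("tcp", 53)}


def suspected_state_misses(lines: Iterable[str],
                           allowed_out: Set[Tuple[str, int]] = ALLOWED_OUT,
                           ephemeral_floor: int = 1024) -> List[IpmonRecord]:
    """Blocked inbound packets whose source port is a service we allow outbound
    to and whose destination port is ephemeral: the reply half of a flow that
    'keep state' should have matched. Non-matching lines are skipped."""
    hits: List[IpmonRecord] = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec.action != "b" or rec.direction != "IN":
            continue
        if (rec.proto, rec.sport) in allowed_out and rec.dport >= ephemeral_floor:
            hits.append(rec)
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not the thread's hosts).
SAMPLE_LOG = [
    "xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.7,60808 PR udp len 20 298 IN bad",
    "xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.7,51212 PR udp len 20 120 IN",
    "xl0 @0:2 b 203.0.113.9,44321 -> 198.51.100.7,22 PR tcp len 20 60 IN",
    "xl0 @0:4 b 198.51.100.7,40000 -> 203.0.113.9,443 PR tcp len 20 60 OUT",
    "not an ipmon line at all",
]


def report(lines: Iterable[str] = SAMPLE_LOG) -> List[str]:
    """One human-readable line per suspected state miss, trailing flags included."""
    return [
        f"{r.ifname} rule @{r.group}:{r.rule} blocked {r.proto} reply "
        f"{r.src}:{r.sport} -> {r.dst}:{r.dport}"
        + (f" (flags: {' '.join(r.flags)})" if r.flags else "")
        for r in suspected_state_misses(lines)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Only the two DNS replies to ephemeral ports are reported; the unsolicited inbound ssh attempt and the outbound block are not, which is the distinction the thread draws between "open ports > 1024" and "find out why state was not created". The trailing token is surfaced but not interpreted, so a run of records all carrying the same flag is visible without the script guessing at ipmon's meaning for it.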




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060227145011.GA37745>