From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Roman Serbski
Cc: freebsd-questions@freebsd.org
Date: Mon, 27 Feb 2006 16:50:11 +0200
Subject: Re: Help with IP Filter 4.1.8
Message-ID: <20060227145011.GA37745@flame.pc>
References: <4402232A.8010908@locolomo.org>

On 2006-02-27 18:48, Roman Serbski wrote:
> On 2/27/06, Erik Nørgaard wrote:
>> Could you change your last rule to this:
>>
>> block in log quick on xl0 all
>>
>> and then tell what you see in the log. This would give some information
>> if any traffic is blocked in the first place. Actually, adding the log
>> keyword to all rules for the xl0 interface might be a good idea for
>> debugging.
>>
>> Also, is this the complete ruleset or did you remove rules you thought
>> were irrelevant? If so, then post the whole ruleset.
>
> Thank you. I removed 'flags' as it was suggested by Giorgos Keramidas
> but it didn't help.
>
> This is not the complete ruleset, I mean there are a lot of other
> rules, but I removed everything to be sure and left only outgoing
> 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with
> ipf v3.4.35 (336) and it worked well.
>
> Adding the 'log' keyword produced the following record:
>
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad
>
> where XXX is the IP address of the ISP's DNS server, and YYY is the server
> I'm running ipf on. There was a hit on a rule allowing outgoing 53/udp
> and it seems like the response from the DNS server was blocked. The outgoing
> port number used by YYY is always changing - on a second run it
> was 51212.
>
> Of course I can allow incoming connections to ports > 1024, but I
> really would like to understand why it was working with ipf v3.4.35
> and not with v4.1.8.
>
> Once again, thank you all for your help.

It looks like the stateful rule didn't succeed in creating a state for
the outgoing UDP packet:

    pass out quick on lo0 from any to any
    pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
 => pass out quick on xl0 proto udp from any to any port = domain keep state
    block out log quick on xl0 all

I'm not sure why this would happen though.
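The symptom discussed above (a DNS answer hitting the block rule although the query went out through a "keep state" rule) shows up in the IP Filter log record Roman quoted. The following is an added example, not code from the thread or from IP Filter: a small parser for that ipmon-style record format that flags blocked inbound UDP packets from port 53 to an ephemeral port, i.e. replies that a working state entry should have let in. The sample log lines and the addresses in them are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Record shape as quoted in the thread (a leading ipmon timestamp, if present, is skipped):
#   <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <plen> <IN|OUT> [flags]
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)"
)

@dataclass
class IpmonRecord:
    iface: str
    rule: str        # "group:rule", e.g. "0:2" as in the quoted record
    blocked: bool    # action 'b' (blocked) vs 'p' (passed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    inbound: bool

def parse_ipmon(line: str) -> Optional[IpmonRecord]:
    """Parse one log line; return None for lines that are not packet records."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    return IpmonRecord(m["iface"], f"{m['group']}:{m['rule']}", m["action"] == "b",
                       m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                       m["proto"].lower(), m["dir"] == "IN")

def is_blocked_dns_reply(rec: IpmonRecord) -> bool:
    """Blocked inbound UDP from port 53 to an ephemeral port: almost certainly the
    answer to a query this host sent, which a matching state entry should have passed."""
    return (rec.blocked and rec.inbound and rec.proto == "udp"
            and rec.sport == 53 and rec.dport > 1024)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
27/02/2006 16:45:12.123456 xl0 @0:2 b 192.0.2.53,53 -> 198.51.100.10,60808 PR udp len 20 298 IN bad
27/02/2006 16:45:13.000000 xl0 @0:1 p 198.51.100.10,51212 -> 192.0.2.53,53 PR udp len 20 62 OUT
27/02/2006 16:45:14.000000 xl0 @0:2 b 203.0.113.7,4444 -> 198.51.100.10,22 PR tcp len 20 60 IN
"""

def find_blocked_dns_replies(log_text: str) -> List[str]:
    """Return one human-readable finding per blocked DNS reply in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec and is_blocked_dns_reply(rec):
            hits.append(f"{rec.iface} rule {rec.rule}: reply {rec.src}:{rec.sport} "
                        f"-> {rec.dst}:{rec.dport} blocked (state missing?)")
    return hits
```

Run it over the output of ipmon on the firewall host; a steady stream of findings for one "keep state" rule points at that rule not creating state rather than at the block rule itself.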