From: Jens Rehsack (LiWing IT-Services)
To: "Karsten W. Rohrbach"
Cc: Michael Riexinger, freebsd-stable@freebsd.org
Subject: Re: ipfilter problem
Date: Mon, 06 May 2002 00:46:58 +0200
Message-ID: <3CD5B662.26298116@liwing.de>
List: freebsd-stable@freebsd.org (via owner-freebsd-stable, Sun 5 May 2002 15:53:45)

"Karsten W. Rohrbach" wrote:
>
> Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000:
> > On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > the problem can only be analyzed efficiently if you show us the rest of
> > > the ruleset. anything else is pure guesswork, based on assumptions about
> > > your ipf configuration.
> > >
> > > regards,
> > > /k
> > Ok, here they are. But I wonder why it worked without problems with
> > previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> > states to the newsserver.
> > (tcp4 0 0 dialin-212-144-1.49368 news.fu-berlin.d.nntp FIN_WAIT_1)
> >
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > pass in quick on ed0 all
> > pass out quick on ed0 all
> >
> > pass out quick on isp0 proto tcp/udp from any to any keep state
>
> pass out quick on isp0 proto tcp from any to any flags S/SA keep state
> pass out quick on isp0 proto udp from any to any keep state

I don't use the flags, but my ruleset works. But I have seen many times
(others and me, too) people being confused about the "last rule match" and
the "quick leaves promptly" behaviour. I do the following: I write all global
rules at the top of the file/section, in this case the 3 lines with
"return-unr". Then I specialize in the next lines using "quick" rules.
This works, if I do not write it after the 4th beer. But sometimes even
then ;-)

Jens

>
> instead of the above one line should work. if it doesn't then give me a
> slap on the head, i'm still a bit drunk from yesterday ;-)
>
> > pass out quick on isp0 proto icmp from any to any keep state
> >
> > pass in quick on isp0 proto tcp from any to any port = 80
> > pass in quick on isp0 proto tcp from any to any port = 60000
> >
> > block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from any to any
> > block return-rst in log quick on isp0 proto tcp from any to any
> > block return-icmp(port-unr) in log quick on isp0 proto udp from any to any
>
> 'ipfstat -s' on your box will tell you about state statistics.
>
> when you reload your rule set for testing, you should invoke it like
> 'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old
> state table.
>
> 'ipfstat -t' gives you a "top" style display of current states, so you
> can check them in realtime.
>
> regards,
> /k
>
> --
> MCSE: Minesweeper Consultant & Solitaire Engineer
> WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
> REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
> REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
> My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
> Please do not remove my address from To: and Cc: fields in mailing lists. 10x

--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
http://www.liwing.de/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
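The two mechanisms argued about in this thread, Jens's "last rule match" versus "quick" ordering and Karsten's state table that `ipf -FS` flushes, can be modelled in a few lines. The following is an added illustration written for this archive page; it is not ipfilter's code. It assumes ipf's usual compiled-in default of pass when no rule matches, handles only the rule fields that appear in the posted ruleset (direction, interface, proto, destination port, flags S/SA, keep state; return-* and log are accepted and ignored), ignores addresses, and uses a state table with no TCP state machine or timeouts. The host names "dialin" and "newsserver" and the demo rulesets JENS_STYLE and LAST_MATCH_TRAP are constructed for the example.

```python
"""Toy model of how ipfilter walks a ruleset: every rule is consulted and the
LAST matching rule wins, unless a matching rule says 'quick', which ends the
walk at once.  Packets belonging to a connection recorded by 'keep state'
never reach the rules.  Added illustration, not ipfilter's code."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # a bare SYN, which is what 'flags S/SA' selects


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    quick: bool
    iface: str
    protos: Tuple[str, ...] # () matches any protocol
    dport: Optional[int]    # None matches any destination port
    syn_only: bool          # rule carries 'flags S/SA'
    keep_state: bool
    text: str


def parse_rule(line: str) -> Rule:
    """Parse the ipf subset used in the thread (assumption: usual field order)."""
    toks = line.split()
    rest = [t for t in toks[1:] if not t.startswith("return-") and t != "log"]
    protos = tuple(rest[rest.index("proto") + 1].split("/")) if "proto" in rest else ()
    return Rule(
        action=toks[0],
        direction=rest[0],
        quick="quick" in rest,
        iface=rest[rest.index("on") + 1],
        protos=protos,
        dport=int(rest[rest.index("=") + 1]) if "=" in rest else None,
        syn_only="flags" in rest and rest[rest.index("flags") + 1] == "S/SA",
        keep_state="keep" in rest,
        text=line.strip(),
    )


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return not rule.syn_only or pkt.syn_only


class Firewall:
    def __init__(self, ruleset: str, default: str = "pass"):
        # assumption: no IPFILTER_DEFAULT_BLOCK, so an unmatched packet passes
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.default = default
        self.state = set()

    def flush_state(self) -> None:
        """What 'ipf -FS' does: forget every tracked connection."""
        self.state.clear()

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason): reason is 'state', the winning rule, or 'default'."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "pass", "state"      # state lookup happens before any rule
        winner = None
        for rule in self.rules:
            if rule_matches(rule, pkt):
                winner = rule           # last match wins ...
                if rule.quick:          # ... unless the match is 'quick'
                    break
        if winner is None:
            return self.default, "default"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(fwd)
        return winner.action, winner.text


# The isp0 part of the ruleset posted in the thread.
MICHAEL_RULES = """
pass out quick on isp0 proto tcp/udp from any to any keep state
pass out quick on isp0 proto icmp from any to any keep state
pass in quick on isp0 proto tcp from any to any port = 80
pass in quick on isp0 proto tcp from any to any port = 60000
block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from any to any
block return-rst in log quick on isp0 proto tcp from any to any
block return-icmp(port-unr) in log quick on isp0 proto udp from any to any
"""

# Constructed rulesets for the ordering point: global block first, quick
# exceptions after it (Jens's layout) versus the same rules relying on order alone.
JENS_STYLE = """
block in on isp0 all
pass in quick on isp0 proto tcp from any to any port = 80
"""
LAST_MATCH_TRAP = """
pass in on isp0 proto tcp from any to any port = 80
block in on isp0 all
"""


def nntp_roundtrip(flush_between: bool):
    """Outbound NNTP connect, then the server's reply; the reply passes only via state."""
    fw = Firewall(MICHAEL_RULES)
    out = Packet("out", "isp0", "tcp", "dialin", 49368, "newsserver", 119, syn_only=True)
    back = Packet("in", "isp0", "tcp", "newsserver", 119, "dialin", 49368)
    first = fw.filter(out)[0]
    if flush_between:
        fw.flush_state()
    return first, fw.filter(back)


def verdicts(ruleset: str):
    """Verdict for an inbound web and an inbound ssh packet under a ruleset."""
    fw = Firewall(ruleset)
    web = Packet("in", "isp0", "tcp", "remote", 40000, "me", 80)
    ssh = Packet("in", "isp0", "tcp", "remote", 40001, "me", 22)
    return fw.filter(web)[0], fw.filter(ssh)[0]


if __name__ == "__main__":
    print(nntp_roundtrip(False), nntp_roundtrip(True))
    print(verdicts(JENS_STYLE), verdicts(LAST_MATCH_TRAP))
```

Running it shows both points of the thread. With state intact the news server's reply to port 49368 passes on the state entry without touching a single rule; after `flush_state()` (the model's `ipf -FS`) the same reply walks the rules, misses the two inbound `port =` exceptions and lands on `block return-rst`, which is why Karsten flushes state deliberately when reloading rules, and why an inbound packet is only as welcome as its state entry. For ordering, JENS_STYLE passes port 80 and blocks port 22 because the later `quick` rule ends the walk, while LAST_MATCH_TRAP blocks both: the pass rule matches first but, without `quick`, the trailing `block ... all` is the last match and wins.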