From: "fbsd_user"
Reply-To: fbsd_user@a1poweruser.com
To: "Maxim Vetrov", freebsd-questions@FreeBSD.org
Date: Tue, 14 Feb 2006 10:36:39 -0500
Subject: RE: IPFILTER rule error
In-Reply-To: <43F27C4D.9010904@mail.ru>
List-Id: User questions (freebsd-questions@freebsd.org)

First of all, you really need to read the ipfilter section of the FreeBSD Handbook. The correct solution is given as an example in the Handbook. You do not need to compile ipfilter into the kernel for it to work. From your rules I see no need for that head/group stuff, so remove it. I see rl0 being assigned a private IP address, which means that NIC is facing your LAN, which is behind your gateway box. That IP address range is not routable on the public internet.
You have something messed up big time. Your firewall rules are supposed to be on the NIC facing the public internet. You NAT the public IP address to your private LAN IP addresses. The reason you have no log records is that your firewall rules have a syntax error and are never loaded. Only rules with the log keyword will generate log records. Only use rules with the quick option. Do not mix quick and non-quick rules. You need pass in rules for your ISP's DNS and DHCP servers to access your box. Explain your network layout in detail. Do you have a LAN? How are you connected to the public internet? Again, I strongly recommend you read the ipfilter section of the Handbook; your answers are there.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Maxim Vetrov
Sent: Tuesday, February 14, 2006 7:57 PM
To: freebsd-questions@FreeBSD.org
Subject: Re: IPFILTER rule error

Hi,

Sorry, I really do not want you to guess! Here is what you asked:

kernel conf:
-------------------------------------------------------
...
options IPFILTER
options IPFILTER_LOG
#options IPFILTER_DEFAULT_BLOCK
#options IPSTEALTH
...
-------------------------------------------------------

rc.conf:
-------------------------------------------------------
...
ifconfig_rl0="inet 10.0.1.1 netmask 255.255.255.248"
...
ipnat_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
...
-------------------------------------------------------

services:
-------------------------------------------------------
...
sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
sunrpc 111/udp rpcbind #SUN Remote Procedure Call
...
-------------------------------------------------------

ipf.rules:
-------------------------------------------------------
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 proto tcp/udp from any to any port = 717 keep state group 20
# note: group 20 is the head created by the "block in" rule above; the "block out" head is group 25
pass out quick on rl0 proto udp from any to any port = 111 keep state group 20
--------------------------------------------------------

Steps to load the rules:
> ipf -Fa
> ipf -f /etc/ipf.rules
1:ioctl (add/insert rule): No such process

And there is one more problem: despite having packet logging enabled by default (-Ds) through syslogd, the log is empty!

syslog.conf:
--------------------------------------------------------
...
security.* /var/log/security
...
--------------------------------------------------------

That file exists and has root rw permissions.

If this helps: after I moved to 6.0 from 5.4 (backup-format-install-restore), this config stopped working. I know that I'm doing something wrong, but what exactly?

Regards,
Muxas
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
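The layout the reply describes, written out as an added example (not the poster's rules and not the Handbook's ruleset): filter on the NIC facing the ISP, NAT the LAN behind it, make every rule quick so first match wins, keep state on the outbound rules so DNS answers come back without a pass in rule, leave an explicit hole only for the ISP's DHCP server, and put log on the block rules so ipmon has something to record. It assumes a second NIC named ed0 on the public side with a DHCP-assigned address; rl0 with 10.0.1.1/29 is the LAN NIC from the original post. Both files are shown in one listing, each under its own path comment.

```conf
# /etc/ipf.rules   (added example; ed0 = public NIC, an assumption; rl0 = LAN NIC from the post)
# Every rule carries "quick", so the first matching rule wins and order is top to bottom.

# Loopback and the LAN side are trusted.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on rl0 all
pass out quick on rl0 all

# Public side, outbound: anything the gateway itself or a NATed LAN host starts.
# "keep state" lets the replies (DNS answers included) back in; no pass in rule is needed for them.
pass out quick on ed0 proto tcp from any to any flags S keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state

# Public side, inbound: the ISP's DHCP offer/ack does not match the state entry that the
# 0.0.0.0 -> 255.255.255.255 discover created, so it needs its own pass in rule.
pass in quick on ed0 proto udp from any port = 67 to any port = 68

# Private source addresses have no business arriving on the public NIC; log them.
block in log quick on ed0 from 10.0.0.0/8 to any
block in log quick on ed0 from 172.16.0.0/12 to any
block in log quick on ed0 from 192.168.0.0/16 to any

# Everything else that reaches the public NIC unsolicited is dropped and logged.
# Only rules carrying "log" ever produce an ipmon record.
block in log quick on ed0 all
block out log quick on ed0 all

# /etc/ipnat.conf   (added example, same assumptions)
# Translate the whole LAN block to whatever address ed0 currently holds (0/32).
map ed0 10.0.1.0/29 -> 0/32 portmap tcp/udp 10000:20000
map ed0 10.0.1.0/29 -> 0/32
```

For this to route at all, rc.conf also needs gateway_enable="YES" next to the ipfilter_enable, ipnat_enable and ipmon_enable lines already in the post. Before loading anything by hand, check that the filter is actually running with `ipf -V` (it prints a "Running:" line); then load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.conf`, and confirm what the kernel holds with `ipfstat -io` and `ipnat -l`. One caveat on the empty log: ipmon -s sends its records through syslog on the local0 facility by default, so a `security.*` line in syslog.conf never sees them; add a line such as `local0.* /var/log/ipfilter.log`, create that file, and restart syslogd.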