Date: Sat, 25 Apr 2009 16:19:34 +0200
From: Jonas Bülow <freebsd@jongel.net>
To: FreeBSD-stable@FreeBSD.org
Subject: ipfilter seems to be broken on 7.2-PRERELEASE as of April 25:th 2009.
Message-ID: <196E4005-25E9-4C46-99BD-8F717849703F@jongel.net>

Hi,

Today I updated one of my servers tracking FreeBSD 7-stable (7.2-PRERELEASE #3: Sat Apr 25 10:01:00 CEST 2009). After reboot it was not reachable from the network. After some troubleshooting I found that ipfilter seems to be the problem. Returning traffic originating from my host (XXX) is blocked:

    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT

Comparing the ipfilter log from before the upgrade, there were no "IN bad NAT" log entries before the upgrade.

My active ipfilter rules are:

    block in log on fxp0 all
    pass out quick on fxp0 proto tcp from XXX/32 to any flags S/SAFR keep state
    pass out quick on fxp0 proto udp from XXX/32 to any keep state
    pass out quick on fxp0 proto icmp from XXX/32 to any keep state

My NAT rules are:

    map fxp0 10.1.0.0/24 -> XXX/32 proxy port ftp ftp/tcp
    map fxp0 10.1.0.0/24 -> XXX/32 portmap tcp/udp 1025:65500
    map fxp0 10.1.0.0/24 -> XXX/32

Anyone seen this behaviour?

Regards,
Jonas
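Added example, not part of the original message: a small Python parser for the ipmon lines quoted above that counts blocked "bad NAT" records per interface, rule and source endpoint, so logs from before and after an upgrade can be compared. The function names `parse_ipmon` and `bad_nat_summary` are hypothetical, the field layout is inferred only from the two quoted lines, and the default network is taken from the poster's `map` rules.

```python
import ipaddress
import re
from collections import Counter

# Field layout inferred from the two ipmon lines quoted in the message above;
# other ipmon record shapes (TCP flags, ICMP types, IPv6) are not handled.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>[\d:.]+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)(?: (?P<note>.+))?$"
)

def parse_ipmon(line):
    """Return a dict of fields for one syslog-wrapped ipmon line, or None."""
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec

def bad_nat_summary(lines, nat_net="10.1.0.0/24"):
    """Count blocked 'bad NAT' records per (interface, rule, source endpoint).

    Also returns how many of them were addressed to a host inside nat_net,
    the source network of the map rules (assumed from the message).
    """
    net = ipaddress.ip_network(nat_net)
    counts, inside = Counter(), 0
    for line in lines:
        rec = parse_ipmon(line)
        if not rec or rec["action"] != "b" or rec["note"] != "bad NAT":
            continue
        counts[(rec["ifname"], f"@{rec['group']}:{rec['rule']}",
                f"{rec['src']},{rec['sport']}/{rec['proto']}")] += 1
        inside += ipaddress.ip_address(rec["dst"]) in net
    return counts, inside

# The two log lines from the message, plus one constructed line without the
# "bad NAT" note to show that ordinary blocks are not counted.
SAMPLE = [
    "Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT",
    "Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT",
    "Apr 24 09:00:01 jongel ipmon[624]: 09:00:01.000001 fxp0 @0:1 b 192.0.2.7,4000 -> 10.1.0.254,22 PR udp len 20 60 IN",  # constructed
]

if __name__ == "__main__":
    counts, inside = bad_nat_summary(SAMPLE)
    for key, n in counts.items():
        print(n, *key)
    print("destinations inside NAT source network:", inside)
```

Running the same summary over the pre-upgrade and post-upgrade log files and diffing the counters shows whether "bad NAT" blocks are new and which rule and remote endpoint they cluster on.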