From owner-freebsd-questions@FreeBSD.ORG Sat Aug 26 22:45:55 2006
Date: Sun, 27 Aug 2006 01:19:04 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "J.D.
Bronson"
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter on 6.1
Message-ID: <20060826221904.GD2666@gothmog.pc>
In-Reply-To: <7.0.1.0.2.20060826170941.01982d10@sixcompanies.com>
References: <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com>
 <20060826204015.GI1311@gothmog.pc>
 <7.0.1.0.2.20060826160530.01982d10@sixcompanies.com>
 <20060826220706.GC2666@gothmog.pc>
 <7.0.1.0.2.20060826170941.01982d10@sixcompanies.com>

On 2006-08-26 17:10, "J.D. Bronson" wrote:
> At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:
> >Weird. This doesn't seem to include *ANY* block rules at all.
> >
> >Is this a standard 6.1 installation, or do you have local IP Filter
> >modifications (like, for instance, a modified 'default' rule which
> >blocks everything, instead of allowing everything)?
>
> Yes and no.
>
> I did build a kernel with BLOCK as a default...
> but my IPF rules are pass it all with no specific blocking...

Well, there's your problem then.  If you are using a modified kernel with
"block" as the default action for IP Filter, then you have to *EXPLICITLY*
allow traffic to traverse the loopback interface, which you haven't done.
Your current "ipf.conf" includes:

    # Pass LAN traffic to/from bge0
    pass in quick on bge0 all keep state keep frags
    pass out quick on bge0 all keep state keep frags

    # Pass traffic to WAN and keep state
    pass out quick on tun0 proto tcp all flags S keep state keep frags
    pass out quick on tun0 proto udp all keep state keep frags
    pass out quick on tun0 proto icmp all keep state keep frags

Try reverting the local IP Filter changes that modify the default policy
to "block" and use something like this instead:

+ # Block everything by default.
+ block in log from any to any
+ block out log from any to any
+
+ # Allow everything on lo0.
+ pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
+ pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32

  # Pass LAN traffic on bge0 interface.
  pass in quick on bge0 all keep state keep frags
  pass out quick on bge0 all keep state keep frags

  # Pass outgoing traffic to WAN and keep state
  pass out quick on tun0 proto tcp all flags S keep state keep frags
  pass out quick on tun0 proto udp all keep state keep frags
  pass out quick on tun0 proto icmp all keep state keep frags

Please pay particular attention to the rules marked with '+' above.

This may explain why in a previous post you wrote:

On 2006-08-26 15:02, "J.D. Bronson" wrote:
> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...
>
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174
>   alias 10.43.82.171 - for bind9 views
>   alias 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> well I can't even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind) are
> unanswered yet it is able to fully answer requests from internal or
> external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I want to
> connect up to, the router is able to get out and uses the correct IP.

You are implicitly blocking all traffic on the lo0 interface (by the
modified default policy that blocks all traffic, combined with the missing
explicit rule to allow lo0 traffic).  When a system tries to connect to
itself, it uses lo0/127.0.0.1 and this is not possible with your setup.

I hope this helps a bit,

-- 
Giorgos
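Added example (not part of the original thread, and not IP Filter's own code): a small Python model of how ipf walks the rulesets quoted above, so the loopback problem can be reproduced on paper before touching the box. It models only what the discussion turns on: rules are scanned in order, the last matching rule wins unless a matching rule says "quick", and a packet that matches no rule gets the kernel default ("pass" on a stock kernel, "block" on a kernel built with IPFILTER_DEFAULT_BLOCK). Names such as `Packet`, `Rule`, `decide` and `loopback_decisions` are this example's own. It runs J.D.'s original rules under a default-block kernel, then Giorgos's suggested rules under a default-pass kernel. It also includes a self-connection to the host's own bge0 address (10.43.82.174 from the thread): FreeBSD routes such a connection over lo0 too, with that address as both source and destination, so the 127.0.0.1/32 rules do not match it; the third ruleset in the example, a `pass ... on lo0 all` variant, is an assumption of this example, not something from the thread. The 198.51.100.7 WAN address is a constructed TEST-NET-2 value.

```python
"""Toy model of IP Filter (ipf) rule evaluation for the rulesets in this thread.

Added illustration, not ipf's own code.  Only the semantics the thread hinges
on are modelled: rules are scanned in order, the LAST match wins unless a
matching rule says "quick" (scanning stops), and a packet no rule matches gets
the kernel default: "pass" on a stock kernel, "block" with IPFILTER_DEFAULT_BLOCK.
"keep state", "keep frags", "flags" and "log" are parsed and ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    action: str       # "pass" or "block"
    direction: str    # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None  # None matches anything, likewise below
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None


def _addr(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax that appears in the thread."""
    tok = line.split()
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        word = tok[i]
        if word == "quick":
            rule.quick = True
            i += 1
        elif word in ("log", "all"):
            i += 1
        elif word in ("on", "proto", "from", "to"):
            value = tok[i + 1]
            if word == "on":
                rule.iface = value
            elif word == "proto":
                rule.proto = value
            elif word == "from":
                rule.src = _addr(value)
            else:
                rule.dst = _addr(value)
            i += 2
        elif word in ("flags", "keep"):   # "flags S", "keep state", "keep frags"
            i += 2
        else:
            raise ValueError(f"unsupported keyword {word!r} in rule: {line}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst))


def decide(rule_lines, pkt: Packet, default: str = "pass") -> str:
    """Verdict ("pass"/"block") for pkt: last match wins, "quick" stops the scan."""
    verdict = default
    for rule in map(parse_rule, rule_lines):
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# J.D.'s ruleset as quoted in the thread (comments dropped).
ORIGINAL_RULES = [
    "pass in quick on bge0 all keep state keep frags",
    "pass out quick on bge0 all keep state keep frags",
    "pass out quick on tun0 proto tcp all flags S keep state keep frags",
    "pass out quick on tun0 proto udp all keep state keep frags",
    "pass out quick on tun0 proto icmp all keep state keep frags",
]
# Giorgos's suggestion: explicit block rules plus the two 127.0.0.1 lo0 rules.
SUGGESTED_RULES = [
    "block in log from any to any",
    "block out log from any to any",
    "pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32",
    "pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32",
] + ORIGINAL_RULES
# Assumption of this example (not from the thread): pass everything on lo0.
LO0_ALL_RULES = SUGGESTED_RULES[:2] + [
    "pass in quick on lo0 all",
    "pass out quick on lo0 all",
] + ORIGINAL_RULES


def loopback_decisions(rule_lines, default: str = "pass") -> dict:
    """Verdicts for TCP connections from the host to itself.

    FreeBSD routes both a connection to 127.0.0.1 and a connection to one of
    the host's own interface addresses (10.43.82.174 on bge0 in the thread)
    over lo0, and ipf sees each packet once "out" and once "in" on lo0.
    """
    verdicts = {}
    for addr in ("127.0.0.1", "10.43.82.174"):
        for direction in ("out", "in"):
            pkt = Packet(direction, "lo0", "tcp", addr, addr)
            verdicts[f"{addr} {direction}"] = decide(rule_lines, pkt, default)
    return verdicts


if __name__ == "__main__":
    print("original rules, IPFILTER_DEFAULT_BLOCK kernel:",
          loopback_decisions(ORIGINAL_RULES, default="block"))
    print("suggested rules, stock kernel:", loopback_decisions(SUGGESTED_RULES))
    print("'pass ... on lo0 all', stock kernel:", loopback_decisions(LO0_ALL_RULES))
    wan = Packet("in", "tun0", "tcp", "198.51.100.7", "10.43.82.174")  # constructed
    print("unsolicited inbound on tun0, suggested rules:", decide(SUGGESTED_RULES, wan))
```

Running it shows the two halves of the thread: with the original rules and a default-block kernel every lo0 packet falls through to "block", which is the "destination unreachable" J.D. saw; with the suggested rules on a stock kernel the 127.0.0.1 self-connection passes, while a connection to the host's own 10.43.82.174 still ends at the non-quick block rules. The real ipf also tracks state and fragments, which this model leaves out, so it is a reasoning aid rather than a substitute for testing the ruleset on the machine.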