From: "Valeri Galtsev"
To: freebsd-questions@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu
Date: Fri, 28 Feb 2014 13:07:41 -0600 (CST)
Subject: FreeBSD 10.0 ipfilter problem?

Dear All,

After upgrading the first machine from FreeBSD 9.2-RELEASE to 10.0 I had a strange problem with ipfilter. Well, I actually did a fresh install, and the only thing the "upgrade" is related to is this: I took the /etc/ipf.rules that worked nicely on the same machine under FreeBSD 9.2-RELEASE, without changing it, and put it on 10.0 (and enabled ipfilter as usual).

The problem manifested itself in ipfilter dropping the majority of packets as "bad", which in the case of scp (even an outgoing one) led to the connection stalling at about 500 kB of data passed...

A quick glance at the relevant variables:

    sysctl -a | grep ipf

revealed that I don't see the majority of them, including two that I'm used to tweaking on busy boxes (I'm actually changing them in /usr/src/sys/contrib/ipfilter/netinet/ip_state.h):

    net.inet.ipf.fr_statesize: 65536
    net.inet.ipf.fr_statemax: 65536

I tried to search and didn't find anybody mentioning my problem. (Somebody, please, teach me to search for something in all FreeBSD mailing list archives!)

So, finally I decided to make just a quick and dirty fix: I replaced /usr/src/sys/contrib/ipfilter and /usr/src/sys/modules/ipfilter with the ones from FreeBSD 9.2-RELEASE, recompiled the kernel, rebooted, and that fixed my problem.

I hope this helps someone, but more importantly, I do have a question: is this just me doing something wrong so that ipfilter stopped working for me on 10.0, or is this something that has to be fixed? Whom do we ask to fix ipfilter on FreeBSD 10.0?

Thanks.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++