Date: Wed, 4 Jul 2001 12:29:40 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: questions@FreeBSD.ORG
Subject: Re: ipf -y 'ing using user ppp
Message-ID: <20010704122940.A696@blossom.cjclark.org>
In-Reply-To: <20010704122746.A2642@moo.holy.cow>; from parv_@yahoo.com on Wed, Jul 04, 2001 at 12:27:46PM -0400
References: <PAELLGOEIMDLEJNEBOBOCEIACBAA.wyldephyre2@yahoo.com> <20010704032241.A1895@moo.holy.cow> <20010704012400.H1476@blossom.cjclark.org> <20010704122746.A2642@moo.holy.cow>

On Wed, Jul 04, 2001 at 12:27:46PM -0400, parv wrote:
> so, Crist J. Clark shared this in my lifetime...
[snip]
> > That said, once I run ppp(8) once, I can bring the tun(4) interface up
> > and down as much as I wish and I never need to touch ipf(8) or
> > ipnat(8) again. No need for the '-y' option.
>
> well, i have to do syncing once after reboot. after then, i can play
> w/ ppp, ifconfig, ipf as much i want w/o resyncing.
>
> just curious, are your ipf rules "default block" type? or, do you
> first block all the traffic (going in or out), then selectively let
> the traffic pass?

Default block. My whole ruleset,

  # Pass everything out of tun0
  block out all
  pass out quick on lo0 all
  pass out quick on dc0 all
  pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
  pass out quick on tun0 proto udp all keep state keep frags
  pass out quick on tun0 proto icmp all keep state keep frags
  pass out quick on tun0 all

  # Pass lo0 and dc0, block the rest
  block in log all
  pass in quick on lo0 all
  pass in quick on dc0 all

  # These are noisy, but harmless
  block in quick on tun0 proto igmp from any to 224.0.0.1

> as i stated earlier, when the ipf rules weren't "default block", ppp
> was making connection, but not afterwards ... not w/o a "ipf -y".
> so, if your rules are not "default block", you may not have to
> do the syncing.

Default block. Always default block. IIRC, the problem was more with
ipnat(8) than ipf(8).
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
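
The ruleset from the message above, run through a small evaluator to show how its leading "block out all" and "block in log all" lines produce the default-block behaviour. This is an added example, not part of the original message: the function names are hypothetical, the sample packets are constructed, and the model is simplified (no state tables, TCP flags or fragments).

```python
# Added example: simplified model of ipf(8) rule evaluation. The last matching
# rule decides, unless a matching rule has "quick", which stops the search.
# Assumption: state tables, TCP flags and fragments are not modelled.

RULESET = """\
block out all
pass out quick on lo0 all
pass out quick on dc0 all
pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
pass out quick on tun0 all
block in log all
pass in quick on lo0 all
pass in quick on dc0 all
block in quick on tun0 proto igmp from any to 224.0.0.1
"""

def parse_rule(line):
    """Parse the subset of ipf syntax used in the ruleset above."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "text": line,
            "log": "log" in tok[2:4], "quick": "quick" in tok[2:5]}
    for key, word in (("iface", "on"), ("proto", "proto"), ("dst", "to")):
        rule[key] = tok[tok.index(word) + 1] if word in tok else None
    return rule

def evaluate(rules, direction, iface, proto, dst, default="pass"):
    """Return (action, logged, deciding rule text) for one packet.
    default="pass" models a kernel built without IPFILTER_DEFAULT_BLOCK."""
    verdict = (default, False, None)
    for r in rules:
        if r["dir"] != direction:
            continue
        fields = (("iface", iface), ("proto", proto), ("dst", dst))
        if any(r[k] not in (None, v) for k, v in fields):
            continue
        verdict = (r["action"], r["log"], r["text"])
        if r["quick"]:
            break
    return verdict

RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed sample packets: (direction, interface, protocol, destination)
    for pkt in [("in", "tun0", "tcp", "192.0.2.10"),
                ("in", "tun0", "igmp", "224.0.0.1"),
                ("out", "tun0", "udp", "198.51.100.53")]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Inbound IGMP to 224.0.0.1 on tun0 first matches "block in log all", but the later quick rule decides it, so it is dropped without a log entry; other unsolicited inbound traffic on tun0 is dropped and logged.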