Date: Thu, 22 Jan 2015 10:10:46 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: Ernie Luzar <luzar722@gmail.com>
Cc: Shane Ambler <freebsd@shaneware.biz>, User Questions <freebsd-questions@freebsd.org>, galtsev@kicp.uchicago.edu
Subject: Re: IPFilter & FreeBSD-10.1
Message-ID: <CAAdA2WP4Yh0xUFXTAchD0LgkM-d0SsCo7H-8HLNoyT=Sv3k+rQ@mail.gmail.com>
In-Reply-To: <54C0510C.8070408@gmail.com>
References: <CAAdA2WMudfd0J9RP_3UL+EMC8Vh3Crks8c-6U5f7AQMBSR0XJQ@mail.gmail.com>
 <CAOc73CCsrnqskLJKFbQH2W-EYH7yi=AXiSKw8jLYz0O35spJ5g@mail.gmail.com>
 <CAAdA2WOeiEv2opf4ZMDAf=LvC5TUCbC8+AeE0ecf7Ac+=jQ1-w@mail.gmail.com>
 <54BF7050.90605@ShaneWare.Biz>
 <CAAdA2WPr4jjdS3MiuNkuG2JQCA_LAaSndhe=cRxiSHVf9o_yRw@mail.gmail.com>
 <51264.128.135.70.2.1421883154.squirrel@cosmo.uchicago.edu>
 <54C0510C.8070408@gmail.com>
On 22 January 2015 at 04:23, Ernie Luzar <luzar722@gmail.com> wrote:

> Valeri Galtsev wrote:
>
>> On Wed, January 21, 2015 3:29 am, Odhiambo Washington wrote:
>>
>>> Hi Shane,
>>>
>>> Where is the new syntax documented? Or do I just have to 'man ipf'? I'd love
>>> to see a web discussion about it, which I obviously missed.
>>>
>>> Is there a sort of rule converter? :-)
>>>
>>> Thank you for mentioning this syntax thing. Must be the one that was biting
>>> me on 10.1
>>>
>>> On 21 January 2015 at 12:24, Shane Ambler <FreeBSD@shaneware.biz> wrote:
>>>
>>>> On 21/01/2015 16:15, Odhiambo Washington wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> Thanks for this. I actually read this bit of it having been updated to
>>>>> version 5.1.2 in FreeBSD 10.0.
>>>>>
>>>>> However, my problem emanated from the fact that rules that I use on
>>>>> FreeBSD-8.4/9.3 simply could not work on 10.1
>>>>>
>>>>> I simply carried the rules over, and did not compile a custom kernel on
>>>>> 10.1. I was believing that the module would be automatically loaded and
>>>>> rules would work. They didn't! Only 'ipf -D' would let connections be
>>>>> made from LAN PCs to my gateway PC..
>>>>>
>>>>> I read a post in which someone had to copy the sources from 9.x to 10.x and
>>>>> recompile in order to get it to work with the rules from 9.x
>>>>
>>>> The update from 4.1.28->5.1.2 may include changes that require
>>>> adjusting old rules to the new syntax.
>>>>
>>>> While going back to an older version can get your old settings to work
>>>> again it also removes any security fixes from the update. Updating your
>>>> ruleset would be a better solution.
>>>>
>>>> --
>>>> FreeBSD - the place to B...Software Developing
>>>>
>>>> Shane Ambler
>>>
>> I wonder if anyone knows the URL of the official website of ipfilter. Both project
>> info on sourceforge (http://sourceforge.net/projects/ipfilter/) and the
>> wikipedia page (https://en.wikipedia.org/wiki/IPFilter) point at a place
>> which apparently doesn't exist, so you end up getting just the front page of
>> the university: http://asiapacific.anu.edu.au/ ...
>>
>> One does want to read the documentation to be able to keep using ipfilter
>> on FreeBSD 10.x (as one did on FreeBSD 9.x in the past). And with syntax
>> changed, one does have to read Documentation (and here the brilliant FreeBSD
>> documentation seems to be outdated...)
>>
>> Thanks a lot for your answers!
>>
>> Valeri
>
> I moved my 8 production machines from 9.2 to 10.1 and my 9.2 IPFilter rules
> worked just fine on 10.1. It also has a private LAN and users can reach the
> public network.
> Matter of fact I have been using the same IPF rules since version 3.4.
>
> I find it hard to believe that as popular as IPFilter is no one else has
> voiced any problems about it.
> Your problem is a major show stopper and should be affecting ALL IPFilter
> users if it was an IPF software or 10.1 bug.
>
> IPFilter does not have any syntax changes. I pretty much use the IPF rule
> set as shown in the handbook.
> On the other hand PF does have major syntax differences between the old
> back version FreeBSD is running and the current version the openbsd
> documentation shows. Maybe PF-IPF is what the previous poster was confused over.
>
> Rest assured, IPFilter does work on 10.1. Something changed on your system.
> Check all the basic IPF config files.
> LAN not reaching the public network may mean your ipf.nat file is missing or
> coded wrong.

The same rules which refused to work on 10.1 are working on 9.3. All I had to
change were the interface names and the IP subnets. Trust me, I verified and
ensured that I did not mix up the names. If you want, I am willing to give
someone access to my box to try and get this to work.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
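Added example, not from this thread or from the IPFilter project: a POSIX sh script for the checks the replies above point at when a ruleset is carried from one FreeBSD box to another. Whatever the truth about 4.1.28 vs. 5.1.2 syntax, a dry-run parse of the copied file under the installed ipf settles whether it is accepted; the script also confirms the NAT file exists (Ernie's point about LAN hosts not reaching the public network) and that every interface the rules name exists on the host (the one thing Odhiambo says he had to change). It assumes the FreeBSD default paths /etc/ipf.rules and /etc/ipnat.rules unless arguments are given, that `ipf -n -f` and `ipnat -n -f` parse a file without touching kernel state as ipf(8)/ipnat(8) describe, and `ifconfig -l` for the interface list; the ruleset at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an IPFilter ruleset that
# was copied from another FreeBSD host.
# Assumptions: default paths /etc/ipf.rules and /etc/ipnat.rules; ipf/ipnat
# "-n" is a dry-run parse; "ifconfig -l" lists this host's interfaces.

# Print every interface name the given files refer to: "on <ifname>" in
# filter rules, "map|rdr|bimap <ifname> ..." in NAT rules. Comments and
# blank lines are skipped; output is de-duplicated and sorted.
rules_ifaces() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "map" || $1 == "rdr" || $1 == "bimap" { print $2; next }
        { for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }
    ' "$@" | sort -u
}

# missing_ifaces "IF1 IF2 ..." FILE... : print the names used in FILE...
# that are absent from the space-separated list (normally `ifconfig -l`).
missing_ifaces() {
    have=" $1 "
    shift
    for name in $(rules_ifaces "$@"); do
        case "$have" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# check_ruleset [RULES] [NAT]: run on the gateway itself. Returns 0 when
# both files parse and every interface they name exists on this host,
# 1 on a ruleset problem, 2 when the ipf userland is not even present.
check_ruleset() {
    rules="${1:-/etc/ipf.rules}"
    nat="${2:-/etc/ipnat.rules}"
    if ! command -v ipf >/dev/null 2>&1; then
        echo "ipf(8) not found; is ipl.ko loaded? try: kldstat | grep ipl" >&2
        return 2
    fi
    # First line is the userland version; the following lines report the
    # kernel side, so a mismatch between the two shows up right here.
    ipf -V
    ipf -n -f "$rules" || { echo "filter rules do not parse: $rules" >&2; return 1; }
    if [ -f "$nat" ]; then
        ipnat -n -f "$nat" || { echo "NAT rules do not parse: $nat" >&2; return 1; }
    else
        echo "no NAT file at $nat: LAN hosts will not reach the public network" >&2
        return 1
    fi
    bad=$(missing_ifaces "$(ifconfig -l)" "$rules" "$nat")
    if [ -n "$bad" ]; then
        echo "rules name interfaces this host does not have:" $bad >&2
        return 1
    fi
    echo "ruleset OK: $rules $nat"
}

# Constructed sample: rules written for a box with em0/em1, checked against
# a host that only has re0 and lo0 (the offline part of the check).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# filter and NAT lines carried over from the 9.3 box (one file for brevity)
pass in quick on em0 proto tcp from 192.168.1.0/24 to any keep state
block in quick on em1 all
map em1 192.168.1.0/24 -> 0/32
EOF
missing_ifaces "re0 lo0" "$sample"     # prints em0 and em1
rm -f "$sample"
```

On the gateway, run `check_ruleset /etc/ipf.rules /etc/ipnat.rules` as root after loading the module; if it reports `ruleset OK` yet traffic still only flows after `ipf -D`, the rules parse fine and the problem is in their logic rather than their syntax, which is where `ipfstat -hio` and `ipnat -l` come in.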
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAdA2WP4Yh0xUFXTAchD0LgkM-d0SsCo7H-8HLNoyT=Sv3k%2BrQ>