Date: Wed, 29 Mar 2006 14:06:33 +0200
From: B H <bernt@bah.homeip.net>
To: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@freebsd.org>
Subject: Re: IP Filter problems on 4.11-STABLE
Message-ID: <442A7849.3060201@bah.homeip.net>
In-Reply-To: <442A5D8A.1020708@locolomo.org>
References: <442A4E14.6090204@bah.homeip.net> <442A5D8A.1020708@locolomo.org>
Erik Norgaard wrote:
> B H wrote:
>
>> Now IPFilter does not work or is VERY slow; ssh, web and mail time out.
>>
>> NAT is working like it should.
>>
>> # dmesg | grep 'IP Filter'
>> IP Filter: v3.4.35 initialized. Default = pass all, Logging = enabled
>>
>> ipf.rules looks like this:
>>
>> # Let clients behind the firewall send out to the internet, and replies to
>> # come back in by keeping state.
>> pass out quick on fxp0 proto tcp all keep state
>> pass out quick on fxp0 proto udp all keep state
>> pass out quick on fxp0 proto icmp all keep state
>>
>> # Since nothing should be coming from these address ranges, block them
>> block in log quick on fxp0 from 82.182.0.0/16 to any
>> block in quick on fxp0 from 192.168.0.0/16 to any
>> block in quick on fxp0 from 172.16.0.0/12 to any
>> block in quick on fxp0 from 10.0.0.0/8 to any
>> block in quick on fxp0 from 127.0.0.0/8 to any
>> block in quick on fxp0 from 192.0.2.0/24 to any
>> block in log quick on fxp0 from any to 10.0.0.0/32
>> block in log quick on fxp0 from any to 10.0.0.255/32
>
>
> 1st: the last two rules have no effect at all, packets are caught in the
> 4th in-rule.

Yes, I see that now.

> You have nat?

Yes, and it's working.

> are you routing traffic?

Yes.

> what is your network config (ifconfig)?

# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::210:a7ff:fe0e:2ad9%rl0 prefixlen 64 scopeid 0x1
        ether 00:10:a7:0e:2a:d9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 fe80::230:6eff:fe06:6990%fxp0 prefixlen 64 scopeid 0x2
        ether 00:30:6e:06:69:90
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

> from where to where are you trying to connect,

From the outside and in.

> Have you tried to sniff on the interface to see what traffic is
> coming in and going out?

No.

> ipfilter not working is good (I mean it is easier to track down),
> ipfilter being slow is really difficult to debug.
>
> Erik

BH
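To see how rule order and the quick keyword decide a packet's fate under the ruleset quoted above, here is an added Python model of ipf's evaluation order (example code written for this page, not from the thread or from IP Filter itself; the sample packets are constructed and the default policy is taken from the dmesg line in the thread):

```python
# Toy model of IP Filter rule evaluation: rules are tried in order, the last
# match wins unless a matching rule says 'quick' (stop immediately); with no
# match the default applies (the box in the thread reports 'Default = pass all').
from ipaddress import ip_address, ip_network

# Ruleset quoted in the thread, comments dropped (constructed copy).
IPF_RULES = """\
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32"""

def parse_rule(line):
    """Parse the subset of ipf syntax used above into a dict."""
    w = line.split()
    after = lambda kw: w[w.index(kw) + 1] if kw in w else None
    return {"action": w[0], "dir": w[1], "log": "log" in w, "quick": "quick" in w,
            "iface": after("on"), "proto": after("proto"),
            "src": after("from") or "any", "dst": after("to") or "any"}

def matches(rule, pkt):
    """pkt: dict with dir, iface, proto, src, dst (addresses as strings)."""
    if rule["dir"] != pkt["dir"] or rule["iface"] not in (None, pkt["iface"]):
        return False
    if rule["proto"] not in (None, pkt["proto"]):
        return False
    for key in ("src", "dst"):
        if rule[key] != "any" and ip_address(pkt[key]) not in ip_network(rule[key]):
            return False
    return True

def evaluate(rules, pkt, default="pass"):
    """Return (action, 1-based number of the deciding rule or None, logged)."""
    result = (default, None, False)
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            result = (rule["action"], i, rule["log"])
            if rule["quick"]:
                break           # 'quick': first match decides, stop here
    return result

RULES = [parse_rule(l) for l in IPF_RULES.splitlines()]
```

Feeding it an inbound packet with a 10/8 source shows it stopping at the seventh rule, while an ordinary inbound SSH connection from the Internet matches nothing and falls through to the default pass, which is why the block rules alone cannot explain a slow or failing service.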
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?442A7849.3060201>