Date:      Wed, 29 Mar 2006 12:12:26 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        B H <bernt@bah.homeip.net>
Cc:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   Re: IP Filter problems on 4.11-STABLE
Message-ID:  <442A5D8A.1020708@locolomo.org>
In-Reply-To: <442A4E14.6090204@bah.homeip.net>
References:  <442A4E14.6090204@bah.homeip.net>

B H wrote:

> Now IPFilter does not work or is VERY slow; ssh, web and mail time out.
> 
> NAT is working like it should.
> 
> # dmesg | grep 'IP Filter'
> IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
> 
> ipf.rules looks like this:
> 
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on fxp0 proto tcp all keep state
> pass out quick on fxp0 proto udp all keep state
> pass out quick on fxp0 proto icmp all keep state
> 
> # Since nothing should be coming from these address ranges, block them
> block in log quick on fxp0 from 82.182.0.0/16 to any
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.0/8 to any
> block in quick on fxp0 from 192.0.2.0/24 to any
> block in log quick on fxp0 from any to 10.0.0.0/32
> block in log quick on fxp0 from any to 10.0.0.255/32

1st: the last two rules have no effect at all; packets are caught in the 
4th in-rule.

You have NAT? Are you routing traffic? What is your network config 
(ifconfig)? From where to where are you trying to connect, from the box 
and out? Have you tried to sniff on the interface to see what traffic is 
coming in and going out?

ipfilter not working is good (I mean it is easier to track down); ipfilter 
being slow is really difficult to debug.

Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
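To trace which rule a given packet stops on in the ruleset quoted above, here is a small first-match evaluator. It is an added example, not code from either poster or from the IP Filter project. The ruleset text is copied from the post; the sample packets (a 203.0.113.5 outside host, a 10.1.2.3 spoofed source, the box's own 82.182.1.2 address) are constructed. It models direction, interface, protocol, address matching, `quick` and the "Default = pass all" policy that dmesg reports, but deliberately does not model `keep state` (real ipf consults the state table before the rule list, so packets belonging to an existing session never reach these rules), `log`, ports or TCP flags.

```python
# Toy first-match evaluator for IPFilter 3.x-style rules (added example).
# Models: in/out, interface, proto, src/dst CIDR, 'quick', default pass.
# Not modelled: 'keep state' (state table is checked before the rule list
# in real ipf), 'log', ports, TCP flags.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ruleset as quoted in the post (comments stripped).
RULESET = """\
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32
"""

# Subset of ipf rule grammar used by the ruleset above ('log' precedes 'quick').
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:(?P<all>all)|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?P<state>\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    number: int            # 1-based position in the file
    action: str            # 'pass' or 'block'
    direction: str         # 'in' or 'out'
    quick: bool            # stop evaluating at this rule if it matches
    iface: str
    proto: Optional[str]   # None means any protocol
    src: str               # 'any' or a CIDR string
    dst: str


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(
            number=len(rules) + 1,
            action=m["action"],
            direction=m["dir"],
            quick=m["quick"] is not None,
            iface=m["iface"],
            proto=m["proto"],
            src="any" if m["all"] else m["src"],
            dst="any" if m["all"] else m["dst"],
        ))
    return rules


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str,
             src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number); rule_number is None when no rule
    matched and the default policy (pass all) decided."""
    verdict: Tuple[str, Optional[int]] = ("pass", None)
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if not (_addr_match(r.src, src) and _addr_match(r.dst, dst)):
            continue
        verdict = (r.action, r.number)
        if r.quick:
            break  # 'quick': first match wins; later rules are never consulted
        # Without 'quick' the last matching rule wins, so keep scanning.
    return verdict


RULES = parse_rules(RULESET)

if __name__ == "__main__":
    # Constructed sample packets on the Internet-facing interface fxp0.
    samples = [
        ("out", "fxp0", "tcp", "82.182.1.2", "203.0.113.5"),   # client going out
        ("in", "fxp0", "tcp", "10.1.2.3", "10.0.0.0"),         # spoofed 10/8 source
        ("in", "fxp0", "tcp", "203.0.113.5", "10.0.0.0"),      # outside host to inside net address
        ("in", "fxp0", "tcp", "203.0.113.5", "82.182.1.2"),    # inbound ssh to the box
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Two things the trace makes visible: a packet whose source is already inside 10.0.0.0/8 is stopped by rule 7 before rules 10 and 11 are reached, whereas a packet from an outside source addressed to 10.0.0.0 falls through to rule 10; and an inbound connection to the box itself matches nothing in this list, so it is admitted only by the default pass policy, not by a `pass in` rule.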



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?442A5D8A.1020708>