From owner-freebsd-questions@FreeBSD.ORG Wed Mar 29 10:12:31 2006
From: Erik Norgaard
Date: Wed, 29 Mar 2006 12:12:26 +0200
To: B H
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IP Filter problems on 4.11-STABLE
Message-ID: <442A5D8A.1020708@locolomo.org>
In-Reply-To: <442A4E14.6090204@bah.homeip.net>
References: <442A4E14.6090204@bah.homeip.net>
User-Agent: Thunderbird 1.5 (X11/20060118)

B H wrote:
> Now IPFilter does not work or is VERY slow; ssh, web and mail time out.
>
> NAT is working like it should.
>
> # dmesg | grep 'IP Filter'
> IP Filter: v3.4.35 initialized. Default = pass all, Logging = enabled
>
> ipf.rules looks like this:
>
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on fxp0 proto tcp all keep state
> pass out quick on fxp0 proto udp all keep state
> pass out quick on fxp0 proto icmp all keep state
>
> # Since nothing should be coming from these address ranges, block them
> block in log quick on fxp0 from 82.182.0.0/16 to any
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.0/8 to any
> block in quick on fxp0 from 192.0.2.0/24 to any
> block in log quick on fxp0 from any to 10.0.0.0/32
> block in log quick on fxp0 from any to 10.0.0.255/32

1st: the last two rules have no effect at all; packets are caught in the 4th in-rule.

You have NAT? Are you routing traffic? What is your network config (ifconfig)? From where to where are you trying to connect, from the box and out?

Have you tried to sniff on the interface to see what traffic is coming in and going out?

ipfilter not working is good (I mean it is easier to track down); ipfilter being slow is really difficult to debug.

Erik

-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9