From owner-freebsd-questions Thu May 24 16:40: 9 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from femail4.rdc1.on.home.com (femail4.rdc1.on.home.com [24.2.9.91]) by hub.freebsd.org (Postfix) with ESMTP id 706DD37B423 for ; Thu, 24 May 2001 16:40:04 -0700 (PDT) (envelope-from jdugan21@home.com)
Received: from home.com ([24.150.168.25]) by femail4.rdc1.on.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010524234004.MMNT19749.femail4.rdc1.on.home.com@home.com> for ; Thu, 24 May 2001 16:40:04 -0700
Message-ID: <3B0D9C40.2763825B@home.com>
Date: Thu, 24 May 2001 19:41:52 -0400
From: Jeff Dugan
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.org
Subject: IPFilter Troubles
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm having some troubles with the IPFILTER_DEFAULT_BLOCK kernel option.
When I try to ping either internal (ed0) or external (xl0) hostnames, I get.....

# ping myhost
PING myhost.mynet.org (192.168.24.1): 56 data bytes
ping: sendto: No route to host. (x3)
^C
--- myhost.mynet.org ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

If I ping extHost....same result.
If I ping anything else,...it works fine !

When I compile my kernel without IPFILTER_DEFAULT_BLOCK, the problem is solved (obviously).

Since it is far better to deny-first open-later than it is to open-first deny-later, I am in need of assistance.

I initially thought that this was a problem with my rules, so I tried opening everything, that did not work. I've tried soooo many combinations it's not even funny! I tried modifying the ipnat mapping,... I sent my rules (ipf & ipnat) to a colleague running IPF,..they work great on his system.
That colleague suggested running router="routed" router_flags="-s" router_enabled="YES", but this did not solve the prob,.... Another suggested using the < option BRIDGE and option IPSTEALTH > in the kernel, but that didn't work....

Any suggestions ?

________________________
jeff dugan