Date: Fri, 17 Jun 2005 11:37:15 -0400 From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "DH" <dhutch9999@yahoo.com>, <freebsd-questions@freebsd.org> Subject: RE: Vexing IPF problem Message-ID: <MIEPLLIBMLEEABPDBIEGCEBDHHAA.fbsd_user@a1poweruser.com> In-Reply-To: <20050617151245.75132.qmail@web33103.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
1. Best thing is scrap your firewall rules and use the IPF rules listed in the firewall/ipfilter section of the official handbook. 2. There are a lot of spoof packets using port 80 on the public internet and that may be what you are seeing. -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of DH Sent: Friday, June 17, 2005 11:13 AM To: freebsd-questions@freebsd.org Subject: Vexing IPF problem I'm having a problem with IPF blocking packets that appear should be let through. I've sent quite a bit of time going through the Handbook, man pages, etc & I must be missing something so any help is greatly appriciated. uname -a freebsd 4.11-release #0 SMP kernel, dual PIII processor, 512 MB ECC RAM, SCSI HDs execerpt from rule set: Kernel compiled with "default allow" until I finish getting the ruleset rewritten. Rule #1 block in log from any to any pass in quick on lo0 pass out quick on lo0 block in log quick on fxp0 from any to any with ipopts block in log quick proto tcp from any to any with short ... pass in log first proto tcp from any to any port = 80 flags S keep state pass in log first proto tcp from any port = 80 to any flags S keep state pass out log first proto tcp from any to any port = 80 flags S keep state netstat -m = 129/576/16384 9% of mb_map in use Proxy Server - Squid 2.5.stable10 The behavior I'm seeing is out going connections to websites on port 80 are being passed but the in bound traffic is being blocked. The ipflog entries look like this: my ip = s theirs = d @0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT @0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN Thanks in advance to those giving their time to lend a hand, I know you time is valuable. Please CC my address in your reply. David Hutchens III Network Technician --------------------------------- Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy Football _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGCEBDHHAA.fbsd_user>