Date:      Fri, 17 Jun 2005 16:38:23 +0100 (BST)
From:      John Conner <johnc2kk@yahoo.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: Vexing IPF problem
Message-ID:  <20050617153823.18974.qmail@web26905.mail.ukl.yahoo.com>
In-Reply-To: <20050617151245.75132.qmail@web33103.mail.mud.yahoo.com>

Hello David,

I'm not an expert on IPF, but on first inspection it would
look like the problem is in your first fxp0 rule:

block in log quick on fxp0 from any to any with ipopts

To the best of my knowledge when quick is added the
firewall does not look at any of the other rules. If
this is the case having quick in the above rule would
cause the firewall to block every incoming packet.
Hope this helps

John

--- DH <dhutch9999@yahoo.com> wrote:

> I'm having a problem with IPF blocking packets that
> it appears should be let through.
>  
> I've spent quite a bit of time going through the
> Handbook, man pages, etc. & I must be missing
> something, so any help is greatly appreciated.
>  
> uname -a freebsd 4.11-release #0
>  
> SMP kernel, dual PIII processor, 512 MB ECC RAM,
> SCSI HDs
>  
> excerpt from rule set:
>  
> Kernel compiled with "default allow" until I finish
> getting the ruleset rewritten.
>  
> Rule #1 block in log from any to any
>  
> pass in quick on lo0
> pass out quick on lo0
>  
> block in log quick on fxp0 from any to any with ipopts
> block in log quick proto tcp from any to any with short
> ...
> pass in log first proto tcp from any to any port = 80 flags S keep state
> pass in log first proto tcp from any port = 80 to any flags S keep state
> pass out log first proto tcp from any to any port = 80 flags S keep state
>  
>  
> netstat -m = 129/576/16384
> 9% of mb_map in use
>  
> Proxy Server - Squid 2.5.stable10
>  
>  
> The behavior I'm seeing is out going connections to
> websites on port 80 are being passed
> but the in bound traffic is being blocked.  The
> ipflog entries look like this:
>  
>  
> my ip = s   theirs = d
>  
> @0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT
>  
> @0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN
>  
>  
>   
> Thanks in advance to those giving their time to lend
> a hand, I know your time is valuable.
>  
> Please CC my address in your reply.
>  
> David Hutchens III
> Network Technician
>  
>  
>  
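As an added example (not part of this thread or of IPF itself), a small parser for ipmon log lines in the layout quoted above. It counts blocked packets per rule and flags inbound blocks whose address/port tuple is the reverse of an earlier outbound pass logged with keep state, which is exactly the pair of entries David posted. The regex assumes only the field layout shown here; the sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
# Constructed sample in the layout quoted in the thread (RFC 5737 addresses
# replace the s.s.s.s / d.d.d.d placeholders).
SAMPLE_LOG = """\
@0:390 p 192.0.2.10,3601 -> 198.51.100.7,80 PR tcp len 20 60 -S K-S OUT
@0:1 b 198.51.100.7,80 -> 192.0.2.10,3601 PR tcp len 20 43 -AR IN
@0:1 b 203.0.113.5,4444 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
@0:390 p 192.0.2.10,3602 -> 198.51.100.8,80 PR tcp len 20 60 -S K-S OUT
@0:1 b 198.51.100.8,80 -> 192.0.2.10,3602 PR tcp len 20 40 -A IN
"""
# Assumption: only this layout is handled, not every ipmon output variant:
#   @group:rule action src,sport -> dst,dport PR proto len hlen tlen [flags] [K-S] dir
LINE_RE = re.compile(
    r"^@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbnsl])\s+"
    r"(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s*"
    r"(?P<flags>-[A-Z]+)?\s*(?P<keep>K-S)?\s*(?P<dir>IN|OUT)\s*$"
)

def parse_line(line):
    """Return a dict for one ipmon line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "tlen"):
        rec[key] = int(rec[key])
    rec["keep_state"] = rec.pop("keep") is not None   # matched a 'keep state' rule
    rec["flags"] = (rec["flags"] or "-").lstrip("-")  # 'S', 'AR', or '' when absent
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def blocks_by_rule(records):
    """Blocked packets per group:rule, so a catch-all block rule stands out."""
    return Counter("%d:%d" % (r["group"], r["rule"]) for r in records if r["action"] == "b")

def orphaned_replies(records):
    """Inbound blocks that reverse an earlier outbound pass logged with keep state."""
    outbound, found = set(), []
    for r in records:
        if r["action"] == "p" and r["dir"] == "OUT" and r["keep_state"]:
            outbound.add((r["proto"], r["src"], r["sport"], r["dst"], r["dport"]))
        elif r["action"] == "b" and r["dir"] == "IN":
            if (r["proto"], r["dst"], r["dport"], r["src"], r["sport"]) in outbound:
                found.append(r)
    return found
```

Running `orphaned_replies(parse_log(SAMPLE_LOG))` returns the two inbound port-80 replies that rule 0:1 blocked, while the unsolicited SYN to port 22 is left out.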
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050617153823.18974.qmail>