From: Claus Guttesen
Date: Tue, 17 Sep 2002 09:02:16 +0200 (CEST)
Subject: Re: Problems with ipfilter 3.4.29 under -STABLE (post 31/08/2002)
To: Robin Breathe, freebsd-questions@freebsd.org
Cc: freebsd-stable@freebsd.org

Hi.

--- Robin Breathe wrote:
> Hi all,
>
> I'm interested to know if anyone is successfully running ipf/ipnat under
> -STABLE from after the merge on the 31st of August

I have installed stable 4.6.2, did a cvsup on the 8th-9th of Sept., and did a make world and make kernel on a custom kernel without ipfilter compiled into the kernel. Loaded ipfilter as a kernel module and it worked fine.

> I have found that my existing rulesets fail with the new code. ipf
> blocks everything, and ipnat doesn't do NAT. My rules are at
> http://isometry.net/freebsd/ipfilter/, and they've worked flawlessly
> with previous versions of ipfilter, in particular

Decided to compile ipfilter into the kernel and nothing appeared to work. So I removed it again from the kernel and reverted to using ipfilter as a loadable module instead. Works with NAT but does seem to have some issues related to passive ftp from our inside network out to the internet. The connection breaks after 60 secs. I have 'pass out tcp port 21 keep state' etc. in my config file, but that doesn't seem to work as intended. Tried to enable active ftp by adding the 'map ep0 0/0 -> 0/32 proxy port 21 ftp/tcp' statement to my ipnat config file. But I'm not sure whether I got it wrong or not.

> I am trying to work out whether the problem lies with the recent merge
> of ipfilter 3.4.29, or with my config. And from all the testing I've
> been able to do, the problem seems to lie with ipfilter. Other people's
> experiences with the new code would be greatly appreciated.

Can't dig too much into the ftp issue since I need to test traffic shaping (will use IPFW for that purpose) and lots of other stuff my boss wants me to do. I'll do another make world/kernel when 4.7 has been out for a week or so to see whether ftp works or not.

Cheers
Claus