From: DH <dhutch9999@yahoo.com>
To: freebsd-pf@freebsd.org
Date: Mon, 20 Jun 2005 08:27:05 -0700 (PDT)
Subject: Vexing IPF problem
Message-ID: <20050620152705.46972.qmail@web33114.mail.mud.yahoo.com>

I posted this on freebsd-questions last week & unfortunately the folks who rsvp'd did not have a solution, so I've posted to this forum. I'm having a problem with IPF blocking packets that it appears should be let through.

I've spent quite a bit of time going through the Handbook, man pages, etc. & I must be missing something, so any help is greatly appreciated.

uname -a: FreeBSD 4.11-RELEASE #0 SMP kernel, dual PIII processor, 512 MB ECC RAM, SCSI HDs

Excerpt from rule set (kernel compiled with "default allow" until I finish getting the rule set rewritten):

    Rule #1
    block in log from any to any
    pass in quick on lo0
    pass out quick on lo0
    block in log quick on fxp0 from any to any with ipopts
    block in log quick proto tcp from any to any with short
    ...
    pass in log first proto tcp from any to any port = 80 flags S keep state
    pass in log first proto tcp from any port = 80 to any flags S keep state
    pass out log first proto tcp from any to any port = 80 flags S keep state

netstat -m = 129/576/16384 9% of mb_map in use

Proxy Server - Squid 2.5.stable10

The behavior I'm seeing is outgoing connections to websites on port 80 are being passed but the inbound traffic is being blocked. The ipflog entries look like this (my ip = s, theirs = d):

    @0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT
    @0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN

Thanks in advance to those giving their time to lend a hand, I know your time is valuable. Please CC my address in your reply.

David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
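As an added example (not from the post, and not part of ipfilter itself): a small Python parser for the abbreviated ipflog line shape quoted above that pairs each blocked inbound packet with the passed outbound packet it answers, so a whole log can be scanned for the symptom described instead of eyeballing two lines. It assumes the timestamp and interface fields that ipmon normally prefixes have already been stripped, as in the quoted entries; the sample addresses are constructed.

```python
import re
from dataclasses import dataclass
# Abbreviated ipflog line shape quoted in the post (timestamp and interface
# stripped), e.g. "@0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT"
LINE = re.compile(
    r"@(?P<rule>\d+:\d+)\s+(?P<action>[pb])\s+"
    r"(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+\s+"
    r"-(?P<flags>[A-Z]+)(?P<state>\s+K-S)?\s+(?P<dir>IN|OUT)$"
)

@dataclass
class Entry:
    rule: str        # "@group:number" of the rule that matched
    action: str      # "p" = passed, "b" = blocked
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters, e.g. "S" or "AR"
    keep_state: bool # True when the packet created a state entry (K-S)
    direction: str   # "IN" or "OUT"

def parse(line):
    """Parse one ipflog line into an Entry; None if it does not match."""
    m = LINE.match(line.strip())
    return m and Entry("@" + m["rule"], m["action"], m["src"], int(m["sport"]),
                       m["dst"], int(m["dport"]), m["proto"], m["flags"],
                       m["state"] is not None, m["dir"])

def blocked_replies(lines):
    """Pair each blocked IN packet with the passed OUT packet it answers;
    a hit means state did not cover the return path (the post's symptom)."""
    passed_out, hits = {}, []
    for e in filter(None, map(parse, lines)):
        if e.direction == "OUT" and e.action == "p":
            passed_out[(e.proto, e.src, e.sport, e.dst, e.dport)] = e
        elif e.direction == "IN" and e.action == "b":
            out = passed_out.get((e.proto, e.dst, e.dport, e.src, e.sport))
            if out is not None:
                hits.append((out, e))
    return hits

# Constructed sample in the post's format (192.0.2.10 = proxy, 198.51.100.20 = web server)
SAMPLE = [
    "@0:390 p 192.0.2.10,3601 -> 198.51.100.20,80 PR tcp len 20 60 -S K-S OUT",
    "@0:1 b 198.51.100.20,80 -> 192.0.2.10,3601 PR tcp len 20 43 -AR IN",
]
```

Feeding it a full ipmon log (after trimming the leading timestamp and interface) lists every outbound connection whose reply hit the catch-all block rule.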