Date:      Mon, 06 Mar 2006 13:07:26 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Roman Serbski <mefystofel@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Help with IP Filter 4.1.8
Message-ID:  <440C25FE.6050401@locolomo.org>
In-Reply-To: <cca5083b0602271945q5ef76163m5712a386e3eb3008@mail.gmail.com>
References:  <cca5083b0602260715w2f4a9e49o494f2f537afca2db@mail.gmail.com> <4402232A.8010908@locolomo.org> <cca5083b0602270548s4147d332v5df89fdb9a0b7ccd@mail.gmail.com> <44031DC4.6060804@locolomo.org> <cca5083b0602271945q5ef76163m5712a386e3eb3008@mail.gmail.com>

Roman Serbski wrote:

> My ruleset consists of only 6 rules:
> 
> pass out quick on lo0 from any to any
> pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> pass out quick on xl0 proto udp from any to any port = domain keep state
> block out log quick on xl0 all
> pass in quick on lo0 from any to any
> block in quick on xl0 all

Your rules look ok, this is a strange problem.

> The rule # 2 which was blocking reply from DNS server is 'block in
> quick on xl0 all'.
> 
> Adding 'log' keyword to the rule allowing outgoing 53/udp gives the following:
> 
> xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT
> 
> So outgoing 53/udp was successfully passed through, but incoming reply
> was blocked again:
> 
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad
> 
> Yes, I also tried another DNS server - same results.

ok

> I think this is more of an ipf issue, so I'll try to ask for assistance in
> the ipf mailing list, I was just thinking if someone else has faced
> a similar problem during upgrade from ipf v3.4.35 to v4.1.8.

Ok, here are some things to try:

1) Other udp services, are responses also blocked? You can for example 
try ntp. If so, then it is likely a bug in ip-filter.

else,

2) Try using snort or tcpdump to capture the blocked packet and analyse 
if it is malformed. Possibly include such a packet with your next post.

else

3) Try to see if you can upgrade to a newer ipfilter; the latest is v4.1.10.

Cheers, Erik

-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


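Erik's step 2 is to capture and inspect the blocked reply. As an added example (not code from this thread or from the ipfilter project), here is a small parser for the ipmon log lines quoted above that pairs a state-creating outbound packet with the later blocked inbound packet of the reversed 5-tuple and reports why the reply never matched the state entry. The field layout is inferred from the two quoted lines; reading the trailing "bad" tag as ipf's packet sanity-check flag, and the RFC 5737 sample addresses, are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Layout of an ipmon(8) line as quoted in the thread (a timestamp prefix may precede it):
#   <if> @<group>:<rule> <p|b> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <tl> [K-S] IN|OUT [bad]
LINE_RE = re.compile(
    r"(?P<ifname>\S+) @(?P<rule>\d+:\d+) (?P<action>[pb]) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?P<flags>(?: \S+)*?) (?P<direction>IN|OUT)(?P<bad> bad)?\s*$"
)

def parse_line(line: str) -> Optional[Dict]:
    """Parse one ipmon line into a dict (None if the line is in another format).
    keep_state = ipmon's K-S flag; bad = the tag assumed to mean ipf's sanity check failed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "hlen", "tlen"):
        e[k] = int(e[k])
    e["keep_state"] = "K-S" in e.pop("flags").split()
    e["bad"] = e["bad"] is not None
    return e

def find_dropped_replies(lines: List[str]) -> List[Tuple[Dict, Dict, str]]:
    """Pair each passed, state-creating OUT packet with a later blocked IN packet of the
    reversed 5-tuple (a reply the state entry should have admitted). Returns (req, reply, reason)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    for i, req in enumerate(entries):
        if not (req["direction"] == "OUT" and req["action"] == "p" and req["keep_state"]):
            continue
        for rep in entries[i + 1:]:
            if (rep["direction"], rep["action"], rep["proto"], rep["src"], rep["sport"],
                    rep["dst"], rep["dport"]) == ("IN", "b", req["proto"], req["dst"],
                                                  req["dport"], req["src"], req["sport"]):
                reason = ("reply tagged 'bad': rejected by ipf's packet sanity check before any "
                          "state lookup; capture it with tcpdump and inspect the headers"
                          if rep["bad"] else "reply not matched against the state entry")
                findings.append((req, rep, reason))
    return findings

# Constructed sample mirroring the two log lines in the thread (RFC 5737 test addresses,
# not the poster's): the DNS query passed by rule 0:3 and its reply blocked by rule 0:2.
SAMPLE = [
    "xl0 @0:3 p 192.0.2.10,50359 -> 198.51.100.53,53 PR udp len 20 57 K-S OUT",
    "xl0 @0:2 b 198.51.100.53,53 -> 192.0.2.10,50359 PR udp len 20 298 IN bad",
]
```

Running `find_dropped_replies` over a full ipmon log (one line per list element) reports every blocked reply to a state-creating request, so step 1 (are other UDP replies also dropped?) can be answered from the log before capturing packets.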

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?440C25FE.6050401>