Date:      Sun, 5 May 2002 18:46:30 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Michael Riexinger <mailinglists@grindking.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: ipfilter problem
Message-ID:  <20020505184630.A76286@mail.webmonster.de>
In-Reply-To: <20020505133204.GA667@grind.grind.dom>; from mailinglists@grindking.de on Sun, May 05, 2002 at 03:32:04PM +0200
References:  <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom>



Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000:
> On Sun May  5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > the problem can only be analyzed efficiently if you show us the rest of
> > the ruleset. anything else is pure guesswork, based on assumptions about
> > your ipf configuration.
> >
> > regards,
> > /k
> Ok, here they are. But I wonder why it worked without problems with
> previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> states to the newsserver.
> (tcp4       0      0  dialin-212-144-1.49368 news.fu-berlin.d.nntp
> FIN_WAIT_1)
>
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass in quick on ed0 all
> pass out quick on ed0 all
>
> pass out quick on isp0 proto tcp/udp from any to any keep state

pass out quick on isp0 proto tcp from any to any flags S/SA keep state
pass out quick on isp0 proto udp from any to any keep state

instead of the above one line, this should work. if it doesn't, then give me a
slap on the head; i'm still a bit drunk from yesterday ;-)

> pass out quick on isp0 proto icmp from any to any keep state
>
> pass in quick on isp0 proto tcp from any to any port = 80
> pass in quick on isp0 proto tcp from any to any port = 60000
>
> block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from
> any to any
> block return-rst in log quick on isp0 proto tcp from any to any
> block return-icmp(port-unr) in log quick on isp0 proto udp from any to
> any
>

'ipfstat -s' on your box will tell you about state statistics.

when you reload your rule set for testing, you should invoke it like
'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old
state table.

'ipfstat -t' gives you a "top" style display of current states, so you
can check them in real time.

regards,
/k

-- 
> MCSE: Minesweeper Consultant & Solitaire Engineer
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C  5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

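As an added example, not part of the thread above, here is a small shell check for an ipf rule file that reports TCP "keep state" rules lacking "flags S/SA", i.e. the one-line tcp/udp rule the reply suggests splitting. The sample rule file, its path and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an ipf rule file for TCP
# rules that keep state on any packet instead of only on the initial SYN.
# Without "flags S/SA", ipf may build a state entry from a mid-stream packet,
# which is why the reply splits the tcp/udp rule into a SYN-only tcp rule and
# a plain udp rule. File path and rules below are constructed for the demo.

SAMPLE_RULES="${TMPDIR:-/tmp}/ipf-rules-demo.$$"

write_sample_rules() {
    cat > "$SAMPLE_RULES" <<'EOF'
# constructed demo ruleset, modelled on the one quoted in the thread
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on isp0 proto tcp/udp from any to any keep state
pass out quick on isp0 proto icmp from any to any keep state
pass in quick on isp0 proto tcp from any to any port = 80
block return-rst in log quick on isp0 proto tcp from any to any
# the corrected form suggested in the reply
pass out quick on isp0 proto tcp from any to any flags S/SA keep state
pass out quick on isp0 proto udp from any to any keep state
EOF
}

# Print each TCP rule that keeps state without "flags S/SA" (the "proto tcp"
# match also covers "proto tcp/udp"); exit 1 if any were found, else 0.
check_ipf_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        /keep state/ && /proto tcp/ && !/flags S\/SA/ {
            printf "line %d: %s\n", NR, $0
            found = 1
        }
        END { exit found }
    ' "$1"
}

# Number of offending rules as a bare integer; always exits 0.
count_bad_rules() {
    check_ipf_rules "$1" | wc -l | tr -d ' '
}

write_sample_rules
if check_ipf_rules "$SAMPLE_RULES"; then
    echo "no TCP keep-state rules without flags S/SA"
else
    echo "fix the rules above: add 'flags S/SA' or split tcp/udp into two rules"
fi
rm -f "$SAMPLE_RULES"
```

Run it against your own ipf.rules by passing the path to check_ipf_rules instead of the constructed sample; only the demo file line 4 (the tcp/udp keep state rule) is reported.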
