From owner-freebsd-questions@FreeBSD.ORG Thu Jan 22 01:23:23 2015
Message-ID: <54C0510C.8070408@gmail.com>
Date: Thu, 22 Jan 2015 09:23:24 +0800
From: Ernie Luzar
To: galtsev@kicp.uchicago.edu
Subject: Re: IPFilter & FreeBSD-10.1
References: <54BF7050.90605@ShaneWare.Biz> <51264.128.135.70.2.1421883154.squirrel@cosmo.uchicago.edu>
In-Reply-To: <51264.128.135.70.2.1421883154.squirrel@cosmo.uchicago.edu>
Cc: Odhiambo Washington, User Questions, Luzar, Shane Ambler

Valeri Galtsev wrote:
> On Wed, January 21, 2015 3:29 am, Odhiambo Washington wrote:
>
>> Hi Shane,
>>
>> Where is the new syntax documented? Or do I just have to 'man ipf'? I'd love
>> to see a web discussion about it, which I obviously missed.
>>
>> Is there a sort of rule converter? :-)
>>
>> Thank you for mentioning this syntax thing. Must be the one that was
>> biting me on 10.1
>>
>> On 21 January 2015 at 12:24, Shane Ambler wrote:
>>
>>> On 21/01/2015 16:15, Odhiambo Washington wrote:
>>>
>>>> Hi Ben,
>>>>
>>>> Thanks for this. I actually read this bit of it having been updated to
>>>> version 5.1.2 in FreeBSD 10.0.
>>>>
>>>> However, my problem emanated from the fact that rules that I use on
>>>> FreeBSD-8.4/9.3 simply could not work on 10.1
>>>>
>>>> I simply carried the rules over, and did not compile a custom kernel on
>>>> 10.1. I was believing that the module would be automatically loaded and
>>>> rules would work. They didn't! Only 'ipf -D' would let connections be
>>>> made from LAN PCs to my gateway PC..
>>>>
>>>> I read a post in which someone had to copy the sources from 9.x to 10.x
>>>> and recompile in order to get it to work with the rules from 9.x
>>>
>>> The update from 4.1.28->5.1.2 may include changes that require
>>> adjusting old rules to the new syntax.
>>>
>>> While going back to an older version can get your old settings to work
>>> again, it also removes any security fixes from the update. Updating your
>>> ruleset would be a better solution.
>>>
>>> --
>>> FreeBSD - the place to B...Software Developing
>>>
>>> Shane Ambler
>>>
>
> I wonder if anyone knows the URL of the official website of ipfilter. Both the project
> info on sourceforge (http://sourceforge.net/projects/ipfilter/) and the
> wikipedia page (https://en.wikipedia.org/wiki/IPFilter) point at a place
> which apparently doesn't exist, so you end up getting just the front page of
> the university: http://asiapacific.anu.edu.au/ ...
>
> One does want to read the documentation to be able to keep using ipfilter
> on FreeBSD 10.x (as one did on FreeBSD 9.x in the past). And with the syntax
> changed, one does have to read the documentation (and here the brilliant FreeBSD
> documentation seems to be outdated...)
>
> Thanks a lot for your answers!
>
> Valeri
>

I moved my 8 production machines from 9.2 to 10.1 and my 9.2 IPFilter rules worked just fine on 10.1. It also has a private LAN and users can reach the public network. Matter of fact, I have been using the same IPF rules since version 3.4.

I find it hard to believe that, as popular as IPFilter is, no one else has voiced any problems about it. Your problem is a major show stopper and should be affecting ALL IPFilter users if it was an IPF software or 10.1 bug.

IPFilter does not have any syntax changes. I pretty much use the IPF rule set as shown in the handbook. On the other hand, PF does have major syntax differences between the old back version FreeBSD is running and the current version the openbsd documentation shows. Maybe PF-IPF is what the previous poster was confused over.

Rest assured, IPFilter does work on 10.1. Something changed on your system. Check all the basic IPF config files. LAN not reaching the public network may mean your ipf.nat file is missing or coded wrong.
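The checks the reply above points at (the rc.conf settings, whether the rule and NAT files named there exist, and whether the ruleset parses under the ipf installed on the 10.x box) written out as a script. This is an added example, not code from anyone in the thread. It assumes the rc.conf knob names used in /etc/defaults/rc.conf and the Handbook (ipfilter_enable, ipfilter_rules, ipnat_enable, ipnat_rules), and that ipf(8)/ipnat(8) accept -n (parse without making any kernel changes) and -v (echo each rule as it is parsed); the rc.conf contents fed to it in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity checks for an IPFilter
# setup on FreeBSD before concluding that the ruleset or the 10.x upgrade is at fault.
# Knob names are the ones from /etc/defaults/rc.conf and the Handbook (assumption);
# any rc.conf contents used to exercise these functions are constructed samples.

# Print the rc.conf knobs IPFilter needs that are absent from the given file,
# one per line. Returns 0 when nothing is missing, 1 otherwise.
ipf_rcconf_missing() {
    rcfile=$1
    missing=0
    for var in ipfilter_enable ipfilter_rules ipnat_enable ipnat_rules; do
        if ! grep -Eq "^[[:space:]]*${var}=" "$rcfile"; then
            echo "$var"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print the value assigned to a knob in rc.conf with surrounding quotes removed.
# Prints nothing if the knob is not set (last assignment wins, as in sh).
ipf_rcconf_value() {
    rcfile=$1 var=$2
    sed -n "s/^[[:space:]]*${var}=//p" "$rcfile" | tail -n 1 | tr -d "\"'"
}

# Check that the filter and NAT rule files named in rc.conf actually exist:
# a missing or unset ipnat_rules is the "LAN cannot reach the outside" case.
# Prints "missing: ..." for each problem; returns 0 only if both files exist.
ipf_rulefiles_present() {
    rcfile=$1
    ok=0
    for var in ipfilter_rules ipnat_rules; do
        path=$(ipf_rcconf_value "$rcfile" "$var")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "missing: ${var}=${path:-<unset>}"
            ok=1
        fi
    done
    return "$ok"
}

# Parse a filter ruleset with the installed ipf without loading it: -n makes no
# ioctl calls, -v echoes each rule as parsed, syntax errors go to stderr. This is
# how to find out whether an 8.x/9.x ruleset is accepted by the 5.x ipf on 10.x.
# Returns 2 when ipf is not installed on this host (e.g. when run off-box).
ipf_dry_run() {
    command -v ipf >/dev/null 2>&1 || return 2
    ipf -n -v -f "$1"
}

# Same dry-run for the NAT rules via ipnat.
ipnat_dry_run() {
    command -v ipnat >/dev/null 2>&1 || return 2
    ipnat -n -v -f "$1"
}

# Usage on the gateway:  sh ipf-check.sh --check [/etc/rc.conf]
if [ "${1:-}" = "--check" ]; then
    rc=${2:-/etc/rc.conf}
    ipf -V 2>/dev/null || echo "ipf not installed or not readable"
    ipf_rcconf_missing "$rc" || echo "rc.conf is missing the knobs listed above"
    ipf_rulefiles_present "$rc" || echo "rule files named in rc.conf are missing"
    ipf_dry_run "$(ipf_rcconf_value "$rc" ipfilter_rules)" || echo "ipf dry run failed (status $?)"
    ipnat_dry_run "$(ipf_rcconf_value "$rc" ipnat_rules)" || echo "ipnat dry run failed (status $?)"
fi
```

Run it as root on the 10.x gateway with `--check`; `ipf -V` tells you which IPFilter version the kernel actually has, and the two dry runs show, rule by rule, what that version makes of the files carried over from the older release without touching the running filter. To test an old ruleset that is not yet installed, call `ipf_dry_run /path/to/old.rules` directly.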