From owner-freebsd-questions@FreeBSD.ORG Thu Jan 22 02:16:55 2015
Message-ID: <8292.76.193.18.182.1421893014.squirrel@cosmo.uchicago.edu>
In-Reply-To: <54C0510C.8070408@gmail.com>
References: <54BF7050.90605@ShaneWare.Biz> <51264.128.135.70.2.1421883154.squirrel@cosmo.uchicago.edu> <54C0510C.8070408@gmail.com>
Date: Wed, 21 Jan 2015 20:16:54 -0600 (CST)
Subject: Re: IPFilter & FreeBSD-10.1
From: "Valeri Galtsev"
To: "Ernie Luzar"
Reply-To: galtsev@kicp.uchicago.edu
Cc: User Questions
List-Id: User questions

On Wed, January 21, 2015 7:23 pm, Ernie Luzar wrote:
> Valeri Galtsev wrote:
>> On Wed, January 21, 2015 3:29 am, Odhiambo Washington wrote:
>>
>>> Hi Shane,
>>>
>>> Where is the new syntax documented? Or do I just have to 'man ipf'? I'd
>>> love to see a web discussion about it, which I obviously missed.
>>>
>>> Is there a sort of rule converter? :-)
>>>
>>> Thank you for mentioning this syntax thing. Must be the one that was
>>> biting me on 10.1
>>>
>>> On 21 January 2015 at 12:24, Shane Ambler wrote:
>>>
>>>> On 21/01/2015 16:15, Odhiambo Washington wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> Thanks for this. I actually read this bit of it having been updated
>>>>> to version 5.1.2 in FreeBSD 10.0.
>>>>>
>>>>> However, my problem emanated from the fact that rules that I use on
>>>>> FreeBSD-8.4/9.3 simply could not work on 10.1
>>>>>
>>>>> I simply carried the rules over, and did not compile a custom kernel
>>>>> on 10.1. I was believing that the module would be automatically loaded
>>>>> and rules would work. They didn't! Only 'ipf -D' would let connections
>>>>> be made from LAN PCs to my gateway PC..
>>>>>
>>>>> I read a post in which someone had to copy the sources from 9.x to
>>>>> 10.x and recompile in order to get it to work with the rules from 9.x
>>>>>
>>>> The update from 4.1.28->5.1.2 may include changes that require
>>>> adjusting old rules to the new syntax.
>>>>
>>>> While going back to an older version can get your old settings to work
>>>> again, it also removes any security fixes from the update. Updating
>>>> your ruleset would be a better solution.
>>>>
>>>> --
>>>> FreeBSD - the place to B...Software Developing
>>>>
>>>> Shane Ambler
>>>>
>>
>> I wonder if anyone knows the URL of the official website of ipfilter. Both
>> the project info on sourceforge (http://sourceforge.net/projects/ipfilter/)
>> and the wikipedia page (https://en.wikipedia.org/wiki/IPFilter) point at a
>> place which apparently doesn't exist, so you end up getting just the front
>> page of the university: http://asiapacific.anu.edu.au/ ...
>>
>> One does want to read the documentation to be able to keep using
>> ipfilter on FreeBSD 10.x (as one did on FreeBSD 9.x in the past). And with
>> the syntax changed, one does have to read the Documentation (and here the
>> brilliant FreeBSD documentation seems to be outdated...)
>>
>> Thanks a lot for your answers!
>>
>> Valeri
>>
>
> I moved my 8 production machines from 9.2 to 10.1 and my 9.2 IPFilter
> rules worked just fine on 10.1. It also has a private LAN and users can
> reach the public network. Matter of fact I have been using the same IPF
> rules since version 3.4.

I'm certainly happy for you.

> I find it hard to believe that as popular as IPFilter is no one else has
> voiced any problems about it. Your problem is a major show stopper and
> should be affecting ALL IPFilter users if it was an IPF software or 10.1
> bug.

No, I'm not the original poster of this thread; the problem I have is
different, I'll describe it later.

> IPFilter does not have any syntax changes. I pretty much use the IPF
> rule set as shown in the handbook.

It was just what someone else on this thread mentioned: change of syntax.
I can not verify that directly on the website of the ipfilter author, as
this website doesn't seem to exist anymore (read my post).

> On the other hand PF does have major syntax differences between the old
> back version FreeBSD is running and the current version openbsd
> documentation shows. Maybe PF-IPF is what the previous poster was
> confused over.
>
> Rest assured, IPFilter does work on 10.1. Something changed on your
> system. Check all the basic IPF config files. Lan not reaching public
> network may mean your ipf.nat file is missing or coded wrong.

Again, my problem is different. Originally, after upgrade from 9.3 RELEASE
to 10.0 RELEASE (shortly after it was released), I started observing too
many packets (more than 90%) dropped by ipfilter. The network feels like 100
times slower. All config files are in place. I asked on this list for help -
no one replied (if my memory doesn't fail me).

Then I looked into the code of the kernel module itself, and I noticed it is
much slimmer than the kernel module code on 9.3 (many files are missing,
some of the ones that are there are noticeably shorter). I moved /usr/src
out of the way and checked out a fresh copy: all is exactly the same. After
that I just replaced the code of the ipfilter module with the one from 9.3,
rebuilt the kernel module, unloaded and loaded the freshly built module. And
my ipfilter problem was fixed. I just posted this to the thread I have
started, so it looks like one of the posts here on this thread just quotes
what I did (or maybe someone else did and described the same). Note that
config files didn't change.

After some time living with 10.0 on that box, that box was upgraded to 10.1
RELEASE, also shortly after it was released. And the same problem
reappeared: ipfilter, when it is on, drops the majority of packets,
connections seem to be 100 times slower...

I know, happy people (who do not have the problem themselves) ... hm ...
cannot always imagine that the problem can be real for somebody else. But I
still hope someone will be able to answer my questions.

1. How can I find the website (Documentation) for the latest ipfilter? Where
is the new place for it (it appears the developer moved it from where it was
in the past)?

2. Did the syntax change between versions or not? On 9.3 I have version
v4.1.28 (496), whereas on 10.1: v5.1.2 (608). If yes, where do I find the
appropriate documentation? I certainly will be able to rewrite my rules
myself after reading the documentation. After all, I wrote them (of course,
using the amazing FreeBSD online documentation! ;-)

Thanks in advance for all your replies.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
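The message above swaps the 9.3 ipfilter module sources under a 10.1 userland and rebuilds the module. The check a practitioner would want before and after doing that is whether the ipf(8) userland tools and the loaded kernel module report the same IP Filter version, since `ipf -V` prints both (an `ipf:` line for the userland binary and a `Kernel:` line for the module). The script below is an added example written for this page; it is not code from the thread, from ipfilter or from FreeBSD. It assumes the FreeBSD 10.x layout (module sources in /usr/src/sys/modules/ipfilter, module name `ipl`), assumed rule and NAT file paths /etc/ipf.rules and /etc/ipnat.conf, and a GENERIC-style kernel that loads ipfilter as a module rather than having `options IPFILTER` compiled in (with ipfilter in the kernel there is no module to unload or reload). The version-line format it parses is the `ipf -V` output format; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare the ipf(8) userland version
# with the loaded ipfilter kernel module, and optionally rebuild/reload the
# module the way the message describes. Paths and module name are assumed
# (FreeBSD 10.x: /usr/src/sys/modules/ipfilter, module "ipl").

# Print "MAJOR.MINOR.PATCH" from one `ipf -V` line such as
#   "Kernel: IP Filter: v5.1.2 (608)"   ->  5.1.2
ipf_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*IP Filter: v\([0-9][0-9.]*\).*/\1/p'
}

# Read full `ipf -V` output on stdin; print "<userland> <kernel>" versions.
ipf_versions() {
    u=""; k=""
    while IFS= read -r line; do
        case "$line" in
            ipf:*)    u=$(ipf_version_from_line "$line") ;;   # userland binary
            Kernel:*) k=$(ipf_version_from_line "$line") ;;   # loaded module
        esac
    done
    printf '%s %s\n' "$u" "$k"
}

# Exit 0 when both versions are present and identical, 1 otherwise.
# A 4.1.x module under 5.1.x tools (or vice versa) shows up here.
ipf_versions_match() {
    set -- $(ipf_versions)
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Rebuild the module from /usr/src, reload it, then reload rules and NAT.
# Root-only; the rule/NAT file paths are assumptions for this example.
ipf_rebuild_and_reload() {
    (cd /usr/src/sys/modules/ipfilter && make && make install) &&
    kldunload ipl && kldload ipl &&
    ipf -Fa -f /etc/ipf.rules &&
    ipnat -CF -f /etc/ipnat.conf
}

# Usage:  sh ipf-check.sh check   |   sh ipf-check.sh reload
case "${1-}" in
    check)
        if ipf -V | ipf_versions_match; then
            echo "ipf userland and kernel module versions match"
        else
            echo "ipf userland / kernel module version mismatch:" >&2
            ipf -V >&2
            exit 1
        fi ;;
    reload)
        ipf_rebuild_and_reload ;;
esac
```

Running `check` after the reload is the point: if the rebuilt module came from a different source tree than the installed ipf(8), ipnat(8) and ipfstat(8) binaries, the two version lines differ, and rule hit counts from `ipfstat -hio` should then be read with that mismatch in mind.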