Date:      Thu, 22 Jan 2015 10:10:46 +0300
From:      Odhiambo Washington <odhiambo@gmail.com>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        Shane Ambler <freebsd@shaneware.biz>, User Questions <freebsd-questions@freebsd.org>, galtsev@kicp.uchicago.edu
Subject:   Re: IPFilter & FreeBSD-10.1
Message-ID:  <CAAdA2WP4Yh0xUFXTAchD0LgkM-d0SsCo7H-8HLNoyT=Sv3k+rQ@mail.gmail.com>
In-Reply-To: <54C0510C.8070408@gmail.com>
References:  <CAAdA2WMudfd0J9RP_3UL+EMC8Vh3Crks8c-6U5f7AQMBSR0XJQ@mail.gmail.com> <CAOc73CCsrnqskLJKFbQH2W-EYH7yi=AXiSKw8jLYz0O35spJ5g@mail.gmail.com> <CAAdA2WOeiEv2opf4ZMDAf=LvC5TUCbC8+AeE0ecf7Ac+=jQ1-w@mail.gmail.com> <54BF7050.90605@ShaneWare.Biz> <CAAdA2WPr4jjdS3MiuNkuG2JQCA_LAaSndhe=cRxiSHVf9o_yRw@mail.gmail.com> <51264.128.135.70.2.1421883154.squirrel@cosmo.uchicago.edu> <54C0510C.8070408@gmail.com>

On 22 January 2015 at 04:23, Ernie Luzar <luzar722@gmail.com> wrote:

> Valeri Galtsev wrote:
>
>> On Wed, January 21, 2015 3:29 am, Odhiambo Washington wrote:
>>
>>> Hi Shane,
>>>
>>> Where is the new syntax documented? Or I just have to 'man ipf'? I'd love
>>> to see a web discussion about it, which I obviously missed.
>>>
>>> Is there a sort of rule converter? :-)
>>>
>>> Thank you for mentioning this syntax thing. Must be the one that was
>>> biting me on 10.1
>>>
>>> On 21 January 2015 at 12:24, Shane Ambler <FreeBSD@shaneware.biz> wrote:
>>>
>>>> On 21/01/2015 16:15, Odhiambo Washington wrote:
>>>>
>>>>> Hi Ben,
>>>>>
>>>>> Thanks for this. I actually read this bit of it having been updated to
>>>>> version 5.1.2 in FreeBSD 10.0.
>>>>>
>>>>> However, my problem emanated from the fact that rules that I use on
>>>>> FreeBSD-8.4/9.3 simply could not work on 10.1
>>>>>
>>>>> I simply carried the rules over, and did not compile a custom kernel on
>>>>> 10.1. I was believing that the module would be automatically loaded and
>>>>> rules would work. They didn't! Only 'ipf -D' would let connections be
>>>>> made from LAN PCs to my gateway PC..
>>>>>
>>>>> I read a post in which someone had to copy the sources from 9.x to 10.x and
>>>>> recompile in order to get it to work with the rules from 9.x
>>>>>
>>>> The update from 4.1.28->5.1.2 may include changes that require
>>>> adjusting old rules to the new syntax.
>>>>
>>>> While going back to an older version can get your old settings to work
>>>> again it also removes any security fixes from the update. Updating your
>>>> ruleset would be a better solution.
>>>>
>>>> --
>>>> FreeBSD - the place to B...Software Developing
>>>>
>>>> Shane Ambler
>>>>
>>>
>> I wonder if anyone knows the URL of the official website of ipfilter. Both project
>> info on sourceforge (http://sourceforge.net/projects/ipfilter/) and the
>> wikipedia page (https://en.wikipedia.org/wiki/IPFilter) point at a place
>> which apparently doesn't exist, so you end up getting just the front page of
>> the university: http://asiapacific.anu.edu.au/ ...
>>
>> One does want to read the documentation to be able to keep using ipfilter
>> on FreeBSD 10.x (as one did on FreeBSD 9.x in the past). And with syntax
>> changed, one does have to read the documentation (and here the brilliant FreeBSD
>> documentation seems to be outdated...)
>>
>> Thanks a lot for your answers!
>>
>> Valeri
>>
> I moved my 8 production machines from 9.2 to 10.1 and my 9.2 IPFilter
> rules worked just fine on 10.1. It also has a private LAN and users can
> reach the public network.
> Matter of fact, I have been using the same IPF rules since version 3.4.
>
> I find it hard to believe that, as popular as IPFilter is, no one else has
> voiced any problems about it.
> Your problem is a major show stopper and should be affecting ALL IPFilter
> users if it was an IPF software or 10.1 bug.
>
> IPFilter does not have any syntax changes. I pretty much use the IPF rule
> set as shown in the handbook.
> On the other hand, PF does have major syntax differences between the old
> back version FreeBSD is running and the current version the openbsd
> documentation shows. Maybe PF-IPF is what the previous poster was confused over.
>
> Rest assured, IPFilter does work on 10.1. Something changed on your system.
> Check all the basic IPF config files.
> LAN not reaching the public network may mean your ipf.nat file is missing or
> coded wrong.
>


The same rules which refused to work on 10.1 are working on 9.3. All I had
to change were the interface names and the IP subnets. Trust me I verified
and ensured that I did not mix up the names.

If you want, I am willing to give someone access to my box to try and get
this to work.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."