Date:      Tue, 17 Sep 2002 09:02:16 +0200 (CEST)
From:      Claus Guttesen <cguttesen@yahoo.dk>
To:        Robin Breathe <freebsd@lineone.net>, freebsd-questions@freebsd.org
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Problems with ipfilter 3.4.29 under -STABLE (post 31/08/2002)
Message-ID:  <20020917070216.13572.qmail@web14102.mail.yahoo.com>
In-Reply-To: <000201c25db0$acfd64b0$026ca8c0@ishadow>

Hi.

--- Robin Breathe <freebsd@lineone.net> wrote:
> Hi all,
> 
> I'm interested to know if anyone is successfully
> running ipf/ipnat under
> -STABLE from after the merge on the 31st of August

I have installed stable 4.6.2 and did a cvsup on
Sept. 8-9th and did a make world and make kernel
on a custom kernel without ipfilter compiled into the
kernel. Loaded ipfilter as a kernel module and it
worked fine.

> I have found that my existing rulesets fail with the
> new code.  ipf
> blocks everything, and ipnat doesn't do NAT.  My
> rules are at
> http://isometry.net/freebsd/ipfilter/, and they've
> worked flawlessly
> with previous versions of ipfilter, in particular

Decided to compile ipfilter into the kernel and
nothing appeared to work. So I removed it again from
the kernel and reverted to use ipfilter as a loadable
module instead.

Works with NAT but does seem to have some issues
related to passive ftp from our inside network out to
the internet. The connection breaks after 60 secs. I
have 'pass out tcp port 21 keep state' etc. in my
config-file, but that doesn't seem to work as
intended. Tried to enable active ftp by adding the
'map ep0 0/0 -> 0/32 proxy port 21 ftp/tcp' statement
into my ipnat-config-file. But not sure whether I got
it wrong or not.

> I am trying to work out whether the problem lies
> with the recent merge
> of ipfilter 3.4.29, or with my config.  And from all
> the testing I've
> been able to do, the problem seems to lie with
> ipfilter.  Other people's
> experiences with the new code would be greatly
> appreciated.

Can't dig too much into the ftp-issue since I need to
test traffic-shaping (will use IPFW for that purpose)
and lots of other stuff my boss wants me to do.

I'll do another make world/kernel when 4.7 has been
out for a week or so to see whether ftp works or not.

Cheers
Claus

