From owner-freebsd-questions@FreeBSD.ORG Mon Feb 27 13:49:07 2006
From: "Roman Serbski" <mefystofel@gmail.com>
To: freebsd-questions@freebsd.org
Date: Mon, 27 Feb 2006 18:48:58 +0500
Subject: Re: Help with IP Filter 4.1.8
In-Reply-To: <4402232A.8010908@locolomo.org>

On 2/27/06, Erik Nørgaard wrote:
> Could you change your last rule to this:
>
> block in log quick on xl0 all
>
> and then tell what you see in the log.
> This would give some information if any traffic is blocked in the first
> place. Actually, adding the log keyword to all rules for the xl0
> interface might be a good idea for debugging.
>
> Also, is this the complete ruleset or did you remove rules you thought
> were irrelevant? If so, then post the whole ruleset.

Thank you. I removed 'flags' as it was suggested by Giorgos Keramidas, but it didn't help.

This is not the complete ruleset, I mean there are a lot of other rules, but I removed everything to be sure and left only outgoing 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with ipf v3.4.35 (336) and it worked well.

Adding the 'log' keyword produced the following record:

xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad

where XXX is the IP address of the ISP's DNS server, and YYY is the server I'm running ipf on. There was a hit on a rule allowing outgoing 53/udp and it seems like the response from the DNS server was blocked. The outgoing port number returned by YYY is always changing - on a second run it was 51212.

Of course I can allow incoming connections to ports > 1024, but I really would like to understand why it was working with ipf v3.4.35 and not with v4.1.8.

Once again, thank you all for your help.
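The debugging step the thread is converging on (log every rule on xl0, then look for an inbound reply to a random high port being dropped right after the matching outbound query was passed) is mechanical enough to script. The following is an added example, not code from the thread or from IP Filter: it parses ipmon-style log lines in the field layout of the record quoted above (interface, @group:rule, b/p, src,sport -> dst,dport, PR proto, len hlen total, IN/OUT, trailing flags) and reports every blocked inbound packet whose reversed 5-tuple was earlier seen as a passed outbound packet. The sample lines are constructed, with RFC 5737 documentation addresses standing in for XXX and YYY; the optional leading ipmon timestamp and the assumption that the pass rule also carries `log` are mine, not the original poster's.

```python
"""Spot replies that IP Filter blocked after passing the matching request.

Added example for the ipmon(8) log format shown in the message; the sample
log below is constructed, not taken from the original poster's system.
"""
import re
from dataclasses import dataclass

# Field layout taken from the line quoted in the message. Matching with
# re.search lets an optional ipmon timestamp prefix pass unnoticed
# (assumption: "dd/mm/yyyy hh:mm:ss.uuuuuu" before the interface name).
LINE_RE = re.compile(
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<length>\d+) "
    r"(?P<direction>IN|OUT)(?P<flags>.*)$"
)

# Constructed sample: one DNS query passed out (the pass rule is assumed
# to carry 'log' too), its reply blocked, then a second reply for which
# no outbound query was logged.
SAMPLE_LOG = """\
27/02/2006 18:48:58.112233 xl0 @0:1 p 198.51.100.7,60808 -> 203.0.113.53,53 PR udp len 20 62 OUT
27/02/2006 18:48:58.115678 xl0 @0:2 b 203.0.113.53,53 -> 198.51.100.7,60808 PR udp len 20 298 IN bad
xl0 @0:2 b 203.0.113.53,53 -> 198.51.100.7,51212 PR udp len 20 298 IN bad
"""


@dataclass(frozen=True)
class IpfLogEntry:
    ifname: str
    group: int
    rule: int
    action: str       # 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hlen: int         # IP header length as printed after 'len'
    length: int       # total packet length
    direction: str    # 'IN' or 'OUT'
    flags: tuple      # trailing tokens such as 'bad', kept verbatim


def parse_line(line):
    """Parse one TCP/UDP ipmon line; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return IpfLogEntry(
        ifname=m["ifname"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        hlen=int(m["hlen"]), length=int(m["length"]),
        direction=m["direction"], flags=tuple(m["flags"].split()),
    )


def find_blocked_replies(lines):
    """Return blocked inbound entries whose reversed 5-tuple matches an
    earlier passed outbound packet on the same interface. That pairing is
    the signature of a reply that a stateful (keep state) rule should
    have admitted without a separate inbound rule."""
    seen_out = set()
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.direction == "OUT" and e.action == "p":
            seen_out.add((e.ifname, e.proto, e.src, e.sport, e.dst, e.dport))
        elif e.direction == "IN" and e.action == "b":
            reverse = (e.ifname, e.proto, e.dst, e.dport, e.src, e.sport)
            if reverse in seen_out:
                hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_blocked_replies(SAMPLE_LOG.splitlines()):
        print(f"reply blocked by @{hit.group}:{hit.rule}: "
              f"{hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} "
              f"{hit.proto} flags={' '.join(hit.flags) or '-'}")
```

Feed it the ipmon output from a run with `log` on every xl0 rule; a reported pair means the outbound rule matched but no state entry (or no inbound rule) covered the return packet, which is exactly the question the poster is left with. The third sample line is deliberately not reported: a blocked inbound packet with no logged outbound counterpart is a different problem (unsolicited traffic, or a pass rule without `log`).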