On Thu, Nov 18, 2010 at 04:58:08PM +0100, Harald Weis wrote:
> Has anybody configured a firewall behind an ISP router ?
>
> My IPF rules contain:
> @3 pass out quick on fxp0 proto tcp from any to 212.27.40.241/32 port = domain flags S/FSRPAU keep state
> @4 pass out quick on fxp0 proto udp from any to 212.27.40.241/32 port = domain keep state
> @5 pass out quick on fxp0 proto tcp from any to 212.27.40.240/32 port = domain flags S/FSRPAU keep state
> @6 pass out quick on fxp0 proto udp from any to 212.27.40.240/32 port = domain keep state
>
> When running "ping www.freebsd.org" the DNS servers reply with "bad" packets like so:
> 18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad
> 18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad
> 18/11/2010 11:16:19.074905 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 80 IN bad
> 18/11/2010 11:16:29.074863 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 80 IN bad
>
> Running "ping <IP address of www.freebsd.org>" is OK.
>
> I cannot find out the meaning of "bad" and whether the problem is in the router or in my "inclusive" firewall.
> Please note that my firewall works fine with ISP modems.
I have finally found the reason. The problem was never in my firewall, it was in the routing table when I changed from the internal LAN behind the server (which has two interfaces) to the ISP router. I did this with a script like so:

<extract>
ifconfig alc0 down
route flush
sh /etc/filters/load-ipf.rules-$rules
dhclient alc0
</extract>

But _without_ the ``route flush'' line because I had not understood that ``ifconfig alc0 down'' "does not automatically disable routes using the interface", as clearly mentioned in ifconfig(1).

Sorry for the noise I made, but my bad experience might be useful for someone else.

Best regards,
Harald Weis
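As an added example (not part of the mail thread), the switch-over script above with a check for the failure mode Harald hit: after "ifconfig down" and "route flush", the script scans "netstat -rn" for any route whose Netif column still names the downed interface before calling dhclient. The interface name, rule-file path and the sample routing table are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Interface name, rule path and
# the sample routing table below are assumptions / constructed data.

# Print the destinations of routes whose Netif column equals $1, reading
# "netstat -rn" output (FreeBSD layout) on stdin. Skips headers and blanks.
routes_via_iface() {
    awk -v ifc="$1" '
        /^Destination/ { inside = 1; next }   # column header starts a table
        /^$/           { inside = 0; next }   # blank line ends it
        inside && $4 == ifc { print $1 }
    '
}

# Constructed sample of "netstat -rn" after "ifconfig alc0 down" WITHOUT
# "route flush": the default route and the LAN route still point at alc0.
SAMPLE_TABLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.254      UGS        alc0
127.0.0.1          link#2             UH         lo0
192.168.0.0/24     link#1             U          alc0
192.168.0.111      link#1             UHS        lo0
'

# Routes in the constructed sample that still use alc0 (expect two).
stale_routes_in_sample() {
    printf '%s' "$SAMPLE_TABLE" | routes_via_iface alc0
}

# The switch-over itself: needs root and FreeBSD tools, so it only runs
# when invoked with --run.  Aborts before dhclient if stale routes remain.
switch_uplink() {
    ifc=$1; rules=$2
    ifconfig "$ifc" down
    route flush                      # ifconfig down leaves routes in place
    sh "/etc/filters/load-ipf.rules-$rules"
    if [ -n "$(netstat -rn | routes_via_iface "$ifc")" ]; then
        echo "routes still reference $ifc after flush" >&2
        return 1
    fi
    dhclient "$ifc"
}

if [ "${1:-}" = "--run" ]; then
    switch_uplink "${2:-alc0}" "${3:-default}"
fi
```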
