Passing ppp/vpn with ip-filter
Hi: I have the following setup:

  XP -- FBSD -- Internet --- Work

I need to set up a VPN connection from my workstation to work, but the connection fails, presumably blocked by my firewall. The FBSD gateway uses ip filter to filter traffic with a default block. Listening on the pflog interface I got this:

  1. 051533 rule 97/0(match): block in on vr1: 172.16.0.127 > 217.126.X.X: GREv1, call 62316, seq 9, proto PPP (0x880b), length 37: [|ppp]

How do I create a rule to pass this connection?

Thanks, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
IP FILTER and network address
Hi all, I want to have these two rules in the ipf.rules file:

  pass in quick on $oif proto tcp from 217.83.122.17/8 to $myip port = 22 flags S keep state
  pass in quick on $oif proto tcp from 217.83.89.61/8 to $myip port = 22 flags S keep state

where $oif is my interface. Executing the config file I get the following error:

  ioctl(add/insert rule): File exists

which means the rule is being loaded twice. But the network addresses above are different!!! If I comment out either of the above two lines, ipf executes fine. Any idea how to solve this error, and allow only these two networks above?

Thanks in advance ...
-- 
Get your free email from http://bsdmail.com
Re: IP FILTER and network address
Tun Eler wrote:
> Hi all, I want to have these two rules in the ipf.rules file:
>
>   pass in quick on $oif proto tcp from 217.83.122.17/8 to $myip port = 22 flags S keep state
>   pass in quick on $oif proto tcp from 217.83.89.61/8 to $myip port = 22 flags S keep state
>
> where $oif is my interface. Executing the config file I get the following error:
>
>   ioctl(add/insert rule): File exists
>
> which means the rule is being loaded twice. But the network addresses above are different!!! If I comment out either of the above two lines, ipf executes fine. Any idea how to solve this error, and allow only these two networks above?
>
> Thanks in advance ...

Appending your IP with /8 ends you up with two rules that essentially look like this (AFAIK):

  pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state
  pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state

Perhaps you want to filter the IPs only, like:

  pass in quick on $oif proto tcp from 217.83.122.17/32 to $myip port = 22 flags S keep state
  pass in quick on $oif proto tcp from 217.83.89.61/32 to $myip port = 22 flags S keep state

Regards,
Steve
Re: IP FILTER and network address
> Appending your IP with /8 ends you up with two rules that essentially look like this (AFAIK):
>
>   pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state

Oh, of course. I was applying the rule in the wrong direction, from the right to the left. Silly :-)

Thanks ...
-- 
Get your free email from http://bsdmail.com
Re: IP FILTER and network address
Tun Eler wrote:
>> Appending your IP with /8 ends you up with two rules that essentially look like this (AFAIK):
>>
>>   pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state
>
> Oh, of course. I was applying the rule in the wrong direction, from the right to the left. Silly :-)

I don't quite know what you mean, but /32 is the single (host) IP, much like:

  192.168.1.3/24 == 192.168.1.1 - 192.168.1.254 (entire 192.168.1 network)

and:

  172.16.28.18/16 == 172.16.0.1 - 172.16.255.254 (entire 172.16 network)

...what you had was the entire 217. network ;)

Appending a /32 to an address means this address, and only this address.

Regards,
Steve
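The collision Steve describes is easy to check for mechanically: ipf stores each address as network/mask, so any prefix length that discards host bits collapses distinct hosts onto one network, and two rules that differ only in those discarded bits become byte-identical (hence the EEXIST from ioctl). The linter below is an added example, not code from the thread; the two sample rules are the ones posted above, and the "fixed" set is simply the /32 version Steve suggests.

```python
"""Lint an ipf ruleset for prefix lengths that throw host bits away.  ipf stores
addresses as network/mask, so 217.83.122.17/8 and 217.83.89.61/8 both become
217.0.0.0/8, the two rules become identical, and the second is refused with
"ioctl(add/insert rule): File exists"."""
import ipaddress
import re

# "from <addr>" / "to <addr>" operands of an ipf rule.  "any" and $variables are
# left alone.  The leading \b keeps the "to" inside "proto" from matching.
_OPERAND = re.compile(r"\b(from|to)\s+(\S+)")


def normalize_addr(token):
    """Return (network as the kernel stores it, True if host bits were discarded)."""
    if token == "any" or token.startswith("$"):
        return token, False
    addr, _, plen = token.partition("/")
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{plen or ip.max_prefixlen}", strict=False)
    return str(net), ip != net.network_address


def canonical(rule):
    """Rewrite one rule with every address in kernel form; return (rule, warnings)."""
    warnings = []

    def repl(m):
        net, lost_bits = normalize_addr(m.group(2))
        if lost_bits:
            warnings.append(f"{m.group(2)} has host bits set; the kernel keeps only {net}")
        return f"{m.group(1)} {net}"

    return _OPERAND.sub(repl, " ".join(rule.split())), warnings


def check_ruleset(text):
    """Return [(line number, message)] for host-bit warnings and duplicate rules."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        canon, warnings = canonical(line)
        findings.extend((lineno, w) for w in warnings)
        if canon in seen:
            findings.append((lineno, f"duplicate of line {seen[canon]} once normalized: {canon}"))
        else:
            seen[canon] = lineno
    return findings


# Constructed sample: the two rules posted in the thread, then Steve's /32 fix.
POSTED = """\
pass in quick on $oif proto tcp from 217.83.122.17/8 to $myip port = 22 flags S keep state
pass in quick on $oif proto tcp from 217.83.89.61/8 to $myip port = 22 flags S keep state
"""
FIXED = POSTED.replace("/8 ", "/32 ")

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{name}:")
        for lineno, msg in check_ruleset(rules) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run it against a whole ipf.rules before loading: a host-bits warning is almost always a typo in the prefix length, and a duplicate after normalization is exactly the condition that makes ipf refuse the file.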
System (Firewall - IP filter) freezes sometimes
Hello lists,

I have a 6.1-RELEASE-p10 system running the IP Filter which comes with 6.1, acting as a firewall for my small home network. This system freezes when handling a lot of data, i.e. with an upload of a 60 Meg file to the firewall through SFTP from OpenSSH or when accessing large web pages. With freezes I mean it doesn't accept any new connections and doesn't respond to the keyboard. After 3 or 4 minutes the system 'lives' again. Nothing valuable is logged in the meantime.

The NICs used are Intel Gbit Desktop adapters and the system is using the 'em' driver for them. I am running IP Filter as a module. The freeze doesn't happen when the IP Filter kernel module is unloaded!

  [EMAIL PROTECTED] me $ uname -a
  FreeBSD firewall.domain.nu 6.1-RELEASE-p10 FreeBSD 6.1-RELEASE-p10 #0: Thu Nov 2 16:00:30 CET 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/FIREWALL i386
  [EMAIL PROTECTED] me $ ipf -V
  ipf: IP Filter: v4.1.8 (416)

The sysctl.conf file of the system:

  # $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
  #
  # This file is read when going to multi-user and its contents piped thru
  # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
  #
  #----------------------------------------
  # Disable kernel coredumps
  #----------------------------------------
  kern.coredump=0
  #----------------------------------------
  # Some hardening options
  #----------------------------------------
  security.bsd.see_other_uids=0
  security.bsd.see_other_gids=0
  #----------------------------------------
  # Some networking options
  #----------------------------------------
  net.inet.tcp.blackhole=2
  net.inet.udp.blackhole=1
  net.inet.ip.random_id=1
  #----------------------------------------
  # TCP/IP stack hardening
  #----------------------------------------
  # Decrease the ARP cache cleanup interval
  net.link.ether.inet.max_age=1200
  # Disable ICMP broadcast echo activity
  net.inet.icmp.bmcastecho=0
  # Disable ICMP routing redirects
  net.inet.ip.redirect=0
  # Disable ICMP broadcast probes
  net.inet.icmp.maskrepl=0
  # Disable IP source routing
  net.inet.ip.sourceroute=0
  net.inet.ip.accept_sourceroute=0
  # Increase resilience under heavy TCP load
  kern.ipc.somaxconn=1024
  # Set TCP send and receive window sizes
  net.inet.tcp.sendspace=32768
  net.inet.tcp.recvspace=32768

Anyone any idea what this is about?

Regards,
Lars Wittebrood.
Re: IP Filter
Bradford Fisher wrote:
> Currently, I have FreeBSD 6.0 p7 running with the GENERIC kernel. In rc.conf, I have set the options: ipfilter_enable=YES, ipfilter_rules=/etc/ipf.rules, ipmon_enable=YES, ipmon_flags=-Ds.

Looks ok, but you should be able to check that the rules are actually loaded.

> I then proceeded to configure /etc/ipf.rules as follows:
>
>   # IP Filter Rules File
>   # Block Garbage
>   block in log quick from any to any with ipopts
>   block in log quick proto tcp from any to any with short
>   # System Loopback Interface
>   pass in quick on lo0 all
>   pass out quick on lo0 all
>   # Outbound Traffic
>   pass out on vr0 all head 100
>   block out from 127.0.0.0/8 to any group 100
>   block out from any to 127.0.0.0/8 group 100
>   block out from any to my.ip.address/32 group 100
>   # Inbound Traffic
>   block in on vr0 from any to any head 200
>   block in from 127.0.0.0/8 to any group 200
>   block in from 192.168.254.50/32 to any group 200
>   pass in quick proto tcp from any to any port = www keep state group 200
>   pass in quick proto tcp from any to any port = pop3 keep state group 200
>   pass in quick proto tcp from any to any port = smtp keep state group 200
>   pass in quick proto tcp from any to any port = 22 keep state group 200
>   (have also added flags S/SA with no luck)
>   block return-rst in log proto tcp from any to any flags S/SA group 200
>   block return-icmp(net-unr) in proto udp all group 200

Is this the _whole_ ruleset?

1st, when debugging: Add 'log' to all rules, in particular block rules.

2nd, your rule for ssh should be:

  pass in quick proto tcp from any to any port = ssh flags S/SA \
       keep state group 200

3rd, the rules

  block in from 127.0.0.0/8 to any group 200
  block in from 192.168.254.50/32 to any group 200

have no effect because there is no quick keyword: Packets will be blocked either by the head rule, or the last two in that group, or passed by one of the pass rules.

4th, if you insert 'quick' in the head rules, packets will be checked against the rules in that group and any subgroups. Otherwise the packet may go up the tree and be blocked by other rules.

> As I do not have a webserver installed and configured at the time nor a mailer daemon configured, I have not tested the www, pop3, or smtp rules yet, but I do use SSH frequently and have found that with the above ruleset enabled, I cannot get connected. The weird part is that when I open the SSH client, I get a prompt for my username, but after sending the username, my connection times out before receiving the second prompt for my password (this does not happen when I have IP Filter disabled). I believe that the line
>
>   block in on vr0 from any to any head 200
>
> is the culprit responsible for my troubles, but can't figure out why it would be a problem since I have specifically stated a pass statement for the SSH.

You can also use snort to sniff on the interface while logging in, so you can see which packets are sent/received.

> I also realize that IP Filter is probably becoming a deprecated technology as new solutions are coming into play (I'm mainly using IP Filter as a means to get my feet wet as I follow along with Lucas). However, if anyone has any suggestions as to what packet filtering technology to deploy and configure, I'm more than willing to take a look!

Take a look at packet filter; for simple rule sets it is easy to migrate, you just can't use groups but have to order your rules carefully, and be sure to specify the interface in all rules.

Cheers, Erik
-- 
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F0C.crt
Subject ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Fingerprint: 7F:80:96:EA:95:92:E2:23:1F:FA:0F:98:92:C2:CC:55:6B:9A:8C:92
IP Filter
Recently I acquired Michael Lucas's Absolute BSD. And while it was written for FreeBSD version 4.x, I figured that I would follow along with it in hopes that I could apply some of his discussed topics to my FreeBSD 6.0 setup as I began learning about the operating system and the administration of a webserver. However, upon entering the section regarding IP Filter, I have come across a couple of differences and had some trouble.

The differences lie with how IP Filter was implemented. Where Lucas discussed compiling IP Filter directly into the kernel, the handbook mentioned the pre-compiled version of IP Filter in the base operating system and how to enable it through rc.conf. (I have tried both and now believe that the error is not in how I enabled IP Filter, but in the rules themselves.)

Currently, I have FreeBSD 6.0 p7 running with the GENERIC kernel. In rc.conf, I have set the options: ipfilter_enable=YES, ipfilter_rules=/etc/ipf.rules, ipmon_enable=YES, ipmon_flags=-Ds. I then proceeded to configure /etc/ipf.rules as follows:

  # IP Filter Rules File
  # Block Garbage
  block in log quick from any to any with ipopts
  block in log quick proto tcp from any to any with short
  # System Loopback Interface
  pass in quick on lo0 all
  pass out quick on lo0 all
  # Outbound Traffic
  pass out on vr0 all head 100
  block out from 127.0.0.0/8 to any group 100
  block out from any to 127.0.0.0/8 group 100
  block out from any to my.ip.address/32 group 100
  # Inbound Traffic
  block in on vr0 from any to any head 200
  block in from 127.0.0.0/8 to any group 200
  block in from 192.168.254.50/32 to any group 200
  pass in quick proto tcp from any to any port = www keep state group 200
  pass in quick proto tcp from any to any port = pop3 keep state group 200
  pass in quick proto tcp from any to any port = smtp keep state group 200
  pass in quick proto tcp from any to any port = 22 keep state group 200
  (have also added flags S/SA with no luck)
  block return-rst in log proto tcp from any to any flags S/SA group 200
  block return-icmp(net-unr) in proto udp all group 200
  ---

As I do not have a webserver installed and configured at the time nor a mailer daemon configured, I have not tested the www, pop3, or smtp rules yet, but I do use SSH frequently and have found that with the above ruleset enabled, I cannot get connected. The weird part is that when I open the SSH client, I get a prompt for my username, but after sending the username, my connection times out before receiving the second prompt for my password (this does not happen when I have IP Filter disabled). I believe that the line

  block in on vr0 from any to any head 200

is the culprit responsible for my troubles, but can't figure out why it would be a problem since I have specifically stated a pass statement for the SSH.

I hope that someone will be able to take a look at my ruleset and figure out what my problem is. And if at all possible, a brief explanation as to why. My whole goal with this project is to learn about the operating system and administration. =)

I also realize that IP Filter is probably becoming a deprecated technology as new solutions are coming into play (I'm mainly using IP Filter as a means to get my feet wet as I follow along with Lucas). However, if anyone has any suggestions as to what packet filtering technology to deploy and configure, I'm more than willing to take a look!

Thanks for your time
- Bradford Fisher
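Erik's points 3 and 4 in his reply above come down to three evaluation rules in ipf: the last matching rule wins, 'quick' ends evaluation on the spot, and a matching 'head N' rule descends into the rules tagged 'group N' before evaluation carries on after the head rule. The evaluator below is an added example, not code from the thread or from IP Filter itself: it parses the subset of ipf syntax in Bradford's ruleset and reports which rule decides each packet. Assumptions: 203.0.113.10 stands in for "my.ip.address", 198.51.100.7 is an arbitrary outside host, 'keep state' is parsed but not modelled (this is the stateless first-packet view), and a packet matching no rule gets the kernel default, which is pass unless IPFILTER_DEFAULT_BLOCK was compiled in.

```python
"""Static evaluator for a subset of ipf rule syntax: last match wins, 'quick'
stops evaluation, a matching 'head N' rule descends into the rules tagged
'group N' before evaluation continues.  State tables are not modelled."""
import ipaddress

PORTS = {"ssh": 22, "www": 80, "pop3": 110, "smtp": 25, "domain": 53}


def parse_rule(line):
    """Parse one rule into a dict; unknown keywords raise rather than being ignored."""
    t = line.split()
    r = {"text": line, "action": t[0], "dir": None, "iface": None, "proto": None,
         "src": "any", "dst": "any", "port": None, "flags": None, "with": None,
         "quick": False, "head": None, "group": 0}
    i = 1
    while i < len(t):
        w = t[i]
        if w in ("in", "out"): r["dir"] = w
        elif w == "quick": r["quick"] = True
        elif w in ("on", "proto", "flags", "with"): r["iface" if w == "on" else w] = t[i + 1]; i += 1
        elif w in ("from", "to"): r["src" if w == "from" else "dst"] = t[i + 1]; i += 1
        elif w == "port": r["port"] = int(PORTS.get(t[i + 2], t[i + 2])); i += 2  # "port = N"
        elif w in ("head", "group"): r[w] = int(t[i + 1]); i += 1
        elif w not in ("log", "all", "keep", "state") and not w.startswith("return-"):
            raise ValueError(f"unsupported keyword {w!r} in: {line}")
        i += 1
    return r


def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def flags_match(spec, pkt_flags):
    """ipf 'S/SA': of the flags in the mask (S and A), exactly S must be set."""
    want, _, mask = spec.partition("/")
    return {f for f in pkt_flags if f in (mask or want)} == set(want)


def matches(r, p):
    return (r["dir"] == p["dir"]
            and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and (r["port"] is None or r["port"] == p["dport"])
            and (r["flags"] is None or flags_match(r["flags"], p["flags"]))
            and (r["with"] is None or r["with"] in p["with"]))


def evaluate(rules, pkt):
    """Return (action, text of the rule that decided).  No match at all means the
    kernel default, assumed here to be pass (no IPFILTER_DEFAULT_BLOCK)."""
    decided = None

    def walk(group):
        nonlocal decided
        for r in rules:
            if r["group"] != group or not matches(r, pkt):
                continue
            decided = r                                   # last match so far
            if r["quick"] or (r["head"] is not None and walk(r["head"])):
                return True                               # a quick rule ended evaluation
        return False                                      # caller continues after the head rule

    walk(0)
    return (decided["action"], decided["text"]) if decided else ("pass", "kernel default")


def packet(direction, iface, proto, src, dst, dport=None, flags="", with_=()):
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "flags": flags, "with": with_}


# Bradford's ruleset as posted; 203.0.113.10 is an assumed stand-in for "my.ip.address".
RULESET = """\
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on vr0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 203.0.113.10/32 group 100
block in on vr0 from any to any head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.254.50/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = pop3 keep state group 200
pass in quick proto tcp from any to any port = smtp keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""
RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

if __name__ == "__main__":
    ME, THEM, LAN = "203.0.113.10", "198.51.100.7", "192.168.254.50"   # constructed addresses
    for label, p in (("ssh SYN from outside", packet("in", "vr0", "tcp", THEM, ME, 22, "S")),
                     ("ssh SYN from the 'blocked' host", packet("in", "vr0", "tcp", LAN, ME, 22, "S")),
                     ("udp/53 from outside", packet("in", "vr0", "udp", THEM, ME, 53))):
        print(f"{label}: {evaluate(RULES, p)}")
```

The second case is Erik's point 3 made concrete: the SYN from 192.168.254.50 matches the non-quick block rule in group 200, but the later quick pass for port 22 overrides it, so that block line never does anything. The evaluator also shows that an SSH SYN from outside is passed by the port 22 rule, so whatever is hanging Bradford's session after the username prompt is not this first packet; Erik's suggestions to log every rule and sniff the interface are the right next step.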
Re: IP Filter problems on 4.11-STABLE
Erik Norgaard wrote:
> B H wrote:
>>> You have nat?
>> Yes, and it's working.
>>> are you routing traffic?
>> Yes.
>>> from where to where are you trying to connect,
>> From the outside and in.
>
> From outside and in means from somewhere on the internet to the external interface on our fw? or to a natted server inside?

To the fw, trying to ssh in and telnetting to the popserver.

> The outside ip is not in the range 82.182.0.0/16? you have blocked everything from that address space, first in-rule.

Yes I know. That is a bunch of ms-dos boxes running all kinds of diseases.

Well, I reverted to 4.10-RELEASE-p22 and now all is well.

> Erik

Bernt
IP Filter problems on 4.11-STABLE
Hello!

I upgraded a machine about a week ago from 4.10-p19, I believe it was. Now IPFilter does not work or is VERY slow; ssh, web and mail time out. NAT is working like it should.

  # dmesg | grep 'IP Filter'
  IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled

ipf.rules looks like this:

  # Let clients behind the firewall send out to the internet, and replies to
  # come back in by keeping state.
  pass out quick on fxp0 proto tcp all keep state
  pass out quick on fxp0 proto udp all keep state
  pass out quick on fxp0 proto icmp all keep state

  # Since nothing should be coming from these address ranges, block them
  block in log quick on fxp0 from 82.182.0.0/16 to any
  block in quick on fxp0 from 192.168.0.0/16 to any
  block in quick on fxp0 from 172.16.0.0/12 to any
  block in quick on fxp0 from 10.0.0.0/8 to any
  block in quick on fxp0 from 127.0.0.0/8 to any
  block in quick on fxp0 from 192.0.2.0/24 to any
  block in log quick on fxp0 from any to 10.0.0.0/32
  block in log quick on fxp0 from any to 10.0.0.255/32
Re: IP Filter problems on 4.11-STABLE
B H wrote:
> Now IPFilter does not work or is VERY slow; ssh, web and mail time out. NAT is working like it should.
>
>   # dmesg | grep 'IP Filter'
>   IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>
> ipf.rules looks like this:
>
>   # Let clients behind the firewall send out to the internet, and replies to
>   # come back in by keeping state.
>   pass out quick on fxp0 proto tcp all keep state
>   pass out quick on fxp0 proto udp all keep state
>   pass out quick on fxp0 proto icmp all keep state
>
>   # Since nothing should be coming from these address ranges, block them
>   block in log quick on fxp0 from 82.182.0.0/16 to any
>   block in quick on fxp0 from 192.168.0.0/16 to any
>   block in quick on fxp0 from 172.16.0.0/12 to any
>   block in quick on fxp0 from 10.0.0.0/8 to any
>   block in quick on fxp0 from 127.0.0.0/8 to any
>   block in quick on fxp0 from 192.0.2.0/24 to any
>   block in log quick on fxp0 from any to 10.0.0.0/32
>   block in log quick on fxp0 from any to 10.0.0.255/32

1st: the last two rules have no effect at all, packets are caught in the 4th in-rule.

You have nat? are you routing traffic? what is your network config (ifconfig)? from where to where are you trying to connect, from the box and out?

Have you tried to sniff on the interface to see what traffic is coming in and going out?

ipfilter not working is good (I mean it is easier to track down), ipfilter being slow is really difficult to debug.

Erik
-- 
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Re: IP Filter problems on 4.11-STABLE
Erik Norgaard skrev:
> B H wrote:
>> Now IPFilter does not work or is VERY slow; ssh, web and mail time out. NAT is working like it should.
>>
>>   # dmesg | grep 'IP Filter'
>>   IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>>
>> ipf.rules looks like this:
>>
>>   # Let clients behind the firewall send out to the internet, and replies to
>>   # come back in by keeping state.
>>   pass out quick on fxp0 proto tcp all keep state
>>   pass out quick on fxp0 proto udp all keep state
>>   pass out quick on fxp0 proto icmp all keep state
>>
>>   # Since nothing should be coming from these address ranges, block them
>>   block in log quick on fxp0 from 82.182.0.0/16 to any
>>   block in quick on fxp0 from 192.168.0.0/16 to any
>>   block in quick on fxp0 from 172.16.0.0/12 to any
>>   block in quick on fxp0 from 10.0.0.0/8 to any
>>   block in quick on fxp0 from 127.0.0.0/8 to any
>>   block in quick on fxp0 from 192.0.2.0/24 to any
>>   block in log quick on fxp0 from any to 10.0.0.0/32
>>   block in log quick on fxp0 from any to 10.0.0.255/32
>
> 1st: the last two rules have no effect at all, packets are caught in the 4th in-rule.

Yes, I see that now.

> You have nat?

Yes, and it's working.

> are you routing traffic?

Yes.

> what is your network config (ifconfig)?

  # ifconfig
  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 10.0.0.1 netmask 0xff00 broadcast 10.255.255.255
          inet6 fe80::210:a7ff:fe0e:2ad9%rl0 prefixlen 64 scopeid 0x1
          ether 00:10:a7:0e:2a:d9
          media: Ethernet autoselect (100baseTX <full-duplex>)
          status: active
  fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 1.2.3.4 netmask 0xff00 broadcast 1.2.3.255
          inet6 fe80::230:6eff:fe06:6990%fxp0 prefixlen 64 scopeid 0x2
          ether 00:30:6e:06:69:90
          media: Ethernet autoselect (100baseTX <full-duplex>)
          status: active
  lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
          inet 127.0.0.1 netmask 0xff00
  ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
  sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
  faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

> from where to where are you trying to connect,

From the outside and in.

> Have you tried to sniff on the interface to see what traffic is coming in and going out?

No.

> ipfilter not working is good (I mean it is easier to track down), ipfilter being slow is really difficult to debug.
>
> Erik

BH
Re: IP Filter problems on 4.11-STABLE
B H wrote:
>> You have nat?
> Yes, and it's working.
>> are you routing traffic?
> Yes.
>> from where to where are you trying to connect,
> From the outside and in.

From outside and in means from somewhere on the internet to the external interface on our fw? or to a natted server inside?

The outside ip is not in the range 82.182.0.0/16? you have blocked everything from that address space, first in-rule.

Erik
-- 
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
RE: IP Filter problems on 4.11-STABLE
Your firewall rules are pretty much useless. Your default is to pass everything that does not match a rule. So other than those block rules, everything is allowed out and in. This means your slowness problem has nothing to do with your firewall. Read the handbook for the ipfilter sample rule set if you want a meaningful firewall.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of B H
Sent: Wednesday, March 29, 2006 4:06 AM
To: [EMAIL PROTECTED] ORG
Subject: IP Filter problems on 4.11-STABLE

> Hello!
>
> I upgraded a machine about a week ago from 4.10-p19, I believe it was. Now IPFilter does not work or is VERY slow; ssh, web and mail time out. NAT is working like it should.
>
>   # dmesg | grep 'IP Filter'
>   IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>
> ipf.rules looks like this:
>
>   # Let clients behind the firewall send out to the internet, and replies to
>   # come back in by keeping state.
>   pass out quick on fxp0 proto tcp all keep state
>   pass out quick on fxp0 proto udp all keep state
>   pass out quick on fxp0 proto icmp all keep state
>
>   # Since nothing should be coming from these address ranges, block them
>   block in log quick on fxp0 from 82.182.0.0/16 to any
>   block in quick on fxp0 from 192.168.0.0/16 to any
>   block in quick on fxp0 from 172.16.0.0/12 to any
>   block in quick on fxp0 from 10.0.0.0/8 to any
>   block in quick on fxp0 from 127.0.0.0/8 to any
>   block in quick on fxp0 from 192.0.2.0/24 to any
>   block in log quick on fxp0 from any to 10.0.0.0/32
>   block in log quick on fxp0 from any to 10.0.0.255/32
Re: IP Filter problems on 4.11-STABLE
Erik Norgaard skrev:
> B H wrote:
> From outside and in means from somewhere on the internet to the external interface on our fw?

Yes.

> or to a natted server inside?

No.

> The outside ip is not in the range 82.182.0.0/16? you have blocked everything from that address space, first in-rule.

No, it's not in the 82 range.

> Erik
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
>> Start over with a clean /usr/src and /usr/obj tree and read the file ``/usr/src/UPDATING'' for instructions about upgrading from source.
>
> Dear Erik and Giorgos,
>
> Thanks a lot for your assistance! I just cvsuped one hour ago, built/installed kernel/world and now everything is working just fine! I probably had bad luck during the first cvsup...
>
> One last question (just for curiosity). What is the procedure for _upgrading_ ipf? I mean, since ipf is already included in the base (v4.1.8), is it possible to upgrade it to v4.1.10?

The ipf source is, as I understand it, compiled as kernel modules or into the kernel, and some administrative applications are compiled to interact with the kernel. Hence, as mentioned by Giorgos, upgrading by downloading the source from the official site should be done with care. The recommended way is, as Giorgos says, to update your source and go with the current version included in FreeBSD.

When I suggested looking at more recent versions it was more to check the history and see if there was some bug discovered in 4.1.8 that had been corrected and could have been causing your troubles. If there are such bugs you should file a problem report. If changes are minor it may be possible to merge the newer version into the FreeBSD code, but at the cost that on the next cvsup you will have to do it again unless the newer version has been adopted.

If there are no such problems, don't bother to update. In such a crucial part of the system it is important to be aware of the actual benefit from upgrading.

Cheers, Erik
-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
>> 1) Other udp services, are responses also blocked? You can for example try ntp. If so, then it is likely a bug in ip-filter.
>
> Yes. Same for other udp (I tested with ntp). The symptoms are the same - there is a hit on a rule allowing outgoing ntp, but then the reply is blocked.

It should be possible to capture on the interface in promiscuous mode. (I recall an article on SecurityFocus considering this as a security hole as it actually allows you to circumvent the firewall.)

Cheers, Erik
Re: Help with IP Filter 4.1.8
On 2006-03-10 09:44, Roman Serbski [EMAIL PROTECTED] wrote:
>> 3) try to see if you can upgrade to a newer ipfilter, latest is v4.1.10
>
> I will try that, although I have faced a problem while upgrading to v4.1.10. According to the ipf docs (INSTALL.FreeBSD):
>
> To build a kernel with the IP filter, follow these steps:
>
>   make freebsd5 - went successfully
>   make install-bsd - went successfully
>   FreeBSD/kinstall - generated a patch error about the conf.c file not being found...

Here's your problem then. This is *NOT* the way to install IP Filter on a FreeBSD system. You should only upgrade parts of the base system using the process documented and recommended in ``/usr/src/UPDATING''.

Start over with a clean /usr/src and /usr/obj tree and read the file ``/usr/src/UPDATING'' for instructions about upgrading from source.

- Giorgos
Re: Help with IP Filter 4.1.8
On 3/10/06, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> Here's your problem then. This is *NOT* the way to install IP Filter on a FreeBSD system. You should only upgrade parts of the base system using the process documented and recommended in ``/usr/src/UPDATING''.
>
> Start over with a clean /usr/src and /usr/obj tree and read the file ``/usr/src/UPDATING'' for instructions about upgrading from source.

Dear Erik and Giorgos,

Thanks a lot for your assistance! I just cvsuped one hour ago, built/installed kernel/world and now everything is working just fine! I probably had bad luck during the first cvsup...

One last question (just for curiosity). What is the procedure for _upgrading_ ipf? I mean, since ipf is already included in the base (v4.1.8), is it possible to upgrade it to v4.1.10?

Thank you once again and have a nice day!
Re: Help with IP Filter 4.1.8
Hello Erik. Thank you for your help.

> Ok, here are some things to try:
>
> 1) Other udp services, are responses also blocked? You can for example try ntp. If so, then it is likely a bug in ip-filter.

Yes. Same for other udp (I tested with ntp). The symptoms are the same - there is a hit on a rule allowing outgoing ntp, but then the reply is blocked.

> 2) Try using snort or tcpdump to capture the blocked packet and analyse if it is malformed. Possibly include such a packet with your next post.

I can collect tcpdump data only if I disable ipf or configure it to 'pass in/out all'. If I turn on my ruleset I don't see any data from tcpdump. Running 'tcpdump -vvv -i xl0' generates a message that tcpdump is listening on xl0 but no data is captured...

> 3) try to see if you can upgrade to a newer ipfilter, latest is v4.1.10

I will try that, although I have faced a problem while upgrading to v4.1.10. According to the ipf docs (INSTALL.FreeBSD):

To build a kernel with the IP filter, follow these steps:

  make freebsd5 - went successfully
  make install-bsd - went successfully
  FreeBSD/kinstall - generated a patch error about the conf.c file not being found...

Thank you.
Roman
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
> My ruleset consists of only 6 rules:
>
>   pass out quick on lo0 from any to any
>   pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
>   pass out quick on xl0 proto udp from any to any port = domain keep state
>   block out log quick on xl0 all
>   pass in quick on lo0 from any to any
>   block in quick on xl0 all

Your rules look ok, this is a strange problem.

> The rule # 2 which was blocking the reply from the DNS server is 'block in quick on xl0 all'. Adding the 'log' keyword to the rule allowing outgoing 53/udp gives the following:
>
>   xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT
>
> So outgoing 53/udp was successfully passed through, but the incoming reply was blocked again:
>
>   xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad
>
> Yes, I also tried another DNS server - same results. Ok, I think this is more of an ipf issue, so I'll try to ask for assistance on the ipf mailing list. I was just wondering if someone else has faced a similar problem during the upgrade from ipf v3.4.35 to v4.1.8.

Ok, here are some things to try:

1) Other udp services, are responses also blocked? You can for example try ntp. If so, then it is likely a bug in ip-filter. else,

2) Try using snort or tcpdump to capture the blocked packet and analyse if it is malformed. Possibly include such a packet with your next post. else

3) try to see if you can upgrade to a newer ipfilter, latest is v4.1.10

Cheers, Erik
-- 
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Re: Help with IP Filter 4.1.8
On 2/26/06, Donald J. O'Neill [EMAIL PROTECTED] wrote:
> I don't see anything in the OP's message that requires kernel debugging. Just some advice that he should check to see what changes have been made to ipf v4.1.8 as compared to v3.4.35 and how they affect rules.

Thank you Don. Exactly. I can only guess that there were some changes in ipf, and I was not able to track what was actually changed in order to adjust my v3.4.XX ruleset to v4.1.8.

Regards,
Roman
Re: Help with IP Filter 4.1.8
On 2/27/06, Erik Nørgaard [EMAIL PROTECTED] wrote:
> Could you change your last rule to this:
> block in log quick on xl0 all
> and then tell what you see in the log. This would give some information if any traffic is blocked in the first place. Actually, adding the log keyword to all rules for the xl0 interface might be a good idea for debugging. Also, is this the complete ruleset or did you remove rules you thought were irrelevant? If so, then post the whole ruleset.

Thank you. I removed 'flags' as was suggested by Giorgos Keramidas but it didn't help.

This is not the complete ruleset, I mean there are a lot of other rules, but I removed everything to be sure and left only outgoing 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with ipf v3.4.35 (336) and it worked well.

Adding the 'log' keyword produced the following record:

xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad

where XXX is the IP address of the DNS server of my ISP, and YYY is the server I'm running ipf on. There was a hit on the rule allowing outgoing 53/udp and it seems like the response from the DNS server was blocked. The outgoing port number returned by YYY is always changing - on a second run it was 51212.

Of course I can allow incoming connections to ports > 1024, but I really would like to understand why it was working with ipf v3.4.35 and not with v4.1.8.

Once again, thank you all for your help.
Re: Help with IP Filter 4.1.8
On 2006-02-27 18:48, Roman Serbski [EMAIL PROTECTED] wrote:
> On 2/27/06, Erik Nørgaard [EMAIL PROTECTED] wrote:
> > Could you change your last rule to this:
> > block in log quick on xl0 all
> > and then tell what you see in the log. This would give some information if any traffic is blocked in the first place. Actually, adding the log keyword to all rules for the xl0 interface might be a good idea for debugging. Also, is this the complete ruleset or did you remove rules you thought were irrelevant? If so, then post the whole ruleset.
>
> Thank you. I removed 'flags' as was suggested by Giorgos Keramidas but it didn't help.
>
> This is not the complete ruleset, I mean there are a lot of other rules, but I removed everything to be sure and left only outgoing 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with ipf v3.4.35 (336) and it worked well.
>
> Adding the 'log' keyword produced the following record:
>
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad
>
> where XXX is the IP address of the DNS server of my ISP, and YYY is the server I'm running ipf on. There was a hit on the rule allowing outgoing 53/udp and it seems like the response from the DNS server was blocked. The outgoing port number returned by YYY is always changing - on a second run it was 51212.
>
> Of course I can allow incoming connections to ports > 1024, but I really would like to understand why it was working with ipf v3.4.35 and not with v4.1.8.
>
> Once again, thank you all for your help.

It looks like the stateful rule didn't succeed in creating a state for the outgoing UDP packet:

    pass out quick on lo0 from any to any
    pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
=>  pass out quick on xl0 proto udp from any to any port = domain keep state
    block out log quick on xl0 all

I'm not sure why this would happen though.
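Giorgos's reading above ('the stateful rule didn't succeed in creating a state') can be checked against a model of what ipf does with each packet: the state table is consulted first, then the rules for the packet's direction are scanned in order, a `quick` match ends the scan (otherwise the last match wins), and a passing `keep state` rule records the flow so the reply is accepted without ever reaching `block in quick on xl0 all`. The Python script below is an added example written for this page; it is not IP Filter's code and not anything Roman or Giorgos posted. It models only the rule syntax used in Roman's six rules plus `port > N`, ignores the addresses after `from`/`to`, has no state timeouts, and numbers rule hits within the in and out lists the way ipmon's `@group:rule` does. The host addresses are the masked placeholders from Roman's log lines; the `ZZZ.ZZZ.ZZZ.ZZZ` sender and the `port > 1024` rule are assumptions added to show the two situations the thread touches on: a reply with no matching state falls through to the block rule, and the 'allow incoming to ports > 1024' workaround accepts unsolicited packets from anyone.

```python
"""Toy model of how IP Filter decides a packet: state table first, then an
ordered scan of the rules for the packet's direction ('quick' ends the scan,
otherwise the last match wins), and 'keep state' on a passing rule records the
flow. Added example, not IP Filter's code; only the syntax used in the thread."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SERVICES = {"domain": 53, "ntp": 123}   # service names accepted after 'port'

# direction is "in" or "out"; addresses are plain strings
Packet = namedtuple("Packet", "direction iface proto src sport dst dport")


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    iface: str = ""
    proto: str = "any"
    dport: Optional[int] = None       # 'port = N' on the 'to' side
    dport_min: Optional[int] = None   # 'port > N' on the 'to' side
    quick: bool = False
    keep_state: bool = False
    text: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in ("any", p.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.dport_min is None or p.dport > self.dport_min))


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.rules syntax used on this page."""
    t = text.split()
    r, i = Rule(action=t[0], direction=t[1], text=text), 2
    while i < len(t):
        tok = t[i]
        if tok in ("quick", "log", "all"):        # 'all' is 'from any to any'
            r.quick, i = r.quick or tok == "quick", i + 1
        elif tok in ("on", "proto", "from", "to", "flags"):
            if tok == "on":
                r.iface = t[i + 1]
            elif tok == "proto":
                r.proto = t[i + 1]
            i += 2                                # from/to addresses, TCP flags skipped
        elif tok == "port" and t[i + 1] in ("=", ">"):
            num = SERVICES.get(t[i + 2]) or int(t[i + 2])
            if t[i + 1] == "=":
                r.dport = num
            else:
                r.dport_min = num
            i += 3
        elif tok == "keep" and t[i + 1] == "state":
            r.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    return r


class Filter:
    def __init__(self, rules: List[Rule], default: str = "pass"):
        self.rules, self.default = rules, default   # 'ipf -V' reported 'Default: pass all'
        self.state: Set[Tuple] = set()              # flows recorded by 'keep state'

    def check(self, p: Packet) -> Tuple[str, str]:
        """Return (decision, label). label is '@0:N' with N counted within the
        in or out list, as ipmon reports it; 'state' for a state-table hit."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            return "pass", "state"                  # never reaches the rule list
        decision, label, winner, n = self.default, "default", None, 0
        for r in self.rules:
            if r.direction != p.direction:
                continue
            n += 1
            if r.matches(p):
                decision, label, winner = r.action, f"@0:{n}", r
                if r.quick:                         # otherwise the last match wins
                    break
        if winner is not None and decision == "pass" and winner.keep_state:
            self.state.add(key)                     # forward and reverse flow
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return decision, label


RULESET = [  # Roman's six rules
    "pass out quick on lo0 from any to any",
    "pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state",
    "pass out quick on xl0 proto udp from any to any port = domain keep state",
    "block out log quick on xl0 all",
    "pass in quick on lo0 from any to any",
    "block in quick on xl0 all",
]


def dns_exchange(rules: List[str], reply_src: str = "XXX.XXX.XXX.XXX"):
    """One DNS query out of xl0, then a reply from reply_src. The placeholder
    addresses are the masked ones from the thread's log lines."""
    f = Filter([parse_rule(r) for r in rules])
    query = Packet("out", "xl0", "udp", "YYY.YYY.YYY.YYY", 50359, "XXX.XXX.XXX.XXX", 53)
    reply = Packet("in", "xl0", "udp", reply_src, 53, "YYY.YYY.YYY.YYY", 50359)
    return f.check(query), f.check(reply)


if __name__ == "__main__":
    print("reply from the queried server:", dns_exchange(RULESET))
    print("reply from some other host:   ", dns_exchange(RULESET, "ZZZ.ZZZ.ZZZ.ZZZ"))
    hole = RULESET[:5] + ["pass in quick on xl0 proto udp from any to any port > 1024"] + RULESET[5:]
    print("with a 'port > 1024' hole:    ", dns_exchange(hole, "ZZZ.ZZZ.ZZZ.ZZZ"))
```

Run as-is it prints `('pass', '@0:3')` for the query and `('pass', 'state')` for the reply, matching the `@0:3 p ... K-S OUT` line Roman logged; a reply from an address that is not in the state table lands on `('block', '@0:2')`, which is the line he saw. The `port > 1024` variant passes that unsolicited packet too, which is the cost of the workaround he mentions. What the model cannot reproduce is a packet that matches the state entry and is still blocked, so on the real system the `bad` flag on the blocked reply is the more useful clue than the rule number.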
Re: Help with IP Filter 4.1.8
On 2006-02-27 16:50, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> It looks like the stateful rule didn't succeed in creating a state for the outgoing UDP packet:
>
>     pass out quick on lo0 from any to any
>     pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> =>  pass out quick on xl0 proto udp from any to any port = domain keep state
>     block out log quick on xl0 all
>
> I'm not sure why this would happen though.

One reason why this could fail is that the xl0 interface is not part of the route to your ISP's DNS servers. How many interfaces does the system have? Is xl0 in the path to your ISP's router?
Re: Help with IP Filter 4.1.8
On 2/27/06, Giorgos Keramidas [EMAIL PROTECTED] wrote:
> One reason why this could fail is that the xl0 interface is not part of the route to your ISP's DNS servers. How many interfaces does the system have? Is xl0 in the path to your ISP's router?

There are two interfaces - xl0 and xl1, with no cable connected to xl1. gateway_enable is not defined in rc.conf so it is off. I can successfully access the ISP's DNS both if I disable ipf or configure ipf to 'pass in all'.
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
> Adding the 'log' keyword produced the following record:
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad

Read this line: it tells you where the packet is blocked. IIRC @0:2 means group 0 (you don't use groups) and 2 should be the second rule. If you list the ruleset with ipfstat -n that should give you the rules with the same labeling.

Also, add the log keyword to your outgoing rule, to see that it is actually there that the decision is made. You could have some default pass that does not create the state.

I know that you've checked and rechecked - but it is really helpful for us to have the whole ruleset. If you like, change your IPs to x.x.x.x (but keep different IPs different).

Cheers, Erik
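Erik's advice above (read `@0:2` as group 0, rule 2, and compare with `ipfstat -n`) is worth automating, because the number counts rules within the in list and the out list separately, as Roman's own lines show (`@0:3 ... OUT` is the third out rule, `@0:2 ... IN` the second in rule), and the leading column of the `ipfstat -oh`/`-ih` output quoted in the original post is a hit count, not a rule number. The following Python script is an added example, not part of the thread and not IP Filter's ipmon; it parses ipmon packet lines of the shape quoted here, resolves the rule reference against the posted ruleset, and lists the flags ipmon appended (`K-S` on the passed query, `bad` on the blocked reply). The sample lines are Roman's two log entries with the `->` that the archive dropped put back; the rule-number convention (1-based, group 0, counted per direction) is inferred from those two lines, and rulesets that use `head`/`group` are not handled.

```python
"""Parse ipmon packet-log lines like the ones quoted in this thread and map
'@group:rule' back to the rule text. Added example, not ipmon's code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: Roman's two lines with '->' restored and the masked
# addresses kept as he posted them.
SAMPLE_LOG = [
    "xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT",
    "xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad",
]

RULESET = [  # Roman's six rules, in ipf.rules (load) order
    "pass out quick on lo0 from any to any",
    "pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state",
    "pass out quick on xl0 proto udp from any to any port = domain keep state",
    "block out log quick on xl0 all",
    "pass in quick on lo0 from any to any",
    "block in quick on xl0 all",
]

# iface @group:rule action src,sport -> dst,dport PR proto len hlen plen <flags/dir>
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\d+)\s+-+>?\s+(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s*(?P<rest>.*)$"
)


def parse_ipmon_line(line: str) -> Dict:
    """Split one ipmon line into fields. Everything after the two lengths is
    flags plus the IN/OUT marker: in the quoted lines K-S comes before the
    direction and 'bad' after it, so both positions are accepted."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipmon packet line: {line!r}")
    d = m.groupdict()
    tokens = d.pop("rest").split()
    dirs = [t for t in tokens if t in ("IN", "OUT")]
    if len(dirs) != 1:
        raise ValueError(f"no single IN/OUT marker in {line!r}")
    d["dir"] = dirs[0]
    d["flags"] = [t for t in tokens if t not in ("IN", "OUT")]
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        d[k] = int(d[k])
    d["blocked"] = d["action"].startswith("b")   # 'b' block, 'p' pass
    return d


def resolve_rule(entry: Dict, ruleset: List[str]) -> Optional[str]:
    """Map @0:N to the N-th rule of the in or out list (1-based, as the
    thread's own @0:3/OUT and @0:2/IN lines show). Groups are not handled."""
    if entry["group"] != 0:
        return None
    want = "in" if entry["dir"] == "IN" else "out"
    per_dir = [r for r in ruleset if r.split()[1] == want]
    n = entry["rule"]
    return per_dir[n - 1] if 1 <= n <= len(per_dir) else None


def triage(lines: List[str], ruleset: List[str]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (verdict, deciding rule text, ipmon flags) for each log line."""
    out = []
    for line in lines:
        e = parse_ipmon_line(line)
        verdict = (f"{'BLOCK' if e['blocked'] else 'PASS'} {e['dir']} {e['proto']} "
                   f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
        out.append((verdict, resolve_rule(e, ruleset), e["flags"]))
    return out


if __name__ == "__main__":
    for verdict, rule, flags in triage(SAMPLE_LOG, RULESET):
        print(verdict, "| rule:", rule, "| flags:", flags)
```

On the two quoted lines this reports the udp `keep state` rule with flag `K-S` for the query and `block in quick on xl0 all` with flag `bad` for the reply, which is the picture Erik asks Roman to confirm. Feed it the lines from a real ipmon log and the rules in the order they were loaded, and it saves the off-by-one and in/out mix-ups that come from counting rules by hand.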
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad

Just looking again at this line, see at the end? "bad" could mean that the response is malformed and therefore discarded. It could be that ipf is less tolerant in the newer version. Try to use a different name server.

Cheers, Erik
Re: Help with IP Filter 4.1.8
On 2/27/06, Erik Norgaard [EMAIL PROTECTED] wrote:
> Read this line: it tells you where the packet is blocked. IIRC @0:2 means group 0 (you don't use groups) and 2 should be the second rule. If you list the ruleset with ipfstat -n that should give you the rules with the same labeling.
>
> Also, add the log keyword to your outgoing rule, to see that it is actually there that the decision is made. You could have some default pass that does not create the state.
>
> I know that you've checked and rechecked - but it is really helpful for us to have the whole ruleset. If you like, change your IPs to x.x.x.x (but keep different IPs different).

Hello Erik,

My ruleset consists of only 6 rules:

pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in quick on xl0 all

The rule # 2 which was blocking the reply from the DNS server is 'block in quick on xl0 all'. Adding the 'log' keyword to the rule allowing outgoing 53/udp gives the following:

xl0 @0:3 p YYY.YYY.YYY.YYY,50359 -> XXX.XXX.XXX.XXX,53 PR udp len 20 57 K-S OUT

So outgoing 53/udp was successfully passed through, but the incoming reply was blocked again:

xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,50359 PR udp len 20 298 IN bad

Yes, I also tried another DNS server - same results.

I think this is more an ipf issue, so I'll try to ask for assistance on the ipf mailing list, I was just thinking if someone else has faced a similar problem during the upgrade from ipf v3.4.35 to v4.1.8.

Thank you.
Help with IP Filter 4.1.8
Hi all,

I am having a problem with ipf after a recent upgrade to 6.1-PRERELEASE. Any help would be greatly appreciated.

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa

I am trying to allow outgoing dns requests from my server to the DNS server of my ISP. Here is my ruleset:

ipfstat -oh
0 pass out quick on lo0 from any to any
0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
1 pass out quick on xl0 proto udp from any to any port = domain keep state
0 block out log quick on xl0 all

ipfstat -ih
0 pass in quick on lo0 from any to any
0 block in quick on xl0 all

I tried `host www.google.com` and the connection timed out, although there was a hit on the rule allowing 53/udp. The interesting thing is that there is another server running 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and everything is working just fine.

Thank you for your time.
RE: Help with IP Filter 4.1.8
Since you say the same ipf rules work on your 5.3 system and you are trying to run them on 6.1-PRERELEASE, I would say the problem is 6.1-PRERELEASE. Prerelease versions and RC versions are not intended for public use. They are versions for people who know how to debug kernel code and help the developers test new versions. It does not look like you know how to debug kernel code or you would not be asking this question. You should be using 6.0 as that's the current production version. If you still have this problem on 6.0 then repost your question.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roman Serbski
Sent: Sunday, February 26, 2006 10:16 AM
To: freebsd-questions@freebsd.org
Subject: Help with IP Filter 4.1.8

Hi all,

I am having a problem with ipf after a recent upgrade to 6.1-PRERELEASE. Any help would be greatly appreciated.

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa

I am trying to allow outgoing dns requests from my server to the DNS server of my ISP. Here is my ruleset:

ipfstat -oh
0 pass out quick on lo0 from any to any
0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
1 pass out quick on xl0 proto udp from any to any port = domain keep state
0 block out log quick on xl0 all

ipfstat -ih
0 pass in quick on lo0 from any to any
0 block in quick on xl0 all

I tried `host www.google.com` and the connection timed out, although there was a hit on the rule allowing 53/udp. The interesting thing is that there is another server running 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and everything is working just fine.

Thank you for your time.
Re: Help with IP Filter 4.1.8
On Sunday 26 February 2006 11:19, fbsd_user wrote:
> Since you say the same ipf rules work on your 5.3 system and you are trying to run them on 6.1-PRERELEASE, I would say the problem is 6.1-PRERELEASE. Prerelease versions and RC versions are not intended for public use. They are versions for people who know how to debug kernel code and help the developers test new versions. It does not look like you know how to debug kernel code or you would not be asking this question. You should be using 6.0 as that's the current production version. If you still have this problem on 6.0 then repost your question.
>
> > Hi all,
> >
> > I am having a problem with ipf after a recent upgrade to 6.1-PRERELEASE. Any help would be greatly appreciated.
> >
> > ipf: IP Filter: v4.1.8 (416)
> > Kernel: IP Filter: v4.1.8
> > Running: yes
> > Log Flags: 0 = none set
> > Default: pass all, Logging: available
> > Active list: 0
> > Feature mask: 0xa
> >
> > I am trying to allow outgoing dns requests from my server to the DNS server of my ISP. Here is my ruleset:
> >
> > ipfstat -oh
> > 0 pass out quick on lo0 from any to any
> > 0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> > 1 pass out quick on xl0 proto udp from any to any port = domain keep state
> > 0 block out log quick on xl0 all
> >
> > ipfstat -ih
> > 0 pass in quick on lo0 from any to any
> > 0 block in quick on xl0 all
> >
> > I tried `host www.google.com` and the connection timed out, although there was a hit on the rule allowing 53/udp. The interesting thing is that there is another server running 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and everything is working just fine.
> >
> > Thank you for your time.

If you're not going to give any better advice than this, why did you give it at all? I don't see anything in the OP's message that requires kernel debugging. Just some advice that he should check to see what changes have been made to ipf v4.1.8 as compared to v3.4.35 and how they affect rules.

Don
Re: Help with IP Filter 4.1.8
Roman Serbski wrote:
> Hi all,
>
> I am having a problem with ipf after a recent upgrade to 6.1-PRERELEASE. Any help would be greatly appreciated.
>
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
>
> I am trying to allow outgoing dns requests from my server to the DNS server of my ISP. Here is my ruleset:
>
> ipfstat -oh
> 0 pass out quick on lo0 from any to any
> 0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> 1 pass out quick on xl0 proto udp from any to any port = domain keep state
> 0 block out log quick on xl0 all
>
> ipfstat -ih
> 0 pass in quick on lo0 from any to any
> 0 block in quick on xl0 all

Could you change your last rule to this:

block in log quick on xl0 all

and then tell what you see in the log. This would give some information if any traffic is blocked in the first place. Actually, adding the log keyword to all rules for the xl0 interface might be a good idea for debugging.

Also, is this the complete ruleset or did you remove rules you thought were irrelevant? If so, then post the whole ruleset.

Cheers, Erik
-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: Help with IP Filter 4.1.8
On 2006-02-26 20:15, Roman Serbski [EMAIL PROTECTED] wrote:
> Hi all,
>
> I am having a problem with ipf after a recent upgrade to 6.1-PRERELEASE. Any help would be greatly appreciated.
>
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0xa
>
> I am trying to allow outgoing dns requests from my server to the DNS server of my ISP. Here is my ruleset:
>
> # ipfstat -oh
> 0 pass out quick on lo0 from any to any
> 0 pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
> 1 pass out quick on xl0 proto udp from any to any port = domain keep state
> 0 block out log quick on xl0 all

This part seems ok. I'd probably try without the ``flags S/FSRPAU'' part, but that's relatively harmless.

> # ipfstat -ih
> 0 pass in quick on lo0 from any to any
> 0 block in quick on xl0 all

This part seems a bit paranoid, but relatively ok too.

> I tried `host www.google.com` and the connection timed out, although there was a hit on the rule allowing 53/udp. The interesting thing is that there is another server running 5.3-STABLE with ipf v3.4.35 (336) and it has the same ruleset and everything is working just fine.

When you're having problems with IP Filter rules, it's always a good idea to `log' the blocking rules. Can you try the following two things?

a) Remove the `flags' part of the stateful rule.
b) Add a `log' keyword to the input blocking rule.

The rulesets for these two cases would be:

# Ruleset 1.
pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in quick on xl0 all

# Ruleset 2.
pass out quick on lo0 from any to any
pass out quick on xl0 proto tcp from any to any port = domain keep state
pass out quick on xl0 proto udp from any to any port = domain keep state
block out log quick on xl0 all
pass in quick on lo0 from any to any
block in log quick on xl0 all

When you install the logging final rule, please check your system logs for blocked packets. Then you'll have an idea why something is blocked, what was blocked, etc. Post the ipfilter log messages as a followup to this thread, and we'll try to track down the problem the current ruleset has.

- Giorgos
Re: Help with IP Filter 4.1.8
On 2006-02-26 12:19, fbsd_user [EMAIL PROTECTED] wrote:
> Since you say the same ipf rules work on your 5.3 system and you are trying to run them on 6.1-PRERELEASE, I would say the problem is 6.1-PRERELEASE.

No, that's false.

> Prerelease versions and RC versions are not intended for public use. They are versions for people who know how to debug kernel code and help the developers test new versions.

You are confused. In FreeBSD, prerelease versions come from the HEAD of the STABLE branch. They are as stable as the rest of the RELENG_6 branch.

> It does not look like you know how to debug kernel code or you would not be asking this question.

This is not a problem with kernel code, until we have significant evidence that points in this direction.
IP Filter Issues in 4.11
Dear List,

I just upgraded a couple of my machines from 4.9 release to 4.11 release, and now I am finding some issues with IP Filter. This is the output of ipf -V:

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35

Some of the issues I am having are: before, this set of rules worked fine:

head/group 10
block out log quick on fxp0 all head 10
pass out quick on fxp0 proto tcp from any to any keep state group 10
pass out quick on fxp0 proto udp from any to any keep state group 10
pass out quick on fxp0 proto icmp from any to any keep state group 10

Now in order to be able to make that machine pingable I have to:

pass out quick on fxp0 --

UDP also behaves in a similar way, only TCP works fine. I wonder if somebody has experienced something similar?

Regards
Mario Antonio
Re: IP Filter changes in FreeBSD
On Mon, Feb 07, 2005 at 02:46:50PM -0500, Jim Arnold wrote:
> On Mon, Feb 07, 2005 at 11:08:54AM -0500, Jim Arnold wrote:
> > > If you don't have it in your kernel, the module will be loaded at boot time if it's available. If you don't have the module either, you can't use ipfilter.
> >
> > I must have been using the module with 4.7 stable since I did not have that in the kernel I was running with 4.7. After I upgraded to 4.11 and IPF was not working I edited my kernel config file to uncomment the lines for IPF and then compiled the new kernel. I still don't have an answer why this happened. Was the module taken out of 4.11 or an earlier version of FreeBSD?
>
> No, it's still there as long as you build modules. If you have NO_MODULES in your make.conf, you won't, of course.
>
> Kris
>
> I'm using the same /etc/make.conf file from when I first put this box online in 2002. In that make.conf file the line is commented out:
>
> #NO_MODULES=true    # do not build modules with the kernel
>
> But the question for me is still, how did this work in 4.7 if the above was commented out in my /etc/make.conf file and I did not have these uncommented in my kernel config file when I built my custom kernel for 4.7?

I'd be interested to see if manually loading the module with kldload with the original kernel works. If it does then maybe you're missing something from rc.conf that tells freebsd to load the module. With FreeBSD 5.3, all I need is ipfilter_enable=YES to have it auto-load the module and start ipfilter, but there might be something more for 4.x.

> options IPFILTER
> options IPFILTER_LOG
>
> Thanks,
> Jim

-- 
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
Re: IP Filter changes in FreeBSD
> On Mon, Feb 07, 2005 at 12:24:09AM -0500, Jim Arnold wrote:
> > I updated my firewall that is using IPF. I went from FreeBSD 4.7 stable to 4.11 stable. When using 4.7 stable I only had this in my rc.conf file:
> >
> > ipfilter_enable=YES
> > ipfilter_program=/sbin/ipf
> > ipfilter_rules=/etc/ipf.conf
> > ipfilter_flags=
> >
> > When I went to 4.11 stable I had to uncomment these options in my kernel config file:
> >
> > options IPFILTER
> > options IPFILTER_LOG
> >
> > I'm just curious why it worked without the above options in my kernel for 4.7 and I had to have them in 4.11?
>
> If you don't have it in your kernel, the module will be loaded at boot time if it's available. If you don't have the module either, you can't use ipfilter.

I must have been using the module with 4.7 stable since I did not have that in the kernel I was running with 4.7. After I upgraded to 4.11 and IPF was not working I edited my kernel config file to uncomment the lines for IPF and then compiled the new kernel. I still don't have an answer why this happened. Was the module taken out of 4.11 or an earlier version of FreeBSD? I'm just curious as a learning experience what went on in my situation.

Thanks,
Jim
Re: IP Filter changes in FreeBSD
On Mon, Feb 07, 2005 at 11:08:54AM -0500, Jim Arnold wrote:
> > If you don't have it in your kernel, the module will be loaded at boot time if it's available. If you don't have the module either, you can't use ipfilter.
>
> I must have been using the module with 4.7 stable since I did not have that in the kernel I was running with 4.7. After I upgraded to 4.11 and IPF was not working I edited my kernel config file to uncomment the lines for IPF and then compiled the new kernel. I still don't have an answer why this happened. Was the module taken out of 4.11 or an earlier version of FreeBSD?

No, it's still there as long as you build modules. If you have NO_MODULES in your make.conf, you won't, of course.

Kris
Re: IP Filter changes in FreeBSD
> On Mon, Feb 07, 2005 at 11:08:54AM -0500, Jim Arnold wrote:
> > > If you don't have it in your kernel, the module will be loaded at boot time if it's available. If you don't have the module either, you can't use ipfilter.
> >
> > I must have been using the module with 4.7 stable since I did not have that in the kernel I was running with 4.7. After I upgraded to 4.11 and IPF was not working I edited my kernel config file to uncomment the lines for IPF and then compiled the new kernel. I still don't have an answer why this happened. Was the module taken out of 4.11 or an earlier version of FreeBSD?
>
> No, it's still there as long as you build modules. If you have NO_MODULES in your make.conf, you won't, of course.
>
> Kris

I'm using the same /etc/make.conf file from when I first put this box online in 2002. In that make.conf file the line is commented out:

#NO_MODULES=true    # do not build modules with the kernel

But the question for me is still, how did this work in 4.7 if the above was commented out in my /etc/make.conf file and I did not have these uncommented in my kernel config file when I built my custom kernel for 4.7?

options IPFILTER
options IPFILTER_LOG

Thanks,
Jim
IP Filter changes in FreeBSD
I updated my firewall that is using IPF. I went from FreeBSD 4.7 stable to 4.11 stable. When using 4.7 stable I only had this in my rc.conf file:

ipfilter_enable=YES
ipfilter_program=/sbin/ipf
ipfilter_rules=/etc/ipf.conf
ipfilter_flags=

When I went to 4.11 stable I had to uncomment these options in my kernel config file:

options IPFILTER
options IPFILTER_LOG

I'm just curious why it worked without the above options in my kernel for 4.7 and I had to have them in 4.11?

Thanks,
Jim
Re: IP Filter changes in FreeBSD
On Mon, Feb 07, 2005 at 12:24:09AM -0500, Jim Arnold wrote:
> I updated my firewall that is using IPF. I went from FreeBSD 4.7 stable to 4.11 stable. When using 4.7 stable I only had this in my rc.conf file:
>
> ipfilter_enable=YES
> ipfilter_program=/sbin/ipf
> ipfilter_rules=/etc/ipf.conf
> ipfilter_flags=
>
> When I went to 4.11 stable I had to uncomment these options in my kernel config file:
>
> options IPFILTER
> options IPFILTER_LOG
>
> I'm just curious why it worked without the above options in my kernel for 4.7 and I had to have them in 4.11?

If you don't have it in your kernel, the module will be loaded at boot time if it's available. If you don't have the module either, you can't use ipfilter.

Kris
Re: IP Filter on FreeBSD 5.2.1
On Tue, Sep 07, 2004 at 05:50:59PM -0400, Paul Mather wrote:
> 20030925:
> Configuring a system to use IPFILTER now requires that PFIL_HOOKS also be explicitly configured. Previously this dependency was magically handled through some cruft in net/pfil.h; but that has been removed. Building a kernel with IPFILTER but not PFIL_HOOKS will fail with obtuse errors in ip_fil.c.
>
> (It's a good idea to look in /usr/src/UPDATING before updating your system.)

Fair enough - to a point. I only look for things that apply to my system when reading UPDATING... things that have changed since my last update. In September 2003, I wouldn't have read the ipfilter related stuff, because I wasn't using ipfilter at that time. When I do the update now, I just look for changes since my last update, which won't go back to 2003, so again I won't see that ipfilter entry.

Then I go looking on the web for a HOWTO to install ipfilter on FreeBSD 5.2.1 - which I found, but it didn't mention this. I'm sure someone won't mind including a single line in a howto, because that then turns it into a definitive reference that doesn't require referencing two locations.

Regards,
-- 
Wayne Pascoe (gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
It could be dangerous... A lot of killing... and violence. You wanna come?
Re: IP Filter on FreeBSD 5.2.1
On Wed, 2004-09-08 at 02:12, Wayne Pascoe wrote:
> On Tue, Sep 07, 2004 at 05:50:59PM -0400, Paul Mather wrote:
> > 20030925:
> > Configuring a system to use IPFILTER now requires that PFIL_HOOKS also be explicitly configured. Previously this dependency was magically handled through some cruft in net/pfil.h; but that has been removed. Building a kernel with IPFILTER but not PFIL_HOOKS will fail with obtuse errors in ip_fil.c.
> >
> > (It's a good idea to look in /usr/src/UPDATING before updating your system.)
>
> Fair enough - to a point. I only look for things that apply to my system when reading UPDATING... things that have changed since my last update. In September 2003, I wouldn't have read the ipfilter related stuff, because I wasn't using ipfilter at that time.

But it's always a good rule of thumb that when faced with a kernel/world build failure to go back and take a closer look through UPDATING for something you might have missed. It could be argued that this would also apply if you were enabling a feature (or adding a piece of hardware) not previously used before.

> I'm sure someone won't mind including a single line in a howto, because that then turns it into a definitive reference that doesn't require referencing two locations.

I believe I misunderstood your original posting. I'd thought you were going to apprise the FreeBSD developer responsible for ipfilter that people should be told they needed the PFIL_HOOKS option. From the above, it appears it's the howto author that is the intended recipient. Mea culpa!

The unfortunate thing about definitive references, though, is that when push comes to shove, UPDATING will take precedence. In the case of PFIL_HOOKS, it has vanished as an option under 6.0-CURRENT (though it was present for a while, IIRC)...

Cheers,
Paul.
-- 
e-mail: [EMAIL PROTECTED]
Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid.
--- Frank Vincent Zappa
IP Filter on FreeBSD 5.2.1
Hi all,

I'm trying to get ipfilter working with FreeBSD 5.2.1. I did a cvsup using the tag RELENG_5_2 the night before last. Today I did make world (which succeeded) and then tried to build my kernel. Before doing the make kernel, I edited my kernel configuration file and added the following lines:

# IPFilter stuff
options IPFILTER
options IPFILTER_LOG

I then did make kernel KERNCONF=MYKERNEL

After a while, that dies with the error at the bottom of this message. Can anyone advise me what is going wrong and how I can fix this?

Thanks in advance,

ERROR MESSAGE - LINES LONGER THAN 72 CHARS FOLLOW

cc -c -O -pipe -march=pentiumpro -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/contrib/dev/acpica -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd -I/usr/src/sys/contrib/ngatm -D_KERNEL -include opt_global.h -fno-common -finline-limit=15000 -fno-strict-aliasing -mno-align-long-strings -mpreferred-stack-boundary=2 -ffreestanding -Werror /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `fr_check_wrapper':
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: `PFIL_OUT' undeclared (first use in this function)
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: (Each undeclared identifier is reported only once
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: for each function it appears in.)
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `fr_check_wrapper6':
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:329: error: `PFIL_OUT' undeclared (first use in this function)
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `iplattach':
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:376: warning: unused variable `ph_inet'
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:378: warning: unused variable `ph_inet6'
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: At top level:
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:317: warning: `fr_check_wrapper' defined but not used
/usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:327: warning: `fr_check_wrapper6' defined but not used
*** Error code 1

Stop in /usr/obj/usr/src/sys/WTP.
*** Error code 1

END OF ERROR MESSAGE

-- 
Wayne Pascoe (gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know.
Re: IP Filter on FreeBSD 5.2.1
Hi Wayne,

Wayne Pascoe wrote:
> After a while, that dies with the error at the bottom of this message. Can anyone advise me what is going wrong and how I can fix this?
>
> Thanks in advance,
>
> ERROR MESSAGE - LINES LONGER THAN 72 CHARS FOLLOW
>
> cc -c -O -pipe -march=pentiumpro -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/contrib/dev/acpica -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd -I/usr/src/sys/contrib/ngatm -D_KERNEL -include opt_global.h -fno-common -finline-limit=15000 -fno-strict-aliasing -mno-align-long-strings -mpreferred-stack-boundary=2 -ffreestanding -Werror /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c
> /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `fr_check_wrapper':

I think you missed this option:

options PFIL_HOOKS # pfil(9) framework

in your kernel config file. Try it and see its magic ;)

--
Kind regards,
Remko Lodder | [EMAIL PROTECTED]
Reporter DSINet | [EMAIL PROTECTED]
Projectleader Mostly-Harmless | [EMAIL PROTECTED]
Re: IP Filter on FreeBSD 5.2.1
On Tue, Sep 07, 2004 at 08:07:34PM +0200, Remko Lodder wrote:
> I think you missed this option:
>
> options PFIL_HOOKS # pfil(9) framework
>
> in your kernel config file. Try it and see its magic ;)

Thanks a bunch - that did the trick. I've checked the doc I used to do this, and it wasn't mentioned. I'll submit something to the maintainer tomorrow.

Now I just have to find some useful sample rulesets. It's been about 18 months since I touched ipfilter, and things seem to have changed a little :)

--
Wayne Pascoe (gpg --keyserver www.co.uk.pgp.net --recv-keys 79A7C870)
If there's anything more important than my ego around, I want it caught and shot now!
Re: IP Filter on FreeBSD 5.2.1
On Tuesday 07 September 2004 02:12 pm, Wayne Pascoe wrote:
> On Tue, Sep 07, 2004 at 08:07:34PM +0200, Remko Lodder wrote:
> > I think you missed this option:
> >
> > options PFIL_HOOKS # pfil(9) framework
> >
> > in your kernel config file. Try it and see its magic ;)
>
> Thanks a bunch - that did the trick. I've checked the doc I used to do this, and it wasn't mentioned. I'll submit something to the maintainer tomorrow.

This option has been default in GENERIC for over 7 months, which might be why it's not mentioned. In recent -CURRENT, it's not an option because it's now always compiled into the kernel.

-David

--
+++ Divide By Cucumber Error. Please Reinstall Universe And Reboot. +++
Re: IP Filter on FreeBSD 5.2.1
On Tue, 7 Sep 2004 22:12:23 +0100, Wayne Pascoe [EMAIL PROTECTED] wrote:
> On Tue, Sep 07, 2004 at 08:07:34PM +0200, Remko Lodder wrote:
> > I think you missed this option:
> >
> > options PFIL_HOOKS # pfil(9) framework
> >
> > in your kernel config file. Try it and see its magic ;)
>
> Thanks a bunch - that did the trick. I've checked the doc I used to do this, and it wasn't mentioned. I'll submit something to the maintainer tomorrow.

The maintainer is likely to direct you to this entry in 5.2.1's /usr/src/UPDATING:

20030925:
    Configuring a system to use IPFILTER now requires that PFIL_HOOKS
    also be explicitly configured. Previously this dependency was
    magically handled through some cruft in net/pfil.h; but that has
    been removed. Building a kernel with IPFILTER but not PFIL_HOOKS
    will fail with obtuse errors in ip_fil.c.

(It's a good idea to look in /usr/src/UPDATING before updating your system.)

Cheers,

Paul.

--
e-mail: [EMAIL PROTECTED]
Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid.
--- Frank Vincent Zappa
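A pre-build check for the IPFILTER/PFIL_HOOKS dependency this thread is about, as an added example (not code from any of the posters): it refuses a kernel config that enables IPFILTER without PFIL_HOOKS, so the mistake is caught before "make kernel" fails with the undeclared PFIL_OUT error in ip_fil.c. The two sample configs are constructed here and stand in for a real /usr/src/sys/i386/conf/MYKERNEL.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeBSD 5.x kernel config for
# the IPFILTER -> PFIL_HOOKS dependency recorded in UPDATING 20030925, before
# running "make kernel" and waiting for the `PFIL_OUT' undeclared error.

# has_option FILE OPTION: true if an uncommented "options OPTION" line exists.
# The trailing whitespace/end-of-line alternative keeps IPFILTER from also
# matching IPFILTER_LOG or IPFILTER_DEFAULT_BLOCK.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# check_kernconf FILE: returns 0 if the config is consistent, 1 if it enables
# IPFILTER without PFIL_HOOKS (the combination that broke the 5.2.1 build).
# On 5.x GENERIC already carries PFIL_HOOKS, so only custom configs are at risk.
check_kernconf() {
    if has_option "$1" IPFILTER && ! has_option "$1" PFIL_HOOKS; then
        echo "$1: IPFILTER configured without PFIL_HOOKS; add 'options PFIL_HOOKS' (see /usr/src/UPDATING, entry 20030925)" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs: the first reproduces the thread's mistake,
# the second is the same config with the missing option added.
BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
cat >"$BROKEN_CONF" <<'EOF'
# IPFilter stuff
options IPFILTER
options IPFILTER_LOG
#options PFIL_HOOKS      # commented out, so it must not count as present
EOF
cat >"$FIXED_CONF" <<'EOF'
# IPFilter stuff
options IPFILTER
options IPFILTER_LOG
options PFIL_HOOKS       # pfil(9) framework
EOF

check_kernconf "$BROKEN_CONF" || echo "fix the config before building"
check_kernconf "$FIXED_CONF" && echo "config OK"
```

Run it against the real config file with `check_kernconf /usr/src/sys/i386/conf/MYKERNEL` before building.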
ip filter: already initialized 5.1-RELEASE
Hi all,

I'm trying to get ipfilter set up on my new 5.1-RELEASE box. I think I have everything configured properly. My kernel config looks like:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

My /etc/rc.conf looks like:

ipfilter_enable=YES
ipfilter_flags=
ipfilter_rules=/etc/ipfilter.rules
ipmon_enable=YES
ipmon_flags=-Dsvn

Does my setup look ok? Or are there additional procedures involved in setting up ipfilter on 5.x?

thanks
redmond