Jason Chambers wrote:
Hello all,
Wondering if anyone else can reproduce this ?
The kernel I have compiled includes VIMAGE with SCTP disabled. Might be
a contributing factor. Additionally, there's a problem with the em
interface.. see em interface slow down on 8.0R.
To reproduce, have IPF start at boot or kldload
Hugo Koji Kobayashi wrote:
Ok. I understand that, but in FreeBSD 4.11 it works and without the
keep frags the query is blocked. Is it just a misbehaviour of
an old ipf version?
And there is also the different behaviour of pf under OpenBSD. As I
understand, the scrub rule should reassemble the fragments and pass
Hello,
While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).
Our test is a DNS query to a DNSSEC enabled server which replies with
a ~4KB udp response. We do this with the following dig
This should be rejected as keep frags is meaningless here.
pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
keep state keep frags
You need
pass in quick from any to any with frag keep frag
--
Mark Andrews, ISC
1 Seymour St.,
The reason is that ip fragments
            |
          tun0
            |
       |---------|
       | FreeBSD |
       |---------|
        /       \
      xl0       xl1
      /           \
    LAN           DMZ
192.168.0.0/24   DMZ_BLOCK/29
I often experience in my ipf logs such packet drops (the following example
Hello,
Yesterday, when I was looking for a solution that could replace the following command from
linux:
ip route add default via x.x.x.x src y.y.y.y
So I tried with ipf and executed the following rule (yes, this is silly):
--
pass out quick on rl0 to rl0:y.y.y.y from x.x.x.x to any keep state
--
On rl0 I
I've tried various nat rules and ipf filter settings.. here are the
current mappings and setup.. the kernel is GENERIC w/ the debugging
stuff put in it.
IPNAT RULES
map vr0 10.69.0.0/24 -> 0/32
necessary.
I use ipfw with my Vonage service, but there's nothing special that I do
for NAT. I don't do ipf..
Louis Mamakos
Vladimir Botka wrote:
Hello,
if your Vonage linksys RT31P2 talks H323 try /usr/ports/net/gatekeeper
in proxy mode.
Cheers,
Vladimir Botka
On Sun, 12 Jun 2005
I can reproduce this very easily.. I pick up my phone and make a call
Current Setup
Cable Modem---FreeBSD 5.4 Stable---HUB--Machines
\--Vonage Linksys RT31P2
Hi Damon,
On 12.06.2005 at 23:02 Damon Hopkins wrote:
Tracing pid 27 tid 100021 td 0xc15a4180
m_copydata(c17fa400,0,38,c193abc0,0) at m_copydata+0x28
ipllog(0,d3d46bc8,d3d46b50,d3d46b48,d3d46b40) at ipllog+0x1f1
ipflog(105819,c17fa450,d3d46bc8,c17fa400,0) at ipflog+0x18f
It looks like ipf is not handling fragmented UDP responses
correctly. Is there anything in particular that I need to
say to ipf to make it process the fragments? Unfragmented
responses make it through the firewall. It appears to be
independent
;
fra-ipfr_prev = ipfr_ipidtail;
ipfr_ipidtail = fra-ipfr_next;
@@ -576,7 +583,7 @@
READ_ENTER(ipf_ipidfrag);
ipf = fr_fraglookup(fin, ipfr_ipidtab);
if (ipf != NULL)
- id = (u_32_t)ipf-ipfr_data;
+ id = (u_32_t
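Review bot: the replacement line is cut off after `+ id = (u_32_t`, so what the cast now applies to is not visible and the hunk cannot be reviewed or applied as shown; the surrounding context has also lost its `->` and `&` operators (`ipf-ipfr_data`, `fra-ipfr_prev`, `READ_ENTER(ipf_ipidfrag)`), which looks like HTML stripping of `>` and `&amp;`. Before applying, obtain the original patch text and check that the new line still reads the `ipfr_data` field only while the `ipf_ipidfrag` read lock taken just above is held.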
Hi
I've tried to import IPF 4.1.8 into freebsd-stable (5.4). It's the first time I
tried something similar. Problem is, that the kernel fails to compile (it
needs somewhere 3 parameters, but gets only 2... or what). I followed the
readme for freebsd-5. Any help ?
Jan Sebosik
IPF in 4.11, 4-Stable breaks the semantics of icmp
keep-state rules. This problem was mentioned in
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0503/31/1/2/1/1.html
I wouldn't make a fuss over this simple matter
except that this constitutes a POLA violation.
To that end, the following pr
There's your problem: your userland is out of sync with your kernel.
Just rebuild your system (i.e. kernel AND userland) to get rid of the
problem.
I don't think that's the case here. I'm using a recent 4-stable and I'm
seeing the same:
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.35
On 2004-11-05 at 19:12:17 Derkjan de Haan wrote:
Hm, now that you said this, I was reminded of the following threads:
http://lists.freebsd.org
- Original Message -
From: Dimitry Andric [EMAIL PROTECTED]
To: Derkjan de Haan [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, November 05, 2004 8:54 PM
Subject: Re: ipf
On Fri, Nov 05, 2004 at 09:30:33PM +0100, Derkjan de Haan wrote:
I can't seem to find any PR matching this problem, however...
I have just filed my first PR. Let's see how it goes.
Duplicates PR 70492.
--
Paweł Małachowski
Hi FreeBSDers ;
I have a few questions regarding ipf;
I've been searching through the web but still didn't find
the answer for my problem(s).
My problems are: when I run ipfstat -t the source and destination IPs
are all zero,
and when I look at the version
On 2004-11-05 at 02:29:34 zen wrote:
==snip==
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.35
There's your problem: your userland is out of sync with your kernel.
Just rebuild your system (i.e. kernel
packets are special and are not usually firewalled. I could be
mistaken, but I don't think you can get ipf to filter bridged packets
in 4.9. You could use ipfw2 to do it though:
sysctl net.link.ether.bridge_ipfw=1
ipfw add deny layer2 mac-type ipv6 recv tun1
Thank you, this seems
(You'll need to turn on ipfw2 to do this - see the ipfw man page
of the above mentioned
FAQ.
regards
Claus
OTOH if you only need ipnat and not ipfilter you can do this...
Don't compile in ipf. Turn on ipnat in rc.conf
telling them to log in. I have actually reworked my ipfw
rules so I don't need ipf anymore and it's all working. :)
This thread can be dropped unless you all want to discuss the ordering
more. IMHO Christ is right.
Who's arguing?
Your original query was not specific enough.
Maybe.
My
, how does IPF determine how long to leave an entry
in the state table for? Is it based on the TTL of a packet finalizing
the close of the connection?
TIA
--
Ben Lovett [EMAIL PROTECTED
with it. I
retract that statement.
But, does anyone have any insight as to why it disappears from view
until ipmon reports that it has been closed? (I can't see it in the
ipfstat -t output)
connection is closed, how does IPF determine how long to leave an entry
in the state table
dear listmembers,
I would need some help on ipf
problem:
ipf firewall with ipnat won't allow to login on itself and won't allow
outgoing traffic from itself.
from the intranet (192.168.0.0/8) to the internet all works as I
wanted.
my ipf.rules is:
# i have read this should be better
After cvsup'ing last night, and build, install, world, merging /etc, I found
that at bootup that ipf was not starting. The error message was very
difficult to see but it looked like somewhere
fopen was not able to open ipf. So as a quick fix I put my ipf -Fa -f
/etc/ipf.rules into
rc.local
You can edit /etc/rc.network and move the entire user ppp section of the
script right before the ipf section. Then ipf -y'ing won't be
necessary. It worked for me for several months - after editing
rc.network I just rebooted and from then on I didn't have to manually do
anything with ipf
* Mike Harding [EMAIL PROTECTED] [010325 20:06]:
You can specify interfaces by name in your rules - but you have to
issue 'ipf -y' to sync up with interface address changes. I've done
this with a dial-up line by putting 'ipf -y' in /etc/rc.network at the
end of pass 1. This file should
It will work, you just won't have a working firewall. I filed a PR
about this after discovering that ipf wasn't filtering _any_ packets
coming in. Yech. If you have a static address it may not be an
issue. I use dial-on-demand as well, but with a dynamic address.
- Mike H.
Date: Mon, 26
Afternoon people, just wondered if anyone was using ipf
with 6-to-4 tunneling (a la freenet6.net)?
I'm on a dialup (using gifconfig to build a tunnel through tun0),
so there are no IPs mentioned in the ruleset, apart from
the usual RFC1918 suspects.
If I ping6 outbound to www.normos.org
Rasputin wrote:
freenet6.net does not provide 6to4 tunneling. 6to4 tunnelling uses the
stf(4) interface and not the gif(4) one.
Maxime
--
Don't be fooled by cheap finnish imitations ; BSD
Ipfw and ipf to my eye (without glasses that is) seem to do pretty much the same
thing. The same is true for ipnat and natd. Of course there are differences
between the two (right?).
How do you map with a single rule a pool of private addresses into a pool of
real addresses with natd
2001 1:23 AM
Subject: Re: ipnat vs natd and ipf vs ipfw (fwd)
On Sat, Jan 27, 2001 at 19:20 -0500, Espen Oyslebo wrote:
On Sun, Oct 08, 2000 at 08:51:29PM -0700, matthew zeier wrote:
I tried to apply
http://www.swcp.com/~synk/ipfmerge.patch
on 4.1.1 release.
# cd /etc
# patch < /tmp/ipfmerge.patch
But got a lot of failed hunks. I don't know anything about patch - is
my syntax correct?
Sorry
matthew zeier writes:
I've used both ipfilter and ipfw and found them both to be usable. I'm
currently using ipfilter on both FreeBSD and Solaris 2.6. Ipfilter rule
groups are a good idea but could be
I have used ipfw because when I started ipfilter was only in the ports.
I have tried several times to use ipfilter but have been unable to
figure out how. The rules for ipfw are fairly simple and are processed
in order. It is easy for me to understand, write and debug them, big
plus.
I
Can anyone tell me the differences between ipf and ipfw ? Which is
"better" ?
- mz
--
matthew zeier - "There ain't no rules around here. We're trying to
accomplish something." - Thomas Edison