4.8 ipfilter ruleset compatibility question
John Murphy
jfm at blueyonder.co.uk
Sun Apr 6 17:38:42 PDT 2003
Paranoia rules, so my outside interface is currently down while I discover
what has changed to cause an ipfilter ruleset which worked fine under
IP Filter: v3.4.20 to be wide open without logging (apparently) with v3.4.31.
I've upgraded from 4.4 to 4.8 release by re-installation and then copying
/etc/rc.conf and the usual others from the old drive to the new, including
the old, previously working, ipf.rules and ipnat.rules.
Everything worked except /var/log/ipf.log remained 0 bytes for far too long.
top said ipmon was running. The /var/log/messages indications of ipf startup
compare favourably:
Apr 1 22:01:42 wall /kernel: IP Filter: v3.4.20 initialized. Default = pass all, Logging = enabled
Apr 6 22:05:37 wall /kernel: IP Filter: v3.4.31 initialized. Default = pass all, Logging = enabled
A <cough> GRC scan showed ports scanned as closed, which is ok but ipf.log = 0
and I need "stealth" and logs!
I changed the first rule from:
# Block all incoming packets on the external interface, and log them.
block in log on ed0 all
to
block in log quick on ed0 all
Now a GRC scan indicates "stealth" and the log file has come alive with the
usual noise. ipnat still works?
I'm convinced there's no rule which overrides the first and passes everything
without logging, so has something drastically changed to cause this?
Not sure if it's related but I've just tried top again:
wall# top
top: nlist failed
John.
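The rule change described in this post hinges on ipfilter's evaluation order: without "quick", the last matching rule decides both the verdict and whether the packet is logged, so any later "pass" rule silently wins over an earlier non-quick "block ... log". The following is an added illustration, not code from the post or from IP Filter itself; the ruleset, the later port-22 pass rule and the probe packet are constructed for the example.

```python
# Minimal model of ipfilter rule evaluation: rules are read top to bottom, the
# LAST rule that matches decides the verdict (and whether the packet is logged),
# unless a matching rule carries "quick", which ends evaluation immediately.
# Constructed example; supports only the rule syntax used below.

def parse_rule(line):
    """Parse the small subset of ipf.rules syntax used here into a dict."""
    tokens = line.split()
    rule = {"action": tokens[0], "dir": tokens[1], "log": "log" in tokens,
            "quick": "quick" in tokens, "iface": None, "proto": None, "port": None}
    for i, tok in enumerate(tokens):
        if tok == "on":
            rule["iface"] = tokens[i + 1]
        elif tok == "proto":
            rule["proto"] = tokens[i + 1]
        elif tok == "port":            # written as "port = 22"
            rule["port"] = int(tokens[i + 2])
    return rule

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["port"] in (None, pkt["dport"]))

def evaluate(ruleset, pkt, default="pass"):
    """Return (verdict, logged) for pkt under last-match-wins semantics."""
    verdict, logged = default, False        # "Default = pass all" as in the log
    for line in ruleset:
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        verdict, logged = rule["action"], rule["log"]
        if rule["quick"]:
            break                          # quick: stop at this rule
    return verdict, logged

# Constructed rulesets: the same later "pass" rule follows both first rules.
RULES_NO_QUICK = ["block in log on ed0 all",
                  "pass in on ed0 proto tcp from any to any port = 22"]
RULES_QUICK = ["block in log quick on ed0 all",
               "pass in on ed0 proto tcp from any to any port = 22"]
SSH_PROBE = {"dir": "in", "iface": "ed0", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print(evaluate(RULES_NO_QUICK, SSH_PROBE))  # ('pass', False): open, unlogged
    print(evaluate(RULES_QUICK, SSH_PROBE))     # ('block', True): dropped, logged
```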