ipfilter problems

Angelin Lalev lalev at sv-bg.com
Mon Apr 4 05:27:27 PDT 2005


Thank You very much!

> Well, the short answer is: there is no keep state in the line
>
>   pass in quick on rl0 all
>
> the dns reply you get back times out because your default rule is 
> block and there is nowhere in the "in" rules for rl1 that allows the 
> reply back.
>
This makes sense... And I have probably made a huge mistake...

I thought that these rules are applied two times: once when the packet is 
about to enter the machine's "routing logic" and once when it exits the 
machine (like ipfw). If that was the case, the rule

  pass out quick on rl1 all keep state

would do...

> Some recomendations:
>
> 1) I have a bit of dificulty understanding your network setup - why do 
> you have two private networks on your external interface? May scetch 
> in a diagram.


rl0 is connected to an internet caffe with some game servers. It has 
only one IP address, 192.168.0.0/24.
rl1 is connected via ethernet to a wireless bridge.

The management address of the wireless bridge (provider's property) 
is 10.1.6.1. I added the alias address 10.1.6.2/24 to rl1, so I can ping 
it to test connectivity.

Recently we have connected some outer clients to the same ethernet 
network on which the wireless bridge is. They have addresses in 
192.168.5.0/24 and have our FreeBSD machine as their gateway. They use 
the squid server on the machine (like the machines on rl0 do) and need 
access to some game servers.
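An added example, not part of the original post or the reply it quotes: an ipf.conf fragment that puts the two rules discussed side by side with a rule set that follows the reply's point (keep state on the rule where the client's packet first enters, so the answer is let back in by the state table rather than by a separate "pass in" rule on rl1). The interface names, the 192.168.0.0/24, 192.168.5.0/24 and 10.1.6.x addresses and the default-block policy are taken from the thread; the port numbers, the loopback rules and the assumption that any NAT lives in ipnat.conf are mine.

```ipf
# Added example (not from the original post). Assumes the layout described
# in the thread: rl0 = caffe side (192.168.0.0/24), rl1 = uplink side
# with the outer clients (192.168.5.0/24) and the bridge (10.1.6.1), and
# a default policy of block. NAT, if any, lives in ipnat.conf (not shown).

# Default policy, logged so dropped replies are visible in ipmon.
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# --- As posted: the "in" rule on rl0 carries no keep state ---
# pass in quick on rl0 all
# pass out quick on rl1 all keep state

# --- Following the reply: keep state where the client's packet enters ---
# The state entry created here is matched before the rule list on every
# later packet of the flow, in both directions, so neither the forwarded
# packet leaving on rl1 nor the answer coming back in on rl1 needs a rule.
pass in quick on rl0 proto udp from 192.168.0.0/24 to any port = 53 keep state
pass in quick on rl0 proto tcp from 192.168.0.0/24 to any flags S keep state
pass in quick on rl0 proto icmp from 192.168.0.0/24 to any keep state

# The outer clients behind the bridge get the same treatment on rl1.
pass in quick on rl1 proto udp from 192.168.5.0/24 to any port = 53 keep state
pass in quick on rl1 proto tcp from 192.168.5.0/24 to any flags S keep state

# Traffic the router itself originates (squid fetching pages, its own DNS,
# pinging the bridge's management address from the 10.1.6.2 alias).
pass out quick on rl1 proto tcp from any to any flags S keep state
pass out quick on rl1 proto udp from any to any port = 53 keep state
pass out quick on rl1 proto icmp from 10.1.6.2 to 10.1.6.1 keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf`, then send a DNS query from a caffe machine and check `ipfstat -sl` for the UDP state entry; `ipfstat -io` lists the rules as the kernel holds them, and `ipmon` shows any reply that still hits the default block.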
