ipfilter on 6.1

Giorgos Keramidas keramida at ceid.upatras.gr
Sat Aug 26 22:45:55 UTC 2006


On 2006-08-26 17:10, "J.D. Bronson" <jbronson at wixb.com> wrote:
> At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:
> >Weird.  This doesn't seem to include *ANY* block rules at all.
> >
> >Is this a standard 6.1 installation, or do you have local IP Filter
> >modifications (like, for instance, a modified 'default' rule which
> >blocks everything, instead of allowing everything)?
> 
> Yes and no.
> 
> I did build a kernel with BLOCK as a default...
> but my IPF rules are pass it all with no specific blocking...

Well, there's your problem then.  If you are using a modified kernel
with "block" as the default action for IP Filter, then you have to
*EXPLICITLY* allow traffic to traverse the loopback interface, which you
haven't done.

Your current "ipf.conf" includes:

    # Pass LAN traffic to/from bge0
    pass in quick on bge0 all keep state keep frags
    pass out quick on bge0 all keep state keep frags
    
    # Pass traffic to WAN and keep state
    pass out quick on tun0 proto tcp all flags S keep state keep frags
    pass out quick on tun0 proto udp all keep state keep frags
    pass out quick on tun0 proto icmp all keep state keep frags

Try reverting the local IP Filter changes that modify the default policy
to "block" and use something like this instead:

+   # Block everything by default.
+   block in log from any to any
+   block out log from any to any
+   
+   # Allow everything on lo0.
+   pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
+   pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
    
    # Pass LAN traffic on bge0 interface.
    pass in  quick on bge0 all keep state keep frags
    pass out quick on bge0 all keep state keep frags
    
    # Pass outgoing traffic to WAN and keep state
    pass out quick on tun0 proto tcp all flags S keep state keep frags
    pass out quick on tun0 proto udp all keep state keep frags
    pass out quick on tun0 proto icmp all keep state keep frags

Please pay particular attention to the rules marked with '+' above.

This may explain why in a previous post you wrote:

On 2006-08-26 15:02, "J.D. Bronson" <jbronson at wixb.com> wrote:
> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...
>
> I found out that the router itself cant get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174
> alias 10.43.82.171 - for bind9 views
> alias 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> well I cant even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind) are
> unanswered yet it is able to fully answer requests from internal or
> external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I want to
> connect up to, the router is able to get out and uses the correct IP.

You are implicitly blocking all traffic on the lo0 interface (by the
modified default policy to "block" all traffic, and missing an explicit
rule to allow lo0 traffic).

When a system tries to connect to itself, it uses lo0/127.0.0.1 and this
is not possible with your setup.

I hope this helps a bit,

-- Giorgos
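Editor's added example (not part of the post above, and not FreeBSD or IPFilter code): a small Python model of the rule-ordering semantics the thread turns on. IPFilter walks the whole ruleset and the last matching rule wins unless a matching rule says `quick`, which ends the search at once; if no rule matches at all, the kernel default applies, which is "pass" on a stock kernel and "block" on one built with `options IPFILTER_DEFAULT_BLOCK`. The packets below are constructed for illustration (the tun0 address 198.51.100.1 and the remote 192.0.2.1 are documentation addresses, not from the thread). The model ignores state, fragments, protocols and TCP flags. One caveat it does show: on FreeBSD a connection to any of the host's own interface addresses (here the bge0 address 10.43.82.174) is also looped back through lo0 carrying that address rather than 127.0.0.1, so the suggested `from 127.0.0.1/32 to 127.0.0.1/32` rules leave such traffic blocked; `pass ... on lo0 all` covers both cases.

```python
"""Toy evaluator of IPFilter rule ordering: rule order, 'quick',
interface/address matching and the kernel default policy only."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool                 # stop searching if this rule matches
    iface: Optional[str]        # None matches any interface
    src: Optional[IPv4Network]  # None matches any source ("all"/"any")
    dst: Optional[IPv4Network]  # None matches any destination


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse the ipf.conf subset used in the thread.  Keywords not modelled
    (proto, flags, keep state, keep frags, log) are accepted and ignored."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError("unsupported rule: " + line)
    iface = toks[toks.index("on") + 1] if "on" in toks else None

    def net(keyword: str) -> Optional[IPv4Network]:
        if keyword not in toks:          # "all" or nothing given
            return None
        spec = toks[toks.index(keyword) + 1]
        return None if spec == "any" else ip_network(spec, strict=False)

    return Rule(action, direction, "quick" in toks, iface, net("from"), net("to"))


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def verdict(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """Last matching rule wins, unless a matching rule is 'quick'.
    With no match, the kernel default ("pass" normally, "block" with
    IPFILTER_DEFAULT_BLOCK) decides."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    result = None
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        result = r.action
        if r.quick:
            break
    return result if result is not None else default


# The rules J.D. posted: no lo0 rule, no block rule, relies on the kernel default.
ORIGINAL = parse_ruleset("""
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
""")

# Giorgos's suggestion: explicit default-block rules plus 127.0.0.1 on lo0.
SUGGESTED = parse_ruleset("""
block in log from any to any
block out log from any to any
pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
""") + ORIGINAL

# Variant passing everything on lo0 (editor's addition, see caveat in lead-in).
LO0_ALL = parse_ruleset("""
block in log from any to any
block out log from any to any
pass in quick on lo0 all
pass out quick on lo0 all
""") + ORIGINAL

# Constructed packets.  Connecting to the box's own bge0 address is also
# delivered over lo0, with that address as source and destination.
LOOPBACK = Packet("out", "lo0", "127.0.0.1", "127.0.0.1")
SELF_BGE0 = Packet("out", "lo0", "10.43.82.174", "10.43.82.174")
WAN_IN = Packet("in", "tun0", "192.0.2.1", "198.51.100.1")   # unsolicited inbound


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED), ("lo0 all", LO0_ALL)):
        for default in ("pass", "block"):
            print(name, "kernel default", default,
                  "loopback:", verdict(rules, LOOPBACK, default),
                  "self/bge0:", verdict(rules, SELF_BGE0, default),
                  "wan in:", verdict(rules, WAN_IN, default))
```

Running it shows the three states of the thread: the posted rules block nothing on lo0 themselves, so the verdict there is whatever the kernel default is; the suggested rules pass 127.0.0.1 on any kernel but still block the host talking to its own bge0 address; and an unsolicited inbound packet on tun0 is only blocked once a block rule (or the block-default kernel) exists.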
