IP Filter problems on 4.11-STABLE

Erik Norgaard norgaard at locolomo.org
Wed Mar 29 10:12:31 UTC 2006


B H wrote:

> Now IPFilter does not work or is VERY slow, ssh, web and mail time out.
> 
> NAT is working like it should.
> 
> # dmesg | grep 'IP Filter'
> IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
> 
> ipf.rules looks like this:
> 
> # Let clients behind the firewall send out to the internet, and replies to
> # come back in by keeping state.
> pass out quick on fxp0 proto tcp all keep state
> pass out quick on fxp0 proto udp all keep state
> pass out quick on fxp0 proto icmp all keep state
> 
> # Since nothing should be coming from these address ranges, block them
> block in log quick on fxp0 from 82.182.0.0/16 to any
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.0/8 to any
> block in quick on fxp0 from 192.0.2.0/24 to any
> block in log quick on fxp0 from any to 10.0.0.0/32
> block in log quick on fxp0 from any to 10.0.0.255/32

1st: the last two rules have no effect at all; packets are caught by the 
4th in-rule.

You have NAT? Are you routing traffic? What is your network config 
(ifconfig)? From where to where are you trying to connect, from the box 
and out? Have you tried to sniff on the interface to see what traffic is 
coming in and going out?

ipfilter not working is good (I mean it is easier to track down); ipfilter 
being slow is really difficult to debug.

Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9

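Erik's first point is about rule order: every quoted rule carries `quick`, so IPFilter decides a packet at the first rule that matches it, and a later rule can only ever see packets that no earlier quick rule in the same direction caught. The Python simulator below is an added example, not the poster's configuration tooling or IPFilter's own code. It parses the ruleset quoted above (only that small syntax subset), reports which rule decides a sample packet, and lists rules that an earlier quick rule in the same direction fully shadows. It ignores `keep state` (stateless approximation) and uses pass as the default, as the dmesg line reports; the sample packet addresses (10.1.2.3, 203.0.113.5, 192.168.1.10) are constructed.

```python
"""Simulator of IPFilter rule evaluation for the ruleset quoted in the thread.
Added example, not the poster's configuration or IPFilter's own code.  It
parses only the syntax subset used above, ignores 'keep state' (stateless
approximation) and applies ipf's matching rule: the last matching rule wins
unless a matching rule carries 'quick', which ends evaluation at once."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The in/out rules quoted in the thread.  dmesg reported "Default = pass all".
RULES_TEXT = """
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32
"""

@dataclass
class Rule:
    text: str
    action: str                           # "pass" or "block"
    direction: str                        # "in" or "out"
    log: bool
    quick: bool
    iface: Optional[str]                  # None = any interface
    proto: Optional[str]                  # None = any protocol
    src: Optional[ipaddress.IPv4Network]  # None = "any"
    dst: Optional[ipaddress.IPv4Network]

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?:\s+keep\s+state)?\s*$")

def _net(s):
    return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(Rule(line, m["action"], m["dir"], bool(m["log"]), bool(m["quick"]),
                          m["iface"], m["proto"], _net(m["src"]), _net(m["dst"])))
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst))

def evaluate(rules: List[Rule], pkt: Packet, default="pass") -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule, or None for the default)."""
    decision, winner = default, None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner = rule.action, i
            if rule.quick:                # 'quick': the first match is final
                break
    return decision, winner

def _covers(a, b):
    """True if network a (None = any) contains everything network b matches."""
    return a is None or (b is not None and b.subnet_of(a))

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never decide a packet because an earlier
    'quick' rule in the same direction matches a superset of their traffic."""
    out = []
    for j, r in enumerate(rules):
        for q in rules[:j]:
            if (q.quick and q.direction == r.direction
                    and q.iface in (None, r.iface) and q.proto in (None, r.proto)
                    and _covers(q.src, r.src) and _covers(q.dst, r.dst)):
                out.append(j)
                break
    return out

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for pkt in (Packet("in", "fxp0", "tcp", "10.1.2.3", "10.0.0.0"),      # constructed
                Packet("in", "fxp0", "tcp", "203.0.113.5", "10.0.0.0"),
                Packet("in", "fxp0", "tcp", "203.0.113.5", "192.168.1.10")):
        action, idx = evaluate(rules, pkt)
        print(pkt.src, "->", pkt.dst, action, "by rule", "default" if idx is None else idx)
    print("shadowed rule indices:", shadowed_rules(rules))
```

Run it as a script to see which rule each sample packet hits; to test a candidate change to the ruleset, append the new line to RULES_TEXT and call shadowed_rules() on the result before loading it with ipf.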
