Ipfilter strangeness on FreeBSD 6

David W. Chapman Jr. dwcjr at aexeous.net
Thu Feb 9 07:27:14 PST 2006


I've installed FreeBSD 6.0-RELEASE and had some ipfilter bugs on a
machine.  It appears that after 3-4 hours ipfilter ignores all group
rules.  When I run ipfstat -ih I can see the packets coming in and
hitting the specific rules but it seems to block them anyway.
 
By group rules I mean I'm doing something like this
 
block in on dc0 all head 100
block out on dc0 all head 150
block in on xl0 all head 200
block out on xl0 all head 250
 
and have respective group rules under each group.
 
I switched out the nic on the public interface as I thought it was that
originally.  I currently have this cron job in place to alleviate the
problem temporarily
0 * * * * /sbin/ipf -D;/sbin/ipf -E;/sbin/ipf -FS -Fa -f /etc/ipf.rules;/sbin/ipnat -FCf /etc/ipnat.rules
 
I cvsuped to the latest version
 
FreeBSD fbsd.abghouston.com 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #7:
Tue Feb  7 17:34:35 UTC 2006
whatever at whatever.com:/usr/obj/usr/src/sys/FIREWALL  i386
 
the problem still seems to persist.
 
tcpdump appears to lock up if there are packets on the dc0
interface (which is the public interface).  The problem completely goes
away when I disable ipfilter.
 
Does anyone have any hints/clues/ideas?
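An added example, not part of the post above: a shell sanity check for a rules file laid out with the head/group structure the poster describes (every "head N" should have "group N" rules, or that interface and direction is simply blocked), plus a reload that loads into ipf's inactive rule set and swaps it in, instead of the cron job's "ipf -D ... ipf -E" sequence, which leaves filtering disabled and then empty for a moment on every run. The sample rules are constructed; /sbin/ipf and /etc/ipf.rules are the paths from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Checks an ipf.rules file that
# uses "block ... head N" per interface/direction with policy in "group N"
# rules, and reloads it without disabling the firewall. Paths are assumptions.
RULES=${RULES:-/etc/ipf.rules}

# Constructed sample in the poster's layout: one head per interface and
# direction, with the actual policy attached via "group N".
SAMPLE_RULES='
block in on dc0 all head 100
block out on dc0 all head 150
block in on xl0 all head 200
block out on xl0 all head 250
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state group 100
pass out quick on dc0 all keep state group 150
pass in quick on xl0 all keep state group 200
pass out quick on xl0 all keep state group 250
'

# check_groups FILE: returns 0 if every "head N" has at least one "group N"
# rule and every "group N" refers to a defined head; otherwise prints one
# line per fault and returns 1. A head without group rules blocks everything
# on that interface/direction, which looks exactly like the symptom above.
check_groups() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i < NF; i++) {
              if ($i == "head")  heads[$(i+1)] = 1
              if ($i == "group") groups[$(i+1)] = 1
          } }
        END {
            rc = 0
            for (h in heads)  if (!(h in groups)) { print "head " h " has no group rules"; rc = 1 }
            for (g in groups) if (!(g in heads))  { print "group " g " has no head"; rc = 1 }
            exit rc
        }' "$1"
}

# reload_rules FILE: validate, load into the inactive set, then swap sets,
# so there is no window with filtering off or with an empty rule list.
reload_rules() {
    check_groups "$1" || return 1
    /sbin/ipf -I -Fa && /sbin/ipf -I -f "$1" && /sbin/ipf -s
}
```

Run as "reload_rules /etc/ipf.rules" from the hourly job in place of the -D/-E chain; ipnat reloading is unchanged.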
