ipfilter seems to be broken on 7.2-PRERELEASE as of April 25:th
2009.
Jonas Bülow
freebsd at jongel.net
Sat Apr 25 14:34:11 UTC 2009
Hi,
Today I updated one of my servers tracking freebsd 7-stable. (7.2-
PRERELEASE #3: Sat Apr 25 10:01:00 CEST 2009).
After reboot it was not reachable from the network. After some
troubleshooting I found that ipfilter seems to be the problem.
Returning traffic originating from my host (XXX) is blocked:
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b
193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b
193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT
Comparing the ipfilter-log from before the upgrade, there were no "IN
bad NAT" log entries before the upgrade.
My active ipfilter rules are:
block in log on fxp0 all
pass out quick on fxp0 proto tcp from XXX/32 to any flags S/SAFR keep
state
pass out quick on fxp0 proto udp from XXX/32 to any keep state
pass out quick on fxp0 proto icmp from XXX/32 to any keep state
My NAT rules are:
map fxp0 10.1.0.0/24 -> XXX/32 proxy port ftp ftp/tcp
map fxp0 10.1.0.0/24 -> XXX/32 portmap tcp/udp 1025:65500
map fxp0 10.1.0.0/24 -> XXX/32
Anyone seen this behaviour?
Regards,
Jonas
More information about the freebsd-stable
mailing list