4.8 ipfilter ruleset compatibility question

John Murphy jfm at blueyonder.co.uk
Sun Apr 6 17:38:42 PDT 2003

Paranoia rules so my outside interface is currently down while I discover
what has changed to cause an ipfilter ruleset which worked fine under
IP Filter: v3.4.20 to be wide open without logging (apparently) with v3.4.31.

I've upgraded from 4.4 to 4.8 release by re-installation and then copying:
/etc/rc.conf and the usual others from the old drive to the new.  Including
the old, previously working, ipf.rules and ipnat.rules.

Everything worked except /var/log/ipf.log remained 0bytes for far too long.
top said ipmon was running.  The /var/log/messages indications of ipf startup
compare favourably:

Apr  1 22:01:42 wall /kernel: IP Filter: v3.4.20 initialized.  Default = pass all, Logging = enabled

Apr  6 22:05:37 wall /kernel: IP Filter: v3.4.31 initialized.  Default = pass all, Logging = enabled

A <cough> GRC scan showed ports scanned as closed, which is ok but ipf.log = 0
and I need "stealth" and logs!

I changed the first rule from:
# Block all incoming packets on the external interface, and log them.
block in log on ed0 all
block in log quick on ed0 all

Now a GRC scan indicates "stealth" and the log file has come alive with the
usual noise.  ipnat still works?

I'm convinced there's no rule which overrides the first and passes everything
without logging, so has something drastically changed to cause this?

Not sure if it's related but I've just tried top again:
wall# top
top: nlist failed


More information about the freebsd-questions mailing list