ipfilter on 6.1

Giorgos Keramidas keramida at ceid.upatras.gr
Sat Aug 26 20:40:52 UTC 2006


On 2006-08-26 15:02, "J.D. Bronson" <jbronson at wixb.com> wrote:
> I got a full load of 6.1p4 installed and all built. I have
> pppoe and ipfilter running almost perfect.
>
> Clients can use the machine (as a router) and get out
> perfectly!  No issues with network performance at all. I am
> very pleased...until...
>
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174
>        alias 10.43.82.171 - for bind9 views
>        alias 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> Well, I can't even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind)
> are unanswered yet it is able to fully answer requests from
> internal or external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I
> want to connect up to, the router is able to get out and uses
> the correct IP.
>
> I used the same configs from solaris on here (ipf.conf and
> ipnat.conf) and only needed to change sppp0 to tun0.
>
> This should take care of anything the machine itself needs:
>
> ============ipf.conf======================
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags
>
> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> ==========================================
>
> I am totally baffled. It's like I am being blocked somehow but
> even with ipfilter WIDE open - traffic still won't pass.
>
> I am wondering if this is some quirk with the interface
> aliases...although running the basic same setup on solaris
> - it works perfectly.

Don't show us the ipf.conf file you are using, but the output of:

    % ipfstat -hni
    % ipfstat -hno

Then we can really know what rules you have loaded in IP Filter.


