ipfilter on 6.1
Duane Hill
d.hill at yournetplus.com
Sat Aug 26 23:21:16 UTC 2006
On Saturday, August 26, 2006 at 8:02:10 PM, J.D. confabulated:
> I got a full load of 6.1p4 installed and all built. I have pppoe and
> ipfilter running almost perfect.
> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...
> I found out that the router itself can't get out 100%.
> My ipconfig is basically this:
> bge0 - 10.43.82.174
> alias 10.43.82.171 - for bind9 views
> alias 10.43.82.51 - for bind9 views
> bge1 - connected to dsl modem
> well I can't even telnet from the machine to itself!
> 'destination unreachable'
> DNS requests from the server itself (to itself - it runs bind) are
> unanswered yet it is able to fully answer requests from internal or
> external clients...just not itself!
> If I use a public DNS server -or- use the IP of the machine I want to
> connect up to, the router is able to get out and uses the correct IP.
> I used the same configs from Solaris on here (ipf.conf and ipnat.conf)
> and only needed to change sppp0 to tun0.
> this should take care of anything the machine itself needs:
> ============ipf.conf======================
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags
> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> ==========================================
> I am totally baffled. It's like I am being blocked somehow but even
> with ipfilter WIDE open - traffic still won't pass.
> I am wondering if this is some quirk with the interface
> aliases...although running the basic same setup on Solaris - it works
> perfectly.
Did you build the kernel with the 'IPFILTER_DEFAULT_BLOCK'? If so, you
would have to have two allowances at the end for anything else that
didn't match the other rules:
pass in all
pass out all
Because you are using 'quick', the processing stops when a match is
found. If no match is found and you have IPFILTER_DEFAULT_BLOCK
enabled, everything else would be blocked.
I made this mistake when I set IPFilter up the first time and it was
in a colo facility over 800 miles away.
--
"This message was sent using 100% recycled electrons."
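As an added illustration (not part of either message in this thread), the ruleset below takes the poster's three sets of rules and adds the last-resort rules the reply describes, but written as an explicit, logged block rather than relying on the IPFILTER_DEFAULT_BLOCK kernel option, so the policy is visible in the file itself. It also adds pass rules for lo0, which is an assumption on my part about the poster's setup: on FreeBSD, connections a host makes to its own addresses (including aliases) travel over lo0 and are filtered by ipf like any other interface, so they need a rule of their own before the final block. Interface names bge0, tun0 and lo0 are taken from the post; everything else is assumed.

```conf
# Added example ipf.conf, not the poster's file.

# Loopback first: the router's own connections to itself (telnet to its own
# address, resolver queries to the local bind9) traverse lo0. Without these
# two rules they match nothing above the final block and are dropped.
pass in quick on lo0 all
pass out quick on lo0 all

# Pass LAN traffic to/from bge0 (as in the original post)
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state (as in the original post)
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

# Explicit last-resort rules. Anything that did not hit a 'quick' rule above
# ends here; 'log' records each miss so ipmon shows which packet was dropped
# and on which interface, instead of leaving you to guess.
block in log all
block out log all
```

Load it with `ipf -Fa -f /etc/ipf.conf`, confirm the loaded order with `ipfstat -io`, and watch `ipmon` (or its log file) while repeating the failing telnet or DNS query: the logged block line names the interface and addresses that no pass rule covered, which is the quickest way to tell a missing lo0 rule from a missing tun0 or bge0 rule.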