IPFILTER rule error

fbsd_user fbsd_user at a1poweruser.com
Tue Feb 14 07:36:41 PST 2006

First of all you really need to read the ipfilter section of the
FreeBSD handbook.
The correct solution is exampled in the handbook.
You do not need to compile ipfilter in to the kernel to work.
>From your rules I see no need for that head/group stuff so remove
I see rl0 being assigned to private ip address which means that Nic
is facing your LAN which is behind your gateway box. That ip address
range is not routable on the public internet. You have something
mess up big time.

Your firewall rules is suppose to be on the Nic facing the public
You nat the public ip address to you private LAN ip address.

The reason you have no log records is because your firewall rules
have syntax error and are never loaded. Only rules with log keyword
will generate log records.
Only use rules with quick option. Do not mix quick and non quick
You need pass in rules for you ISP's dns and dhcp servers to access
your box.

Explain in detail your network layout.
Do you have LAN?
How are you connected to the public internet?

Again I strongly recommend you read the ipfilter section of the
handbook your answers are there.

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Maxim
Sent: Tuesday, February 14, 2006 7:57 PM
To: freebsd-questions at FreeBSD.org
Subject: Re: IPFILTER rule error


Sorry, I really do not want you to guess! Here is what you asked:

kernel conf:
options        IPFILTER
options        IPFILTER_LOG
#options        IPSTEALTH

ifconfig_rl0="inet netmask"

sunrpc          111/tcp    rpcbind      #SUN Remote Procedure Call
sunrpc          111/udp    rpcbind      #SUN Remote Procedure Call

block in log on rl0 all head 20
block out log on rl0 all head 25

pass in quick on rl0 \
  proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \
  proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \
  proto udp from any to any port = 111 keep state group 20

Steps to load the rules:
>ipf -Fa
>ipf -f /etc/ipf.rules
1:ioctl (add/insert rule): No such process

And there is one more problem - despite that I have packet logging
enabled by default (-Ds) through syslogd, log is empty!

security.*      /var/log/security
That file exists and have root rw permissions.

If this help: after I'd moved to 6.0 from 5.4
(backup-format-install-restore), this config stopped to work. I know
that I'm doing something wrong but what exactly?


freebsd-questions at freebsd.org mailing list
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list