IP Filter problems on 4.11-STABLE

B H bernt at bah.homeip.net
Wed Mar 29 12:07:24 UTC 2006


Erik Norgaard skrev:
> B H wrote:
> 
>> Now IPFilter does not work or is VERY slow; ssh, web and mail time out.
>>
>> NAT is working like it should.
>>
>> # dmesg | grep 'IP Filter'
>> IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>>
>> ipf.rules looks like this:
>>
>> # Let clients behind the firewall send out to the internet, and
>> # replies to come back in by keeping state.
>> pass out quick on fxp0 proto tcp all keep state
>> pass out quick on fxp0 proto udp all keep state
>> pass out quick on fxp0 proto icmp all keep state
>>
>> # Since nothing should be coming from these address ranges, block them
>> block in log quick on fxp0 from 82.182.0.0/16 to any
>> block in quick on fxp0 from 192.168.0.0/16 to any
>> block in quick on fxp0 from 172.16.0.0/12 to any
>> block in quick on fxp0 from 10.0.0.0/8 to any
>> block in quick on fxp0 from 127.0.0.0/8 to any
>> block in quick on fxp0 from 192.0.2.0/24 to any
>> block in log quick on fxp0 from any to 10.0.0.0/32
>> block in log quick on fxp0 from any to 10.0.0.255/32
> 
> 
> 1st: the last two rules have no effect at all, packets are caught in the 
> 4th in-rule.

Yes, I see that now.

> You have nat? 

Yes, and it's working.

> are you routing traffic? 

Yes.

> what is your network config (ifconfig)? 

# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
         inet6 fe80::210:a7ff:fe0e:2ad9%rl0 prefixlen 64 scopeid 0x1
         ether 00:10:a7:0e:2a:d9
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
         inet6 fe80::230:6eff:fe06:6990%fxp0 prefixlen 64 scopeid 0x2
         ether 00:30:6e:06:69:90
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
         inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

> from where to where are you trying to connect,

From the outside and in.

> Have you tried to sniff on the interface to see what traffic is 
> coming in and going out?

No.

> ipfilter not working is good (I mean it is easier to track down), 
> ipfilter being slow is really difficult to debug.
> 
> Erik

BH
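As an added illustration (not part of the thread), a small Python evaluator for the rule shape quoted above. It applies IPFilter's order, last matching rule wins unless a matching `quick` rule ends the scan, so you can ask which rule a given packet lands on before loading a ruleset. The rules are the ones from the thread; the packet dictionaries are constructed, and the regex is a hypothetical subset that only recognises this thread's rule forms.

```python
import ipaddress
import re
# Constructed sample input: the ipf.rules quoted above, trailing 'keep state' kept.
RULES_TEXT = """
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32
"""
# Only the rule shape used in the thread is recognised (a hypothetical subset of ipf syntax).
RULE_RE = re.compile(r"^(pass|block) (in|out)(?: log)?( quick)? on (\S+)"
                     r"(?: proto (\S+))? (?:all|from (\S+) to (\S+))")

def net(s):  # 'any' or an omitted address ('all') matches every IPv4 address
    return ipaddress.ip_network("0.0.0.0/0" if s in (None, "any") else s)

def parse_rules(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        action, direction, quick, iface, proto, src, dst = m.groups()
        rules.append(dict(action=action, dir=direction, quick=bool(quick),
                          iface=iface, proto=proto, src=net(src), dst=net(dst)))
    return rules

def matches(rule, pkt):  # pkt: dict with dir, iface, proto, src, dst (all strings)
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and rule["proto"] in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"])

def evaluate(rules, pkt, default="pass"):
    """IPFilter order: the last match wins, but a matching 'quick' rule stops the scan at once."""
    result = (default, None)  # (action, index of the deciding rule; None = default policy)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            result = (rule["action"], i)
            if rule["quick"]:
                break
    return result
```

With this ruleset, an inbound packet from a 10/8 source is decided by the 10.0.0.0/8 rule and never reaches the two dst-based rules; a packet from an outside source to 10.0.0.255 is the only kind that reaches them.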