Erik Norgaard skrev:
B H wrote:

Now IPFilter does not work or is VERY slow; ssh, web and mail time out.

NAT is working like it should.

# dmesg | grep 'IP Filter'
IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled

ipf.rules looks like this:

# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state

# Since nothing should be coming from these address ranges, block them
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32


1st: the last two rules have no effect at all, packets are caught in the 4th in-rule.

Yes, I see that now.

You have nat?

Yes, and it's working.

Are you routing traffic?

Yes.

What is your network config (ifconfig)?

# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::210:a7ff:fe0e:2ad9%rl0 prefixlen 64 scopeid 0x1
        ether 00:10:a7:0e:2a:d9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 fe80::230:6eff:fe06:6990%fxp0 prefixlen 64 scopeid 0x2
        ether 00:30:6e:06:69:90
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

From where to where are you trying to connect?

From the outside and in.

Have you tried to sniff on the interface to see what traffic is coming in and going out?

No.

ipfilter not working is good (I mean it is easier to track down); ipfilter being slow is really difficult to debug.

Erik

BH
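As an added illustration (not part of the thread, and not ipf's own code), a small Python model of how ipf walks the "in" rules on fxp0 quoted above: last match wins unless a matching rule is `quick`, which stops evaluation, and with "Default = pass all" a packet matching nothing is passed. Tracing a few constructed packets shows which rule actually catches them and that ordinary inbound traffic from external sources matches no rule at all.

```python
import ipaddress
import re

# Constructed copy of the inbound fxp0 rules from the thread (the "pass out ... all
# keep state" rules use a syntax this small parser does not model).
RULES = """
block in log quick on fxp0 from 82.182.0.0/16 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from any to 10.0.0.0/32
block in log quick on fxp0 from any to 10.0.0.255/32
"""

RULE_RE = re.compile(
    r"(?P<action>block|pass) (?P<dir>in|out)(?: log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)")

def parse_rules(text):
    """Parse the subset of ipf.rules syntax used above into dicts, in file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        d = m.groupdict()
        d["src"] = None if d["src"] == "any" else ipaddress.ip_network(d["src"])
        d["dst"] = None if d["dst"] == "any" else ipaddress.ip_network(d["dst"])
        d["quick"] = bool(d["quick"])
        rules.append(d)
    return rules

def matches(rule, direction, iface, src, dst, proto):
    if rule["dir"] != direction or rule["iface"] != iface:
        return False
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["src"] and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    return True

def evaluate(rules, direction, iface, src, dst, proto="tcp"):
    """Return (action, 1-based index of the deciding rule); (pass, 0) means no rule
    matched and the kernel's default (pass all here) applied."""
    result = ("pass", 0)
    for i, rule in enumerate(rules, 1):
        if matches(rule, direction, iface, src, dst, proto):
            result = (rule["action"], i)
            if rule["quick"]:   # quick: stop at the first match
                break
    return result
```

A packet with a 10/8 source aimed at 10.0.0.255 is decided by rule 4 and never reaches rule 8; a packet from an external address to the firewall's own 1.2.3.4 matches nothing and is passed by default, so this ruleset does not actually restrict inbound connections.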
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"