>> Nicholas wrote:
>>
>> I am currently running a couple of 6.1 and 5.4 servers as firewall /
>> routers for my company. I am experiencing some problems on the 6.1
>> server with ipfilter where it blocks oow (out of window) packets. I
>> have tried to update to the latest version of ipfilter but was
>> unable to compile my kernel after running the kupgrade script in the
>> ipf source folder. Does anyone have any hacks / patches that they have
>> used to get ipfilter version 4.1.13 running on FreeBSD 6.1-Release?
>>
>> Regards,
>> Nicholas
>
> Fbsd wrote:
>
> I run 6.1 with ipfilter and LAN full of window boxes NO PROBLEM.
>
> You need to provide a much greater level of details before making
> such unfounded statements as ipfilter is broken.

I never said that ipfilter was in any way broken, just that I was experiencing problems running it since moving to a 6.1 server. My apologies for not making myself clearer.

> Your rule set is most likely incorrect.
>
> Post description of your firewall/LAN setup along with your complete
> rule set for review by list.

Very well, here is some more information, but I am not about to post my entire ruleset on a publicly searchable mailing list.

Extract from ipfstat -ni

@2 block in quick on em0 all head 1
...
@9 pass in quick on em0 proto tcp from 184.108.40.206/32 to any port = http flags S/FSRPAU keep state group 1
...
@19 block in log quick on em0 all group 1

Ipmon output

08/06/2006 14:23:01.652653 STATE:NEW 220.127.116.11,53269 -> 18.104.22.168,80 PR tcp
...
08/06/2006 14:23:31.221693 em0 @1:20 b 22.214.171.124,53269 -> 126.96.36.199,80 PR tcp len 20 64 -S IN OOW
08/06/2006 14:23:31.674548 STATE:NEW 188.8.131.52,50949 -> 184.108.40.206,80 PR tcp
08/06/2006 14:23:32.915562 STATE:NEW 220.127.116.11,53465 -> 18.104.22.168,80 PR tcp
08/06/2006 14:23:34.219658 em0 @1:20 b 22.214.171.124,53269 -> 126.96.36.199,80 PR tcp len 20 64 -S IN OOW

The 165.x.x.x IP address is from an ADSL line I was using to troubleshoot the problem (I was the only person using the line so it made tcpdumps etc. easier to read, less noise).

In our environment the problem was easily resolved by disabling SACKS on the Windows 2003 servers behind my firewall (something I have just finished testing). But I would still like someone to please point me in the right direction insofar as updating IPFilter to 4.1.13 under FreeBSD 6.1, as this solution is not to my liking.

Regards,
Nicholas

_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
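
The ipmon lines quoted in the message above can be triaged mechanically. The following is an added example, not part of the original post or of ipfilter: it pairs each OOW block with the earlier STATE:NEW entry for the same source/destination address and port, and reports how old the state was when the packet was dropped. The function names, the day/month/year timestamp order and the sample lines (RFC 5737 documentation addresses) are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the same layout as the ipmon lines quoted above;
# addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE = """\
08/06/2006 14:23:01.652653 STATE:NEW 198.51.100.7,53269 -> 192.0.2.10,80 PR tcp
08/06/2006 14:23:31.221693 em0 @1:20 b 198.51.100.7,53269 -> 192.0.2.10,80 PR tcp len 20 64 -S IN OOW
08/06/2006 14:23:31.674548 STATE:NEW 198.51.100.7,50949 -> 192.0.2.10,80 PR tcp
08/06/2006 14:23:34.219658 em0 @1:20 b 198.51.100.7,53269 -> 192.0.2.10,80 PR tcp len 20 64 -S IN OOW
08/06/2006 14:23:40.000000 em0 @1:20 b 203.0.113.5,40000 -> 192.0.2.10,80 PR tcp len 20 40 -A IN OOW
"""

LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) "
    r"(?:(?P<state>STATE:\w+)|(?P<ifname>\S+) @(?P<rule>\d+:\d+) (?P<act>\S+)) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+)(?: len \d+ \d+ -(?P<flags>[A-Z]+))?(?P<tail>.*)$"
)

def parse(line):
    """Return a dict for one ipmon line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: timestamps are in day/month/year order.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S.%f")
    rec["flow"] = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    rec["oow"] = "OOW" in rec["tail"].split()
    return rec

def oow_report(text):
    """Pair every OOW block with the STATE:NEW that created its flow."""
    created, report = {}, []
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["state"] == "STATE:NEW":
            created[rec["flow"]] = rec["ts"]
        elif rec["oow"]:
            born = created.get(rec["flow"])
            age = round((rec["ts"] - born).total_seconds(), 3) if born else None
            report.append((rec["flow"], rec["flags"], rec["rule"], age))
    return report

if __name__ == "__main__":
    for flow, flags, rule, age in oow_report(SAMPLE):
        print(flow, "flags", flags, "rule", rule, "state age (s)", age)
```

An age of None means no STATE:NEW line for that flow was seen in the input, so the state was created before the capture started or the log is incomplete.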