I've recently upgraded my home firewall from FreeBSD 5.4 (IPfilter v3.4.35) to FreeBSD 6.2-RELEASE (IPfilter v4.1.13) and am now having problems with IPfilter randomly blocking packets on both the internal and external interfaces.
This morning, I had a couple of ssh connections from an internal host to my firewall drop out with the following logged:

Feb 17 08:50:00 fwall sshd[13919]: fatal: Write failed: Network is unreachable
Feb 17 08:50:00 fwall sshd[13747]: fatal: Write failed: Network is unreachable
Feb 17 08:50:01 fwall ipmon[13795]: 08:50:00.888727 fxp1 @20:4 b 192.168.234.1,22 -> 192.168.234.164,51955 PR tcp len 20 468 -AP 457306297 554349920 33304 OUT
Feb 17 08:50:01 fwall ipmon[13795]: 08:50:00.904192 fxp1 @20:4 b 192.168.234.1,22 -> 192.168.234.164,51235 PR tcp len 20 180 -AP 1754826132 2941552523 33304 OUT

Both connections had been up and exchanging data for a couple of minutes and then died for no obvious reason. I've had similar dropouts on FTP and HTTP transfers. I'm also seeing ntpd report occasional "Network is unreachable" problems on the external interface, which look like the same problem.

Can anyone offer any suggestions?

My ipf rules follow. fxp0 is the external interface and fxp1 (192.168.234.1/24) is the internal interface.
# ---- Outbound rules ----

# Loopback: pass everything
pass out quick on lo0 all

# Outbound on the internal interface (fxp1): group 20
# Only the firewall's own NTP, SSH and SMTP client traffic to the LAN is
# passed explicitly; everything else relies on an existing state entry or
# falls through to the logged block at the end of the group.
block out quick on fxp1 all head 20
pass out quick on fxp1 proto udp from 192.168.234.1/32 to 192.168.234.0/24 port = ntp group 20
pass out quick on fxp1 proto tcp from 192.168.234.1/32 to 192.168.234.0/24 port = ssh flags S/FSRPAU keep state group 20
pass out quick on fxp1 proto tcp from 192.168.234.1/32 to 192.168.234.0/24 port = smtp flags S/FSRPAU keep state group 20
block out log quick all group 20

# Outbound on the external interface (fxp0): group 21
# Private, loopback, link-local, test-net, multicast and other unroutable
# source addresses must never leave fxp0 (anti-spoofing egress filter).
block out quick on fxp0 all head 21
block out quick on fxp0 from 192.168.0.0/16 to any group 21
block out quick on fxp0 from 172.16.0.0/12 to any group 21
block out quick on fxp0 from 10.0.0.0/8 to any group 21
block out quick on fxp0 from 127.0.0.0/8 to any group 21
block out quick on fxp0 from 0.0.0.0/8 to any group 21
block out quick on fxp0 from 169.254.0.0/16 to any group 21
block out quick on fxp0 from 192.0.2.0/24 to any group 21
block out quick on fxp0 from 204.152.64.0/23 to any group 21
block out quick on fxp0 from 224.0.0.0/3 to any group 21
# Stateful pass for new outbound TCP (SYN only), UDP and ICMP
pass out quick on fxp0 proto tcp from any to any flags S/FSRPAU keep state keep frags group 21
pass out quick on fxp0 proto udp from any to any keep state keep frags group 21
pass out quick on fxp0 proto icmp from any to any keep state group 21
block out log quick all group 21

# Catch-all for any other interface
block out log all

# ---- Inbound rules ----

# Loopback: pass everything
pass in quick on lo0 all

# Inbound on the internal interface (fxp1): group 10
# Anything from the LAN is allowed and creates state for the replies.
block in quick on fxp1 all head 10
pass in quick on fxp1 proto tcp from any to any flags S/FSRPAU keep state keep frags group 10
pass in quick on fxp1 proto udp from any to any keep state keep frags group 10
pass in quick on fxp1 proto icmp from any to any keep state keep frags group 10
block in log quick all group 10

# Inbound on the external interface (fxp0): group 11
# Same unroutable-source list as group 21, plus inbound multicast,
# NetBIOS name service and ICMP echo requests.
block in quick on fxp0 all head 11
block in quick on fxp0 from 192.168.0.0/16 to any group 11
block in quick on fxp0 from 172.16.0.0/12 to any group 11
block in quick on fxp0 from 10.0.0.0/8 to any group 11
block in quick on fxp0 from 127.0.0.0/8 to any group 11
block in quick on fxp0 from 0.0.0.0/8 to any group 11
block in quick on fxp0 from 169.254.0.0/16 to any group 11
block in quick on fxp0 from 192.0.2.0/24 to any group 11
block in quick on fxp0 from 204.152.64.0/23 to any group 11
block in quick on fxp0 from 224.0.0.0/3 to any group 11
block in quick on fxp0 from any to 224.0.0.0/3 group 11
block in quick on fxp0 proto udp from any to any port = netbios-ns group 11
block in quick on fxp0 proto icmp from any to any icmp-type echo group 11
# Only SSH and HTTP to one internal host are accepted from outside
pass in quick on fxp0 proto tcp from any to 192.168.234.124/32 port = ssh flags S/FSRPAU keep state keep frags group 11
pass in quick on fxp0 proto tcp from any to 192.168.234.124/32 port = http flags S/FSRPAU keep state keep frags group 11
block in log quick all group 11

# Catch-all for any other interface
block in log all

-- 
Peter Jeremy
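To pin down which rule produced a logged drop, here is an added example (not code from the post and not part of IPfilter) that decodes ipmon(8) lines in the format shown above, where "@20:4 b" means group 20, rule 4, blocked, and maps that back to the rule text by counting rules per group and direction in ipf.conf order. The two log lines and the outbound rule subset embedded in it are copied from the post; the assumption is that rule numbers count from 1 within each group, separately for the in and out lists, as ipfstat -n displays them.

```python
"""Decode ipmon(8) log lines and resolve "@group:rule" to the ipf.conf rule.

Added example; SAMPLE_LOG and RULESET below are copied from the post above
(the syslog prefix is kept so the parser is exercised on real lines).
"""
import re
from typing import Dict, Optional, Tuple

SAMPLE_LOG = [
    "Feb 17 08:50:01 fwall ipmon[13795]: 08:50:00.888727 fxp1 @20:4 b "
    "192.168.234.1,22 -> 192.168.234.164,51955 PR tcp len 20 468 -AP "
    "457306297 554349920 33304 OUT",
    "Feb 17 08:50:01 fwall ipmon[13795]: 08:50:00.904192 fxp1 @20:4 b "
    "192.168.234.1,22 -> 192.168.234.164,51235 PR tcp len 20 180 -AP "
    "1754826132 2941552523 33304 OUT",
]

# Outbound rules for lo0 and fxp1 from the post's ipf.conf, in file order.
RULESET = """
pass out quick on lo0 all
block out quick on fxp1 all head 20
pass out quick on fxp1 proto udp from 192.168.234.1/32 to 192.168.234.0/24 port = ntp group 20
pass out quick on fxp1 proto tcp from 192.168.234.1/32 to 192.168.234.0/24 port = ssh flags S/FSRPAU keep state group 20
pass out quick on fxp1 proto tcp from 192.168.234.1/32 to 192.168.234.0/24 port = smtp flags S/FSRPAU keep state group 20
block out log quick all group 20
"""

# Action letters as documented in ipmon(8).
ACTIONS = {"b": "blocked", "p": "passed", "S": "short", "n": "nomatch", "L": "logged"}

# time iface @group:rule action src[,port] -> dst[,port] PR proto len hlen tlen ... IN|OUT
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\S+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\S+))?\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?P<extra>.*?)\s+(?P<direction>IN|OUT)\b"
)

# Trailing "group N" on a rule puts it in that group; otherwise it is group 0.
GROUP_RE = re.compile(r"\bgroup\s+(\d+)\s*$")

RuleKey = Tuple[int, str, int]  # (group, direction, rule number)


def _port(value: Optional[str]):
    """Ports are numeric unless ipmon resolved them to a service name."""
    if value is None:
        return None
    return int(value) if value.isdigit() else value


def parse_ipmon(line: str) -> Optional[dict]:
    """Return the decoded fields of one ipmon line, or None if it is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": d["time"],
        "ifname": d["ifname"],
        "group": int(d["group"]),
        "rule": int(d["rule"]),
        "action": ACTIONS.get(d["action"], d["action"]),
        "src": d["src"], "sport": _port(d["sport"]),
        "dst": d["dst"], "dport": _port(d["dport"]),
        "proto": d["proto"],
        "ip_hlen": int(d["hlen"]), "ip_len": int(d["tlen"]),
        "extra": d["extra"].strip(),          # TCP flags/seq/ack/win, ICMP type, ...
        "direction": d["direction"].lower(),  # "in" or "out"
    }


def load_rules(text: str) -> Dict[RuleKey, str]:
    """Number rules per (group, direction) in file order, starting at 1."""
    rules: Dict[RuleKey, str] = {}
    counters: Dict[Tuple[int, str], int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction = line.split()[1]          # second token is "in" or "out"
        m = GROUP_RE.search(line)
        group = int(m.group(1)) if m else 0
        n = counters.get((group, direction), 0) + 1
        counters[(group, direction)] = n
        rules[(group, direction, n)] = line
    return rules


def explain(line: str, rules: Dict[RuleKey, str]) -> Optional[dict]:
    """Decode a log line and attach the rule text that "@group:rule" refers to."""
    rec = parse_ipmon(line)
    if rec is not None:
        rec["matched_rule"] = rules.get((rec["group"], rec["direction"], rec["rule"]))
    return rec


if __name__ == "__main__":
    table = load_rules(RULESET)
    for entry in SAMPLE_LOG:
        r = explain(entry, table)
        print(f'{r["ifname"]} {r["direction"]} {r["action"]} {r["proto"]} '
              f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'@{r["group"]}:{r["rule"]} = {r["matched_rule"]!r}')
```

On the two lines above this resolves @20:4 to "block out log quick all group 20", the catch-all at the end of the fxp1 outbound group. Those packets have source port 22 and a high destination port, so none of the explicit pass rules in group 20 (which match on destination port) can apply to them; the only way they could have been passed is an existing state entry created by the inbound SYN on fxp1.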
