On Mon, May 11, 2009 at 01:07:46PM -0700, Jason Chambers wrote:
> Jonas Bülow wrote:
> >
> > After reboot it was not reachable from the network. After some
> > troubleshooting I found that ipfilter seems to be the problem. Returning
> > traffic originating from my host (XXX) is blocked:
> >
> (..
Jonas Bülow wrote:
>
> After reboot it was not reachable from the network. After some
> troubleshooting I found that ipfilter seems to be the problem. Returning
> traffic originating from my host (XXX) is blocked:
>
(... snip ...)
>
> Anyone seen this behaviour?
>
Yes. This appears to have ma
On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
>
> >On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
> >
> >
> >>Hello List,
> >>
> >>I posted a while ago that our testers of our network appliance were
> >>complaining that browsing was slower when using our ap
viper wrote:
On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
Hello List,
I posted a while ago that our testers of our network appliance were
complaining that browsing was slower when using our appliance based on
6.x as compared to our appliance using 4.9 FreeBSD.
Well it turns o
On Sat, 30 Sep 2006 20:30:28 -0400
Matt Herzog <[EMAIL PROTECTED]> wrote:
> As the Subject states, I'm trying to get a FreeBSD 6.1 on sparc64 to be a
> firewall/gateway/nat machine using a IPFILTER_DEFAULT_BLOCK kernel.
> (hme0 is the external NIC. hme1 is the internal NIC.)
>
> If I remove the l
Darren,
On Sun, Feb 26, 2006 at 12:16:05PM +, Darren Reed wrote:
D> > Root of the problem is inside ipfilter - if driver use 'partial' (i.e. without
D> > pseudo header) rx checksum offloading ipfilter fails to calculate checksum
D> > correctly (it's using ip packet length (ip_fil_freebsd.c:
On Tue, Jan 31, 2006 at 12:09:13PM +0300, Oleg Bulyzhin wrote:
> > > Btw, until recent changes bge had txcsum (not rxcsum) only.
> > >
> > > As i can see there is no problem with checksum's at all (at least inside
> > > bge driver). tcpdump reports bad checksum on outgoing packets due to
> > > nat
On Thu, Feb 02, 2006 at 11:23:10AM +0100, Koen Martens wrote:
> David Wilhelm wrote:
> > On Tue, Jan 31, 2006 at 12:09:13PM +0300, Oleg Bulyzhin wrote:
> >
> >>Could you please test attached patch?
> >
> >
> >>This patch enables 'full' rxcsum offloading so ipfilter's bug should not be
> >>trigge
David Wilhelm wrote:
> On Tue, Jan 31, 2006 at 12:09:13PM +0300, Oleg Bulyzhin wrote:
>
>>Could you please test attached patch?
>
>
>>This patch enables 'full' rxcsum offloading so ipfilter's bug should not be
>>triggered.
>
>
> FYI, the patch works for me; the checksum errors still show in tc
On Tue, Jan 31, 2006 at 12:09:13PM +0300, Oleg Bulyzhin wrote:
> Could you please test attached patch?
> This patch enables 'full' rxcsum offloading so ipfilter's bug should not be
> triggered.
FYI, the patch works for me; the checksum errors still show in tcpdump,
but ipfilter doesn't choke on t
On Sun, Jan 29, 2006 at 03:01:12PM +0100, Koen Martens wrote:
> Oleg Bulyzhin wrote:
> > On Sat, Jan 28, 2006 at 11:16:31PM +0100, Koen Martens wrote:
> >>Sure thing, although it happens with other kinds of traffic too (in
> >>the dump, there's some NTP for example). Here's the netstat output
> >>b
Oleg Bulyzhin wrote:
> On Sat, Jan 28, 2006 at 11:16:31PM +0100, Koen Martens wrote:
>>Sure thing, although it happens with other kinds of traffic too (in
>>the dump, there's some NTP for example). Here's the netstat output
>>before:
>
>
> Btw, until recent changes bge had txcsum (not rxcsum)
On Sat, 2006-Jan-28 16:32:54 +0100, Koen Martens wrote:
>Yesterday night, i was going to send the message below. However,
>just before pressing send, i found a solution to the problem:
>disable checksum checks (ifconfig bge0 -rxcsum -txcsum). Though this
>is a solution, it has me puzzled. Is this a
On Sat, Jan 28, 2006 at 11:16:31PM +0100, Koen Martens wrote:
> Oleg Bulyzhin wrote:
> > Could you please run 'tcpdump -nvi bge0' while you are generating
> > dns traffic (having bge0 checksum offloading on)?
> >
> > 'netstat -sp udp' output might be helpful too.
>
> Sure thing, although it happe
Oleg Bulyzhin wrote:
> Could you please run 'tcpdump -nvi bge0' while you are generating
> dns traffic (having bge0 checksum offloading on)?
>
> 'netstat -sp udp' output might be helpful too.
Sure thing, although it happens with other kinds of traffic too (in
the dump, there's some NTP for exampl
On Sat, Jan 28, 2006 at 04:32:54PM +0100, Koen Martens wrote:
> Hi All,
>
> Yesterday night, i was going to send the message below. However,
> just before pressing send, i found a solution to the problem:
> disable checksum checks (ifconfig bge0 -rxcsum -txcsum). Though this
> is a solution, it ha
Koen Martens wrote:
[ ... ]
> With 5.4, there was only the rxcsum option for the bge card, not a
> txcsum. It worked fine with rxcsum enabled on 5.4..
>
> What are the consequences of disabling {rx,tx}csum? What is wrong
> with enabling it on 6-STABLE?
The consequence is your CPU has to spend the
On Friday 23 December 2005 14:51, Koen Martens wrote:
> Melvyn Sopacua wrote:
> >On Friday 23 December 2005 11:12, Koen Martens wrote:
> >>Just a smallish issue with ipfilter and upgrading from 5.4 to 6-STABLE.
> >>The ipfilter implementation in the 6-STABLE kernel errs on the commands
> >>sent by
Melvyn Sopacua wrote:
On Friday 23 December 2005 11:12, Koen Martens wrote:
Just a smallish issue with ipfilter and upgrading from 5.4 to 6-STABLE.
The ipfilter implementation in the 6-STABLE kernel errs on the commands
sent by the 5.4 ipf binary. This can be an issue when you are upgrading
On Friday 23 December 2005 11:12, Koen Martens wrote:
> Just a smallish issue with ipfilter and upgrading from 5.4 to 6-STABLE.
> The ipfilter implementation in the 6-STABLE kernel errs on the commands
> sent by the 5.4 ipf binary. This can be an issue when you are upgrading
> remotely without ser
On Jan 22 at 17:55, Barry Pederson spoke:
> Brooks Davis wrote:
>
> >You missed the line four lines below options IPFILTER:
> >
> >options PFIL_HOOKS #required by IPFILTER
>
> Can we put PFIL_HOOKS in the GENERIC kernel config, so a person doesn't
> have to recompile the ker
Brooks Davis wrote:
On Fri, Jan 23, 2004 at 12:13:16AM +0100, Hanspeter Roth wrote:
Hello,
I'm trying to configure IPFILTER in 5.2-Release. But the compilation
fails:
cc -c -O -pipe -mcpu=pentiumpro -Wall -Wredundant-decls -Wnested-externs
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-ar
On Tue, Dec 17, 2002 at 04:59:37PM -0600, Craig Boston wrote:
> On Tue, 2002-12-17 at 13:02, Clifton Royston wrote:
> > ipf does have the ability to more correctly simulate a closed port.
> > I did a similar exercise on my personal OpenBSD firewall box earlier
> > this year; I won't go through
On Tue, 2002-12-17 at 13:02, Clifton Royston wrote:
> ipf does have the ability to more correctly simulate a closed port.
> I did a similar exercise on my personal OpenBSD firewall box earlier
> this year; I won't go through your whole ruleset, but basically for
> every TCP port you block, you
(This probably belonged on -security or -questions or someplace
else...)
> Date: Mon, 16 Dec 2002 13:55:48 -0500
> From: "Robin P. Blanchard" <[EMAIL PROTECTED]>
> Subject: ipfilter / ipnat quandry
>
> - -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
Jens Rehsack([EMAIL PROTECTED])@2002.05.06 15:04:14 +:
> "Karsten W. Rohrbach" wrote:
> > pass in quick on isp0 proto tcp from any to any port = 80 flags S/SA keep state
> > # we want state added when establishing a
> > # session, not for every t
Jens Rehsack([EMAIL PROTECTED])@2002.05.06 00:46:58 +:
> "Karsten W. Rohrbach" wrote:
> >
> > Michael Riexinger([EMAIL PROTECTED])@2002.05.05 15:32:04 +:
> > > On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > > the problem can only be analyzed efficiently if you show us the r
"Karsten W. Rohrbach" wrote:
>
> Michael Riexinger([EMAIL PROTECTED])@2002.05.05 15:32:04 +:
> > On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > the problem can only be analyzed efficiently if you show us the rest of
> > > the ruleset. anything else is pure guesswork, based on a
[This belongs on -questions, I've cced]
On Thursday 04 October 2001 08:31, Robin P. Blanchard wrote:
> every now and then in my ipflog i see that ipfilter has blocked packets
> from the internet destined for machines on my internal network:
>
> 01/10/2001 19:30:54.722906 3x dc0 @0:23 b 207.68.131
All rules like this:
pass out quick on * proto tcp from any to any keep state
should have a "flags S" in them.
Darren
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message
On Sun, Aug 05, 2001 at 03:11:46PM -0400, Normand Leclerc wrote:
: When I run ipf -Fa -v -f /etc/ipf.rules, I get this output:
: [pass in all]
: pass in from any to any
: 1:ioctl(add/insert rule): No such process
: [pass out all]
: pass out from any to any
: 2:ioctl(add/insert rule): No such proce
--- Normand Leclerc <[EMAIL PROTECTED]> wrote:
> I unfortunately did a cvsupdate so I'm running on 4.4-pre. Ipf is
> v3.4.16 and kernel seems to be v3.4.20 ... Of course I should be
> upgrading ipf but unfortunately, cvsup for src-sbin gives a Makefile
> and an empty dir in ipf directory
Eric Veraart [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 05, 2001 5:34 PM
To: Normand Leclerc
Cc: [EMAIL PROTECTED]
Subject: Re: IPFilter, no such process?
Which version are you running?
Normand Leclerc wrote:
>
> Hi Eric,
>
> Sorry about the HTML, I thought I removed it from
Eric
After cvsup'ing to the prerelease version, I had
exactly the same problem. I also couldn't
contact that box by anything other than at the
console. I mucked around a bit with the configuration
and in absolute desperation even resorted to reading
UPDATING.
For me, the problem was not having m
ECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Veraart
> Sent: Sunday, August 05, 2001 4:44 PM
> To: Normand Leclerc; [EMAIL PROTECTED]
> Subject: Re: IPFilter, no such process?
>
> First of all, please don't mail in HTML format. It makes replying kind
> of hard
Leclerc; [EMAIL PROTECTED]
Subject: Re: IPFilter, no such process?
First of all, please don't mail in HTML format. It makes replying kind
of hard for me.
As what user are you logged in?
Greetings,
Eric
* Andrew Boothman <[EMAIL PROTECTED]> [010713 00:09]:
> Replying to my own message, the subject of this message should have course
>
> have been "_ipfilter_ Module Breakage".
>
> > ===> ipfilter
Search the archives of this mailing list, about a month ago.
ipf moved oin the base system and borke
Brian Behlendorf([EMAIL PROTECTED])@2001.06.06 22:21:29 +:
> On Wed, 6 Jun 2001, Gordon Tetlow wrote:
> > I removed Darren from the CC list as I don't think he really needs to be
> > in on this discussion
> >
> > On Mon, 4 Jun 2001, Thomas T. Veldhouse wrote:
> >
> > > While meaning no dis
In message <3A743E72.3727.1396DB@localhost>, "Bruno Miguel" writes:
> > Cy Schubert - ITSD Open Systems Group wrote:
> >
> > > You're probably better off installing IPF 3.4.16. There have been many
> > > bugfixes and improvements since 3.4.8 (version of IPF packaged with
> > > FreeBSD-STABLE).
>
Very interesting. I came across that ftp problem, and was considering upping
to 3.4.16, but I didn't want to go through the rebuilding of ipfilter every time
I upgrade FBSD. I quickly glanced at the man page for loader.conf and it seems
that you can have modules & flags set in the file. So I jus
> Still reading on this ipfilter for use with ppp0. I made a set of rules
> and tested them out with ipftest and it just hung there. in controlled c
> out of it no problem. Whatever.
what ipfilter are you using on which version of FreeBSD ?
kernel, module ?
> I am confused as to what i sho
On Mon, 16 Oct 2000, Gabriel Ambuehl wrote:
> Hello,
> I like ipfilter pretty much and after the recent release of 3.4.11 I'm
> wondering if there are any plans to merge it into 4-STABLE (where's
> still 3.4.8 which has got some issues with the FTP proxy)?
Are there known problems with 3.4.8 that
On Fri, Aug 18, 2000 at 01:59:14PM -0500, Shawn Barnhart wrote:
> While I'm creating a potential religious debate, does ipfilter allow you
> to output your rules in a format that enables them to be read in by ipf?
> In other words, can you do ipf list > foo and then do ipf add -f foo ?
>
> One th
On Fri, 21 Jul 2000, Loren Koss wrote:
> On Fri, 21 Jul 2000 [EMAIL PROTECTED] wrote:
> > I just tried...
> >
> > rdr wb0 x.x.x.x/32 port 79 -> y.y.y.y port 79 tcp
> > rdr wb0 x.x.x.x/32 port 13 -> y.y.y.y port 13 tcp
> >
> > ...and could telnet to both port 79 and 13 on y.y.y.y with no
> > pro
Whoa.. from outside your network you could telnet to y.y.y.y?? For me, I
won't be able to since it is a 192.168.1.x network.. from inside my
network, sure I can telnet to it.. Did you mean you could telnet to
x.x.x.x 79 and 13?
Regarding what's not working, when i call ipnat -f ipnat.conf it say
On Thu, 20 Jul 2000, Loren Koss wrote:
> Has anyone tried to redirect more than one port using IPNat? It doesn't
> seem to work.. Is there a patch?
>
> rdr rl0 a.b.c.d port 80 -> 192.168.1.10 port 80
> rdr rl0 a.b.c.d port 2000 -> 192.168.1.10 port 2000
>
> The second one won't work..
I just t
On Jun 3, 3:57am, Ilya Balashov (possibly) wrote:
> i using freebsd 3.2-stable with ipfw... for some reasons, i try to change
> ipfw (options IPFIREWALL) and ipf (options IPFILTER)...
>
> but after reconfigure my system with ipfilter (NAT+accounting+some blocking
> rules), i have critical proble
47 matches