Jason Chambers wrote:
Hello all,
Wondering if anyone else can reproduce this?
The kernel I have compiled includes VIMAGE with SCTP disabled. Might be
a contributing factor. Additionally, there's a problem with the em
interface.. see "em interface slow down on 8.0R".
To reproduce, have IPF start at
Hugo Koji Kobayashi wrote:
Hello,
While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).
Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do
Ok. I understand that, but in FreeBSD 4.11 it works and without the
"keep frags" the query is blocked. Is it just a misbehaviour of
an old ipf version?
And there is also the different behaviour of pf under OpenBSD. As I
understand, the "scrub" rule should reassemble the fr
>
> This should be rejected as "keep frags" is meaningless here.
>
> pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag
The reason is that "ip
This should be rejected as "keep frags" is meaningless here.
pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
keep state keep frags
You need
pass in quick from any to any with frag keep frag
--
Mark Andrews, ISC
1 Seymour St., Dun
> WAN_IP/32
>     |
>    tun0
>     |
>  |---------|
>  | FreeBSD |
>  |---------|
>   /       \
> xl0       xl1
>  /         \
> 192.168.0.0/24   DMZ_BLOCK/29
>
> I often experience i
Hello,
Yesterday, when I was looking for a solution that can replace the following command from
Linux:
ip route add default via x.x.x.x src y.y.y.y
So I tried with ipf and executed the following rule (yes, this is silly):
--
pass out quick on rl0 to rl0:y.y.y.y from x.x.x.x to any keep state
--
On rl0 I
hat's necessary.
I use ipfw with my Vonage service, but there's nothing special that I do
for NAT. I don't do ipf..
Louis Mamakos
Vladimir Botka wrote:
Hello,
if your "Vonage linksys RT31P2" talks H323 try /usr/ports/net/gatekeeper
in proxy mode.
Cheers,
Vladi
rent Setup
--
I've tried various nat rules and ipf filter settings.. here are the
current mappings and setup.. the kernel is GENERIC w/ the debugging
stuff put in it.
IPNAT RULES
map vr0 10.69.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map vr0 10
Hi Damon,
On 12.06.2005 at 23:02 Damon Hopkins wrote:
Tracing pid 27 tid 100021 td 0xc15a4180
mcopydata(c17fa400,0,38,c193abc0,0) at m_copydata+0x28
ipllog(0,d3d46bc8,d3d46b50,d3d46b48,d3d46b40) at ipllog+0x1f1
ipflog(105819,c17fa450,d3d46bc8,c17fa400,0) at ipflog+0x18f
fr_check(c17fa450,14,c1
I can reproduce this very easily.. I pick up my phone and make a call
It looks like ipf is not handling fragmented UDP responses
correctly. Is there anything in particular that I need to
say to ipf to make it process the fragments? Unfragmented
responses make it through the firewall. It appears to be
independent of
r_ipidtail = fra;
fra->ipfr_prev = ipfr_ipidtail;
ipfr_ipidtail = &fra->ipfr_next;
@@ -576,7 +583,7 @@
READ_ENTER(&ipf_ipidfrag);
ipf = fr_fraglookup(fin, ipfr_ipidtab);
if (ipf != NULL)
- id = (u_32_t)ipf->ip
Hi
I've tried to import IPF 4.1.8 into freebsd-stable (5.4). It's the first time I
have tried something similar. The problem is that the kernel fails to compile (it
needs 3 parameters somewhere, but gets only 2... or what). I followed the
readme for freebsd-5. Any help?
Jan Se
IPF in 4.11, 4-Stable breaks the semantics of icmp
keep-state rules. This problem was mentioned in
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0503/31/1/2/1/1.html
I wouldn't make a fuss over this simple matter
except that this constitutes a POLA violation.
To that end, the followi
On Fri, Nov 05, 2004 at 09:30:33PM +0100, Derkjan de Haan wrote:
> >I can't seem to find any PR matching this problem, however...
> I have just filed my first PR. Let's see how it goes.
Duplicates PR 70492.
--
Paweł Małachowski
- Original Message -
From: "Dimitry Andric" <[EMAIL PROTECTED]>
To: "Derkjan de Haan" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, November 05, 2004 8:54 PM
Subject: Re: ipf
I can't seem to find any PR matching this problem, howe
On 2004-11-05 at 19:12:17 Derkjan de Haan wrote:
> I don't think that's the case here. I'm using a recent 4-stable and I'm
> seeing the same:
> ipf: IP Filter: v3.4.31 (336)
> Kernel: IP Filter: v3.4.35
Hm, now that you said this, I was reminded
There's your problem: your userland is out of sync with your kernel.
Just rebuild your system (i.e. kernel AND userland) to get rid of the
problem.
I don't think that's the case here. I'm using a recent 4-stable and I'm
seeing the same:
ipf: IP Filter: v3.4.31 (336)
K
On 2004-11-05 at 02:29:34 zen wrote:
> my problems are when i run ipfstat -t the source and destination ips
> are all zero.
==snip==
> ipf: IP Filter: v3.4.31 (336)
> Kernel: IP Filter: v3.4.35
Hi FreeBSDers ;
I have a few questions regarding ipf.
I've been searching through the web but still didn't find
the answer for my problem(s).
My problems are: when I run ipfstat -t the source and destination IPs
are all zero,
and when i look the version
ually firewalled. I could be
mistaken, but I don't think you can get ipf to filter bridged packets
in 4.9. You could use ipfw2 to do it though:
sysctl net.link.ether.bridge_ipfw=1
ipfw add deny layer2 mac-type ipv6 recv tun1
(You'll need to turn on ipfw2 to do this - see the ip
> it a problem in FreeBSD?
>
> Bridged packets are special and are not usually firewalled. I could be
> mistaken, but I don't think you can get ipf to filter bridged packets
> in 4.9. You could use ipfw2 to do it though:
>
> sysctl net.link.ether.bridge_ipfw=1
> ipf
telling them to log in. I have actually reworked my ipfw
rules so I don't need ipf anymore and it's all working. :)
This thread can be dropped unless you all want to discuss the ordering
more. IMHO Christ is right.
Who's arguing?
Your original query was not specific enough.
Maybe
> p? http://dk.shopping.yahoo.com/pcsupport/index.html
> >>
> >>
> >>OTOH if you only need ipnat and not ipfilter you can do this...
> >>
> >>Don't compile in ipf. Turn on ipnat in rc.conf it will run after all the
> >> ipfw rules.
> >>
inutes of being done with it. I
retract that statement.
But, does anyone have any insight as to why it disappears from view
until ipmon reports that it has been closed? (I can't see it in the
ipfstat -t output)
> connection is closed, how does IPF determine how long to leave an entry
>
er (or so it appears). Once a
connection is closed, how does IPF determine how long to leave an entry
in the state table for? Is it based on the TTL of a packet finalizing
the close of the connection?
TIA
--
Ben Lovett
Dear list members,
I would need some help on ipf.
Problem:
ipf firewall with ipnat won't allow login on itself and won't allow
outgoing traffic from itself.
From the intranet (192.168.0.0/8) to the internet all works as I
wanted.
my ipf.rules is:
# i have read this should be
After cvsup'ing last night, and build, install, world, merging /etc, I found
at bootup that ipf was not starting. The error message was very
difficult to see but it looked like somewhere
"fopen" was not able to open ipf. So as a quick fix I put my "ipf -Fa -f
In case I didn't make myself clear - I meant to say that you move the
user ppp section of the script so that it is right before the ipf
section. I'm filled with Nyquil and have a head cold right now, so I
apologize if I'm not totally coherent. ;-)
Janet Sullivan wrote:
>
You can edit /etc/rc.network and move the entire user ppp section of the
script right before the ipf section. Then ipf -y'ing won't be
necessary. It worked for me for several months - after editing
rc.network I just rebooted and from then on I didn't have to manually do
anyth
It will work, you just won't have a working firewall. I filed a PR
about this after discovering that ipf wasn't filtering _any_ packets
coming in. Yech. If you have a static address it may not be an
issue. I use dial-on-demand as well, but with a dynamic address.
- Mike H.
Dat
* Mike Harding <[EMAIL PROTECTED]> [010325 20:06]:
>
> You can specify interfaces by name in your rules - but you have to
> issue 'ipf -y' to sync up with interface address changes. I've done
> this with a dial-up line by putting 'ipf -y' in /etc/rc
Rasputin wrote:
> Afternoon people, just wondered if anyone was using ipf
> with 6-to-4 tunneling (a la freenet6.net)?
freenet6.net does not provide 6to4 tunnelling. 6to4 tunnelling uses the
stf(4) interface and not the gif(4) one.
Maxime
--
Don't be fooled by cheap Finnish imitatio
Afternoon people, just wondered if anyone was using ipf
with 6-to-4 tunneling (a la freenet6.net)?
I'm on a dialup (using gifconfig to build a tunnel through tun0),
so there are no IPs mentioned in the ruleset, apart from
the usual RFC1918 suspects.
If I ping6 outbound to www.normos.org
nday, January 28, 2001 1:23 AM
Subject: Re: ipnat vs natd and ipf vs ipfw (fwd)
> On Sat, Jan 27, 2001 at 19:20 -0500, Espen Oyslebo wrote:
> >
> > Ipfw and ipf to my eye (without glasses that is) seem to do
> > pretty much the same thing. The same is true for ipnat and
> >
> Ipfw and ipf to my eye (without glasses that is) seem to do pretty much the same
> thing. The same is true for ipnat and natd. Of course there are differences
> between the two (right?).
How do you map with a single rule a pool of private addresses into a pool of
real addresses
I have used ipfw because when I started ipfilter was only in the ports.
I have tried several times to use ipfilter but have been unable to
figure out how. The rules for ipfw are fairly simple and are processed
in order. It is easy for me to understand, write and debug them, big
plus.
I hav
matthew zeier writes:
> Can anyone tell me the differences between ipf and ipfw ? Which is
> "better" ?
I've used both ipfilter and ipfw and found them both to be usable. I'm
currently using ipfilter on both FreeBSD and Solaris 2.6. Ipfilter rule
groups are a good id
On Sun, Oct 08, 2000 at 08:51:29PM -0700, matthew zeier wrote:
>
> I tried to apply
>
> http://www.swcp.com/~synk/ipfmerge.patch
>
> on 4.1.1 release.
>
> # cd /etc
> # patch < /tmp/ipfmerge.patch
>
> But got a lot of failed hunks. I don't know anything about patch - is
> my syntax correct?
Can anyone tell me the differences between ipf and ipfw ? Which is
"better" ?
- mz
--
matthew zeier - "There ain't no rules around here. We're trying to
accomplish something." - Thomas Edison