[Solved] [IPF] Rules just don't work for me

thefueley · #1 April 29th, 2012, 07:20

I have a simple ipf.rules setup. My interface is fxp0 but when I have that in my config file, it blocks everything. I can't ping or shell in.

Code:

pass in quick on lo0 all
pass out quick on lo0 all

pass out quick on fxp0 proto udp from any to 10.10.10.1 port = 53 keep state
pass out log quick on fxp0 proto udp from any to any port = 67 keep state
pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

block in log first quick on fxp0 all
block out log first quick on fxp0 all

So I tried to fix it by changing the fxp0 part to any. I was able to login but I noticed that it wasn't reflecting my successful logins (ssh) in ipfstat -ih. I changed the ping and ssh rules to block instead. They didn't block. So as far as I can tell, the any part for the interface really did nothing for me except allow everything in. Any ideas?

fbsd1 · #2 May 5th, 2012, 13:45

Turn on the log function and you will see [bad in] error message on each packet. FreeBSD release version 7.x through 9.0 are all running ipfilter version 4.1.28. This version of ipfilter has a known bug [since 2009] with interfaces that use a hardware checksum function. It seems that motherboards with builtin NICs come with the hardware checksum function enabled. Issue this command from the command line to disable the hardware checksum function: ifconfig fxp0 -rxcsum and your problem will go away.

aa · #3 May 5th, 2012, 16:08

Well.. that such a knowledge

How come it passed out RELEASE unnoticed?

fbsd1 · #4 May 6th, 2012, 14:21

Ipfilter is not maintained by the FreeBSD development team. It's ported from an open source provider. Ipfilter is now at 5.1.1 version and FreeBSD still stays at version 4.1.28. I have posted PR's to get a current version imported into FreeBSD. But the PR is always closed before any real investigation is done about refreshing to a newer version. This subject never gets to the notice of the release team so nothing gets done to correct it. Send in your own pr and see what happens.

thefueley · #5 May 7th, 2012, 01:34

You are awesome! It did work for me. Is there a way to make the -rxcsum permanent? The setting disappears after a reboot.

thefueley · #6 May 7th, 2012, 01:43

Actually, I got it. I found it under the interfaces section, within sysinstall. Thank you again!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[IPF] Regarding IPF rules	shesjustaglitch	Firewalls	1	April 2nd, 2012 06:38
[Solved] Network config don't work on FreeBSD but work on Ubuntu/Debian/OpenBSD; why ?	zyzuz	Networking	7	March 30th, 2012 19:07
my ipf rules	rill	Firewalls	2	October 18th, 2010 13:50
Are there any way to add new rules to pf without write the rules to the pf.conf	tanakorn	Firewalls	2	February 8th, 2010 09:09
[Solved] My first pf rules	locutus	Firewalls	6	October 13th, 2009 10:04

The Following User Says Thank You to fbsd1 For This Useful Post:
thefueley (May 7th, 2012)