[IPF] Rules just don't work for me

Discussion in 'Firewalls' started by thefueley, Apr 29, 2012.

  1. thefueley
    I have a simple ipf.rules setup. My interface is fxp0 but when I have that in my config file, it blocks everything. I can't ping or shell in.

    Code:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    pass out quick on fxp0 proto udp from any to 10.10.10.1 port = 53 keep state
    pass out log quick on fxp0 proto udp from any to any port = 67 keep state
    pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
    pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
    
    block in log first quick on fxp0 all
    block out log first quick on fxp0 all

    So I tried to fix it by changing the fxp0 part to any. I was able to log in, but I noticed that it wasn't reflecting my successful logins (ssh) in ipfstat -ih. I changed the ping and ssh rules to block instead. They didn't block. So as far as I can tell, the any part for the interface really did nothing for me except allow everything in. Any ideas?
     
  2. fbsd1
    Turn on the log function and you will see a [bad in] error message on each packet. FreeBSD release versions 7.x through 9.0 are all running ipfilter version 4.1.28. This version of ipfilter has a known bug [since 2009] with interfaces that use a hardware checksum function. It seems that motherboards with built-in NICs come with the hardware checksum function enabled. Issue this command from the command line to disable the hardware checksum function: ifconfig fxp0 -rxcsum, and your problem will go away.
     
  3. aa
    Well.. that's such knowledge :)
    How come it passed into RELEASE unnoticed?
     
  4. fbsd1
    Ipfilter is not maintained by the FreeBSD development team. It's ported from an open source provider. Ipfilter is now at version 5.1.1 and FreeBSD still stays at version 4.1.28. I have posted PRs to get a current version imported into FreeBSD. But the PR is always closed before any real investigation is done about refreshing to a newer version. This subject never gets to the notice of the release team, so nothing gets done to correct it. Send in your own PR and see what happens.
     
  5. thefueley
    You are awesome! It did work for me. Is there a way to make the -rxcsum permanent? The setting disappears after a reboot.
     
  6. thefueley
    Actually, I got it. I found it under the interfaces section, within sysinstall. Thank you again!
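A small check for the workaround from fbsd1's reply (post 2) and the persistence question in posts 5 and 6, added here as an example and not posted by anyone in the thread: it reads ifconfig(8) output, lists the non-loopback interfaces that still have RXCSUM enabled, and prints both the one-shot ifconfig command and the /etc/rc.conf line that survives a reboot. The sample ifconfig text is constructed, and the "DHCP" keyword in the rc.conf line is an assumption about how the interface is configured.

```sh
#!/bin/sh
# Added example, not posted in the thread: find interfaces whose receive
# checksum offload (RXCSUM) is enabled, the condition fbsd1's reply ties
# to the ipfilter 4.1.28 "bad in" drops, and print the one-shot fix plus
# the /etc/rc.conf line that keeps it across reboots.

# Constructed sample of ifconfig(8) output, standing in for `ifconfig -a`.
SAMPLE='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>'

# Read ifconfig output on stdin; print the name of every non-loopback
# interface whose options line lists RXCSUM, one per line.
rxcsum_ifaces() {
    awk '
        /^[a-z0-9]+: / { iface = $1; sub(/:$/, "", iface); lo = ($0 ~ /LOOPBACK/) }
        /options=.*RXCSUM/ && !lo { print iface }
    '
}

# For each affected interface, print the immediate ifconfig command and
# the rc.conf assignment. "DHCP" is an assumption: put your static
# "inet A.B.C.D netmask ..." arguments there instead if the interface is
# not configured by DHCP.
rxcsum_advice() {
    for i in $(rxcsum_ifaces); do
        printf 'ifconfig %s -rxcsum\n' "$i"
        printf 'ifconfig_%s="DHCP -rxcsum"   # add to /etc/rc.conf\n' "$i"
    done
}

# Demo run over the constructed sample; on a live box use:
#   ifconfig -a | rxcsum_advice
printf '%s\n' "$SAMPLE" | rxcsum_advice
```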