[IPF] Rules just don't work for me

T

thefueley

I have a simple ipf.rules setup. My interface is fxp0 but when I have that in my config file, it blocks everything. I can't ping or shell in.

Code: 
pass in quick on lo0 all
pass out quick on lo0 all

pass out quick on fxp0 proto udp from any to 10.10.10.1 port = 53 keep state
pass out log quick on fxp0 proto udp from any to any port = 67 keep state
pass in quick on fxp0 proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

block in log first quick on fxp0 all
block out log first quick on fxp0 all

So I tried to fix it by changing the fxp0 part to any. I was able to login but I noticed that it wasn't reflecting my successful logins (ssh) in ipfstat -ih. I changed the ping and ssh rules to block instead. They didn't block. So as far as I can tell, the any part for the interface really did nothing for me except allow everything in. Any ideas?
 
Turn on the log function and you will see [bad in] error message on each packet. FreeBSD release version 7.x through 9.0 are all running ipfilter version 4.1.28. This version of ipfilter has a known bug [since 2009] with interfaces that use a hardware checksum function. It seems that motherboards with builtin NICs come with the hardware checksum function enabled. Issue this command from the command line to disable the hardware checksum function: ifconfig fxp0 -rxcsum and your problem will go away.
 
Ipfilter is not maintained by the FreeBSD development team. It's ported from an open source provider. Ipfilter is now at 5.1.1 version and FreeBSD still stays at version 4.1.28. I have posted PR's to get a current version imported into FreeBSD. But the PR is always closed before any real investigation is done about refreshing to a newer version. This subject never gets to the notice of the release team so nothing gets done to correct it. Send in your own pr and see what happens.
 
You are awesome! It did work for me. Is there a way to make the -rxcsum permanent? The setting disappears after a reboot.
 
You must log in or register to reply here.
Back
Top