I want to just block a few classes that must be blocked. It seems like it's partly working , but not all packets are accessible. And moreover I cannot connect from outside. What is wrong? My FreeBSD is 7.3-Stable.
My WAN interface is vlan300 and vlan352 is for a user. The rule for blocking is:
I was trying also with:
instead of these 2 above. <mynet> contains adresses of my network: 79.110.192.0/20
I used tags because I thought it was be the best way, considering that I also have non-public classes that go through nat. In this case, the simplest one there's a public address. I'm opening the window for allowed IP with proper queuing.
Passing rules are:
79_110_199_199D is on vlan352 (specifically the physical interface em0)
79_110_199_199U is on vlan300 (em1)
Queue type is hfsc.
But still some packets are dropped
This topic is basically a continuation of my previous one. From this IP point of view, mostly all Internet connections seem to be working, dns in <my net> pool. This traffic should fall in default queue. But sometimes it gets stuck. Bandwidth tests are showing the right result for upload and download.
I cannot connect from my IP class (79.110.194.135) to this one (79.110.199.199). I haven't checked how it looks when someone announces connection from outside ( !<mynet> ).
My WAN interface is vlan300 and vlan352 is for a user. The rule for blocking is:
Code:
rule 28/0 block in log on vlan352 from 79.110.199.192/27 to <mynet>
rule 29/0 block in log on vlan352 from 79.110.199.192/27 to !<mynet>
I was trying also with:
Code:
block in log on vlan352 from 79.110.199.192/27 to any
I used tags because I thought it was be the best way, considering that I also have non-public classes that go through nat. In this case, the simplest one there's a public address. I'm opening the window for allowed IP with proper queuing.
Passing rules are:
Code:
pass quick from 79.110.199.199 to <mynet> keep state
pass in quick on vlan352 from 79.110.199.199 to !<mynet> tag FROM79_110_199_199 queue 79_110_199_199D
pass out quick on vlan300 tagged FROM79_110_199_199 queue 79_110_199_199U
pass in quick on vlan300 from !<mynet> to 79.110.199.199 tag TO79_110_199_199 queue 79_110_199_199U
pass out quick on vlan352 tagged TO79_110_199_199 queue 79_110_199_199D
79_110_199_199D is on vlan352 (specifically the physical interface em0)
79_110_199_199U is on vlan300 (em1)
Queue type is hfsc.
But still some packets are dropped
Code:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073
> 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073
> 80.229.149.80.55511: tcp 1422 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073
> 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 85.222.56.47.56705: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073
> 85.222.56.47.56705: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022
> 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073
> 87.239.219.82.59291: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022
> 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 87.239.219.82.59291: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022
> 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073
> 87.239.219.82.59291: [|tcp]
This topic is basically a continuation of my previous one. From this IP point of view, mostly all Internet connections seem to be working, dns in <my net> pool. This traffic should fall in default queue. But sometimes it gets stuck. Bandwidth tests are showing the right result for upload and download.
I cannot connect from my IP class (79.110.194.135) to this one (79.110.199.199). I haven't checked how it looks when someone announces connection from outside ( !<mynet> ).