IPFILTER_DEFAULT_BLOCK & No route to host
Stephen Hilton
nospam at hiltonbsd.com
Mon Sep 29 23:35:04 PDT 2003
On Mon, 29 Sep 2003 20:27:35 -0700 (PDT)
echelon <e_chelon at yahoo.com> wrote:
> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> In addition, the machine cannot ping itself.
>
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
>
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat.
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines.
>
> The routing table is fine. All these problems go away if I remove the option
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.
>
You need to create and load an ipfilter rule set.
For a start create /etc/ipf.rules containing:
pass in on lo0 all
pass out on lo0 all
pass in on xl0 all
pass out on xl0 all
# * xl0 should be changed to your ethernet interface type.
Then in your /etc/rc.conf
ipfilter_enable="YES" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter.
ipfilter_flags="-F a -f /etc/ipf.rules" # additional flags for ipfilter
This should get you started, good luck.
P.S. Cross posting is not usually a good idea, freebsd-questions is
the right place for stuff like this.
Cheers,
Stephen Hilton
nospam at hiltonbsd.com
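The "pass all" rule set above simply re-opens every interface, which removes the symptom but also removes the point of IPFILTER_DEFAULT_BLOCK. As an added example (not from the original thread), the following /etc/ipf.rules keeps the loopback and LAN sides open while letting only replies to the gateway's own outbound traffic back in on the PPPoE side; xl0 is the LAN interface and tun0 is the PPPoE interface, both assumptions to adjust for your box (NAT itself is still configured separately in ipnat).

```ipf
# Loopback must always pass, or local tools get "no route to host"
pass in  quick on lo0 all
pass out quick on lo0 all

# LAN side (xl0 is an assumed interface name): trusted, pass everything
pass in  quick on xl0 all
pass out quick on xl0 all

# PPPoE side (tun0 is an assumed interface name):
# allow what this box initiates and keep state so replies come back in
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Everything else arriving from the outside is dropped and logged
block in log quick on tun0 all
```

Load it with the ipfilter_flags line from the reply ("-F a -f /etc/ipf.rules") and confirm the active rules with ipfstat -io.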