Re: 'keep state' broken after recent ipfilter update?

To: Markus W Kilbinger <mk%kilbi.de@localhost>
Subject: Re: 'keep state' broken after recent ipfilter update?
From: Jim Bernard <jbernard%mines.edu@localhost>
Date: Thu, 22 May 2008 17:46:42 -0600

On Thu, May 22, 2008 at 11:27:01AM +0200, Markus W Kilbinger wrote:
> I've just updated a -current i386 machine acting as a ipf/ipnat router
> to actual -current (complete built from scratch) including ipfilters
> update
> 
>   http://mail-index.netbsd.org/source-changes/2008/05/20/msg006544.html
> 
> Now a ipf.conf sequence of
> 
>   block in log on ex0 all
>   pass out quick on ex0 proto tcp from [local-ip-addr] to any flags S/SA keep 
> state
> 
> no longer allows outgoing tcp connections (on ex0 from
> [local-ip-addr]) which was working before this ipfilter update. Now
> incoming tcp packets as a response to the outgoing connection are
> blocked by the first rule.
> 
> Does anybody else see this? Is this a intended (config) change?

  Yes---ipfstat shows state-table entries being created, but packets from
the remote host are still blocked, for both incoming and outgoing connections.
I also changed hardware on the affected host, so I wasn't sure whether it
was the ipfilter change or something I botched in the transfer to the new
hardware.  I built the system from May 20 sources.

  I also have wondered whether it's an intentional config change.

--Jim

References:
- 'keep state' broken after recent ipfilter update?
  - From: Markus W Kilbinger

Prev by Date: Re: current kernels hang on i386 and amd64
Next by Date: More on -current's ipf problems
Previous by Thread: 'keep state' broken after recent ipfilter update?
Next by Thread: Re: 'keep state' broken after recent ipfilter update?
Indexes:

Home | Main Index | Thread Index | Old Index