Subject: Re: Trouble with IP Filter 3.3.6 after NetBSD 1.4.2 upgrade...
To: Brian Stark <bstark@uswest.net>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 04/10/2000 10:48:38
On Mon, Apr 10, 2000 at 03:10:51AM -0500, Brian Stark wrote:
>
> So, I'm really confused... the filtering I do for icmp traffic appears to
> work, but the tcp traffic filtering seems broken.
>
> If it helps to understand the basic layout of my config file, it is like
> this:
>
> callisto:{root}# cat /etc/ipf.conf | grep head
> block in quick on ppp0 all head 100
> block in quick on ppp0 proto tcp all head 110 group 100
> block in quick on ppp0 proto udp all head 120 group 100
> block in quick on ppp0 proto icmp all head 130 group 100
> block in quick on ppp0 proto igmp all head 140 group 100
> block out quick on ppp0 all head 200
> callisto:{root}#
>
>
> Could it be that there is something wrong in IP Filter 3.3.6, or perhaps
> there is a necessary change for the config file that I am not aware of?
>
> Would it make any sense to try this with a newer version of IP Filter
> (latest appears to be 3.3.12)? I downloaded the version 3.3.12 from
> coombs.anu.edu.au and while reviewing the HISTORY file I came across the
> following entry that looked interesting:
>
> 3.3.8 01/02/2000 - Released
>
> fix state handling of SYN packets.
I think this is related to 'keep state', which you don't seem to use here.
Could you also post the rules for the group 200? It's possible that the
TCP packets come in but the answer never gets out.
You could check this with tcpdump and netstat, while trying to connect.
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--
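As an added illustration (not part of the thread and not the poster's actual rules), the following ipf.conf excerpt shows why the posted group layout can let a TCP SYN in yet drop the reply, and how 'keep state' on the inbound rule fixes it; the host address 192.0.2.1 and the SSH port are placeholder assumptions.

```conf
# Heads exactly as in the posted layout: every packet falls into a group and
# is dropped unless a rule inside that group passes it.
block in quick on ppp0 all head 100
block in quick on ppp0 proto tcp all head 110 group 100
block in quick on ppp0 proto udp all head 120 group 100
block in quick on ppp0 proto icmp all head 130 group 100
block out quick on ppp0 all head 200

# Group 130: echo requests are passed and the replies leave as new packets,
# so ICMP "works" even though group 200 has no matching rule for them only
# if group 200 passes them; here an explicit out rule does that.
pass in quick on ppp0 proto icmp from any to 192.0.2.1 icmp-type echo group 130
pass out quick on ppp0 proto icmp from 192.0.2.1 to any icmp-type echorep group 200

# Group 110, BROKEN variant (commented out): the SYN is passed in, but the
# SYN/ACK reply is a separate outbound packet evaluated against group 200,
# where "block out quick ... all" drops it. The client never sees a reply.
# pass in quick on ppp0 proto tcp from any to 192.0.2.1 port = 22 flags S group 110

# Group 110, WORKING variant: "keep state" records the connection when the
# SYN matches. ipf consults the state table before walking any rule, so the
# reply and every later packet of the connection bypass group 200 entirely.
pass in quick on ppp0 proto tcp from any to 192.0.2.1 port = 22 flags S keep state group 110

# Group 200: connections this host initiates; keep state here likewise lets
# the inbound answers bypass groups 100/110.
pass out quick on ppp0 proto tcp from 192.0.2.1 to any flags S keep state group 200
```

With the working variant loaded, `ipfstat -sl` lists a state entry for the connection as soon as the inbound SYN matches; if no entry appears, the SYN never reached the pass rule and `ipfstat -io` shows which block rule caught it.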