Subject: ipf not working right, resets not resetting
To: None <current-users@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 05/12/2000 14:25:49
i've got these lines (machine running current from 5/4) in my
ipf.conf:

block return-rst in quick on ex0 proto tcp from any to 204.178.38.99/32 port != smtp
block return-rst in quick on ex0 proto tcp from any to 204.178.38.77/32 port = auth

and this tcpdump from a remote machine (running 1.3.3):

14:23:03.481296 198.67.15.13.4671 > 204.178.38.77.111: S 3384208866:3384208866(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5188311 0> [tos 0x10]
                         4510 003c e45f 0000 4006 cdfc c643 0f0d
                         ccb2 264d 123f 006f c9b6 ede2 0000 0000
                         a002 4000 4d4a 0000 0204 05b4 0103 0300
                         0101 080a 004f 2ad7 0000 0000
14:23:03.493151 204.178.38.77.111 > 198.67.15.13.4671: R 0:0(0) ack 3384208867 win 0
                         4500 0028 8c11 0000 3d06 296f ccb2 264d
                         c643 0f0d 006f 123f 0000 0000 c9b6 ede3
                         5014 0000 1d38 0000 0000 0000 0000
14:23:05.533468 198.67.15.13.4672 > 204.178.38.99.24: S 3385835000:3385835000(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5188316 0> [tos 0x10]
                         4510 003c e474 0000 4006 cdd1 c643 0f0d
                         ccb2 2663 1240 0018 c9cf bdf8 0000 0000
                         a002 4000 7d56 0000 0204 05b4 0103 0300
                         0101 080a 004f 2adc 0000 0000
14:23:05.544565 204.178.38.99.24 > 198.67.15.13.4672: R 0:0(0) ack 3385835001 win 0 (DF) [tos 0x10]
                         4510 0028 8c12 4000 3d06 e947 ccb2 2663
                         c643 0f0d 0018 1240 0000 0000 c9cf bdf9
                         5014 0000 76cd 0000 0000 0000 0000

where 204.178.38.77 is on ex0 and 204.178.38.99 is an alias on ex0.

the first reset works, but the second one is ignored (i.e., the
connection eventually times out).  the only discernible difference i
can see is that the second reset has the tos copied and the df bit
set.  i didn't think this would affect tcp, since those are ip
features.

any ideas what i'm doing wrong?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
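The following script is an added example for readers of this thread; it is not part of the original post or of ipfilter. It decodes the four tcpdump -x hex dumps quoted above (copied verbatim from the post; the trailing zero words are Ethernet padding), recomputes the IP header and TCP checksums, and applies the RFC 793 acceptance test a host in SYN-SENT uses on an incoming RST (reversed 4-tuple, RST flag, ACK covering the SYN's sequence number). Run on these dumps it reports that both RSTs pass the sequence-number and IP-checksum checks and that, as the post says, only the tos and DF bits differ at the IP layer; but the TCP checksum of the RST from 204.178.38.99 (0x76cd on the wire) does not match the value computed over its bytes and pseudo-header (0x4d49), whereas the RST from 204.178.38.77 checks out. A TCP stack silently drops a segment with a bad checksum, which would account for the second reset being ignored while tos and DF, as the poster suspects, play no part. The helper names are my own.

```python
"""Decode tcpdump -x hex dumps and validate a return-rst against the SYN it answers."""
import socket
import struct

# Hex dumps copied from the tcpdump output in the post above (constructed
# input for this example).  Trailing zero words are link-layer padding.
SYN_TO_77 = """4510 003c e45f 0000 4006 cdfc c643 0f0d
ccb2 264d 123f 006f c9b6 ede2 0000 0000
a002 4000 4d4a 0000 0204 05b4 0103 0300
0101 080a 004f 2ad7 0000 0000"""
RST_FROM_77 = """4500 0028 8c11 0000 3d06 296f ccb2 264d
c643 0f0d 006f 123f 0000 0000 c9b6 ede3
5014 0000 1d38 0000 0000 0000 0000"""
SYN_TO_99 = """4510 003c e474 0000 4006 cdd1 c643 0f0d
ccb2 2663 1240 0018 c9cf bdf8 0000 0000
a002 4000 7d56 0000 0204 05b4 0103 0300
0101 080a 004f 2adc 0000 0000"""
RST_FROM_99 = """4510 0028 8c12 4000 3d06 e947 ccb2 2663
c643 0f0d 0018 1240 0000 0000 c9cf bdf9
5014 0000 76cd 0000 0000 0000 0000"""

TCP_ACK = 0x10
TCP_RST = 0x04


def hex_to_bytes(dump):
    """Turn the 16-bit hex words printed by tcpdump -x into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def checksum(data):
    """RFC 1071 ones-complement checksum.  Over data that already carries a
    correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse(dump):
    """Decode an IPv4/TCP datagram into the fields the RST check needs."""
    raw = hex_to_bytes(dump)
    ihl = (raw[0] & 0x0F) * 4
    (_, tos, total_len, _, flags_frag, ttl, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ip_hdr = raw[:ihl]
    tcp = raw[ihl:total_len]                     # drop link-layer padding
    sport, dport, seq, ack, off_flags, _, tcp_csum, _ = struct.unpack(
        "!HHIIHHHH", tcp[:20])
    # TCP pseudo-header: src, dst, zero, protocol, TCP length (RFC 793)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport,
        "tos": tos, "df": bool(flags_frag & 0x4000), "ttl": ttl,
        "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
        "ip_csum_ok": checksum(ip_hdr) == 0,
        "tcp_csum": tcp_csum,
        # recompute with the checksum field (bytes 16-17) zeroed
        "tcp_csum_computed": checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]),
    }


def check_rst(syn_dump, rst_dump):
    """Return the reasons a peer in SYN-SENT would not act on this RST."""
    syn, rst = parse(syn_dump), parse(rst_dump)
    problems = []
    if not rst["flags"] & TCP_RST:
        problems.append("RST flag not set")
    if (rst["src"], rst["sport"], rst["dst"], rst["dport"]) != \
            (syn["dst"], syn["dport"], syn["src"], syn["sport"]):
        problems.append("4-tuple does not match the SYN")
    if not rst["flags"] & TCP_ACK or rst["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        problems.append("ACK does not cover the SYN")
    if not rst["ip_csum_ok"]:
        problems.append("bad IP header checksum")
    if rst["tcp_csum"] != rst["tcp_csum_computed"]:
        problems.append("bad TCP checksum: on wire 0x%04x, computed 0x%04x"
                        % (rst["tcp_csum"], rst["tcp_csum_computed"]))
    return problems


if __name__ == "__main__":
    for name, syn, rst in (("204.178.38.77", SYN_TO_77, RST_FROM_77),
                           ("204.178.38.99", SYN_TO_99, RST_FROM_99)):
        p = parse(rst)
        print("RST from %s: tos=0x%02x df=%s ttl=%d problems=%s"
              % (name, p["tos"], p["df"], p["ttl"], check_rst(syn, rst) or "none"))
```

The same parse/check pair works on any tcpdump -x dump of a SYN and the RST that answers it, so it is a quick way to tell a reset the receiver rejected for protocol reasons from one it never looked at because the checksum was wrong.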