Subject: ipf feature mask
To: None <firstname.lastname@example.org>
From: Patrick Welche <email@example.com>
Date: 07/07/2005 21:01:20

What is the Feature mask as output by ipf?

Essentially I am trying to track down a problem and ended up with the
following simple setup:

rtk0 is the external interface
xi0 is the internal interface
192.168.. is the internal client machine which makes a connection to
an external web server.

tape# ipfstat -io
block out all
block in all
pass in on xi0 proto tcp from any to any port = www flags S/FSRPAU keep state keep frags
tape# ipnat -l
List of active MAP/Redirect filters:
map rtk0 192.168.204.234/32 -> 184.108.40.206/32
List of active sessions:
MAP 192.168.204.234 1288 <- -> 220.127.116.11 1288 [18.104.22.168 80]
tape# ipf -V
ipf: IP Filter: v4.1.8 (396)
Kernel: IP Filter: v4.1.8
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a

That works fine. When I run the same rules on another computer, the SA packet
returning from the webserver does not make it back through the firewall.
They are both running today's -current/i386, and both have options IPFILTER_LOG.
The only difference that I can spot is that the working computer has
Feature mask: 0x10a, whereas the broken setup has 0xa (and bge0/ex0
instead of rtk0/xi0). What does this mean, and could it make a difference?