Current-Users archive


Re: 'keep state' broken after recent ipfilter update?



On Thu, May 22, 2008 at 11:27:01AM +0200, Markus W Kilbinger wrote:
> I've just updated a -current i386 machine acting as an ipf/ipnat router
> to actual -current (completely built from scratch) including ipfilter's
> update
> 
>   http://mail-index.netbsd.org/source-changes/2008/05/20/msg006544.html
> 
> Now an ipf.conf sequence of
> 
>   block in log on ex0 all
>   pass out quick on ex0 proto tcp from [local-ip-addr] to any flags S/SA keep state
> 
> no longer allows outgoing tcp connections (on ex0 from
> [local-ip-addr]) which was working before this ipfilter update. Now
> incoming tcp packets as a response to the outgoing connection are
> blocked by the first rule.
> 
> Does anybody else see this? Is this an intended (config) change?

  Yes---ipfstat shows state-table entries being created, but packets from
the remote host are still blocked, for both incoming and outgoing connections.
I also changed hardware on the affected host, so I wasn't sure whether it
was the ipfilter change or something I botched in the transfer to the new
hardware.  I built the system from May 20 sources.

  I also have wondered whether it's an intentional config change.

--Jim
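
The behaviour the thread describes, modelled as an added example (not code from the thread or from ipfilter itself): the state table is consulted before the rule list, rules are last-match-wins unless `quick`, and a passed `keep state` packet records both orientations of its 5-tuple. The addresses and ports are constructed, and `state_works=False` is an assumed switch that reproduces the reported symptom of reply packets falling through to `block in log on ex0 all`.

```python
from collections import namedtuple

# Constructed sample addresses; "ex0" is the interface named in the thread.
LOCAL, REMOTE = "192.0.2.10", "198.51.100.5"
Packet = namedtuple("Packet", "direction iface proto src dst sport dport flags")
# flags=("S", "SA") models "flags S/SA": within SYN and ACK, only SYN is set.
Rule = namedtuple("Rule", "action direction iface proto src flags quick keep_state",
                  defaults=("", "", (), False, False))

def matches(r, p):
    ok = (p.direction, p.iface) == (r.direction, r.iface)
    ok = ok and (not r.proto or p.proto == r.proto)
    ok = ok and (not r.src or p.src == r.src)
    if ok and r.flags:
        want, mask = r.flags
        ok = set(p.flags) & set(mask) == set(want)
    return ok

class Filter:
    def __init__(self, rules, state_works=True):
        self.rules, self.state_works, self.state = rules, state_works, set()

    def filter(self, p):
        # The state table is consulted before any rule; state_works=False
        # models the reported symptom: entries exist but replies still hit rule 1.
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if self.state_works and key in self.state:
            return "pass"
        verdict, matched = "pass", None      # ipf default verdict is pass
        for r in self.rules:                 # last match wins unless quick
            if matches(r, p):
                verdict, matched = r.action, r
                if r.quick:
                    break
        if verdict == "pass" and matched and matched.keep_state:
            self.state.update({key, (p.proto, p.dst, p.dport, p.src, p.sport)})
        return verdict

RULES = [  # the two rules from the quoted ipf.conf
    Rule("block", "in", "ex0"),
    Rule("pass", "out", "ex0", proto="tcp", src=LOCAL, flags=("S", "SA"),
         quick=True, keep_state=True),
]

def tcp_handshake(state_works=True):
    """Verdicts for (outgoing SYN, returning SYN/ACK) on ex0."""
    f = Filter(RULES, state_works)
    syn = Packet("out", "ex0", "tcp", LOCAL, REMOTE, 40000, 80, "S")
    synack = Packet("in", "ex0", "tcp", REMOTE, LOCAL, 80, 40000, "SA")
    return f.filter(syn), f.filter(synack)
```

With a working state table the SYN/ACK is passed without ever reaching the rules; with the modelled breakage it is blocked by rule 1, which is exactly what `block in log` would show in the ipf log.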

