Re: 'keep state' broken after recent ipfilter update?

To: mk%kilbi.de@localhost
Subject: Re: 'keep state' broken after recent ipfilter update?
From: Darren Reed <darrenr%netbsd.org@localhost>
Date: Sat, 31 May 2008 14:19:56 -0700

Markus wrote:


I've just updated a -current i386 machine acting as a ipf/ipnat router
to actual -current (complete built from scratch) including ipfilters
update

 http://mail-index.netbsd.org/source-changes/2008/05/20/msg006544.html

Now a ipf.conf sequence of

 block in log on ex0 all
 pass out quick on ex0 proto tcp from [local-ip-addr] to any flags S/SA
keep state

no longer allows outgoing tcp connections (on ex0 from
[local-ip-addr]) which was working before this ipfilter update. Now
incoming tcp packets as a response to the outgoing connection are
blocked by the first rule.

Does anybody else see this? Is this a intended (config) change?


So, I've just installed 20080527 and I'm definately seeing
some strange behaviour that results in packets being blocked
that shouldn't be.  Even doing a simple "telnet foo" gets a
stalled connection, so I'll be looking at this more closely
over the weekend.

Darren

Prev by Date: Re: ipf/ipnat behavior
Next by Date: Re: ipf/ipnat behavior
Previous by Thread: Re: 'keep state' broken after recent ipfilter update?
Next by Thread: daily CVS update output
Indexes:

Home | Main Index | Thread Index | Old Index