Re: IPF 4.1.29 problems

[Martti Kuparinen <martti.kuparinen%iki.fi@localhost>]

Manuel Bouyer wrote:

> My workaround is to use the 'age' keyword, with different timeouts for

This was easier than I thought, I only modified my generic rules at the end of 
ipf.conf. So this is what I have now, I'll report if this does not fix my 
problems...


 ###############################################################################
 # Allow everything out
-###############################################################################
-pass out quick proto tcp  from any to any flags S        keep state keep frags
-pass out quick proto udp  from any to any                keep state keep frags
-pass out quick proto icmp from any to any icmp-type echo keep state
-pass out quick proto gre  from any to any                keep state keep frags
-pass out quick proto esp  from any to any                keep state keep frags
-pass out quick proto sctp from any to any                keep state keep frags
+#
+# Added "age XXX" to work around state problems, see
+# http://mail-index.netbsd.org/current-users/2008/10/20/msg005251.html
+# http://mail-index.netbsd.org/current-users/2008/10/20/msg005263.html
+#
+###############################################################################
+pass out quick proto tcp  from any to any flags S \
+  keep state (age 14400) keep frags
+pass out quick proto udp  from any to any \
+  keep state (age 600) keep frags
+pass out quick proto icmp from any to any icmp-type echo \
+  keep state (age 60)
+pass out quick proto gre  from any to any \
+  keep state (age 3600) keep frags
+pass out quick proto esp  from any to any \
+  keep state (age 3600) keep frags
+pass out quick proto sctp from any to any \
+  keep state (age 3600) keep frags