Current-Users archive


ipfilter not keeping state for some destinations


I updated to -current from earlier this week and found that I had
troubles browsing some particular sites.  When I turned IPFilter off the
sites loaded correctly.  I found this in my logs:

Aug 29 14:20:32 rover ipmon[468]: 14:20:32.361362 iwn0 @0:11 b,http -> rover,64225 PR tcp len 20 44 -AS IN
Aug 29 14:20:36 rover ipmon[468]: 14:20:36.708758 iwn0 @0:11 b,http -> rover,64225 PR tcp len 20 44 -AS IN 
Aug 29 14:20:37 rover ipmon[468]: 14:20:37.560490 iwn0 @0:11 b,http -> rover,64225 PR tcp len 20 40 -AR IN

The ip address is actually just  The firewall rules I
have are:

pass out quick on iwn0 proto tcp from any to any flags S keep state keep frags
pass out quick on iwn0 proto udp from any to any keep state keep frags
block in log on iwn0 all

There are a few others but these are the only relevant ones for the
interface in question.  The rule doing the blocking is the last rule
which is a catch-all block.  By the look of the logs my http request is
going out to the server but the reply related to my request is being
blocked.  This does not happen to all the web sites I visit; the vast
majority seem to work fine but there are a few, and that don't work.

Output of uname is:
NetBSD rover 6.99.10 NetBSD 6.99.10 (ROVER) #23: Mon Aug 27 08:00:21 CST
2012  toor@rover:/usr/src/sys/arch/amd64/compile/ROVER amd64

Any ideas what I am doing wrong?

Brett Lymn
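
Added example, not part of the original message: a Python filter for ipmon output that counts blocked inbound SYN+ACK segments, which is the symptom in the log excerpt above. The sample lines are constructed from the post's log lines, with the documentation address 192.0.2.10 standing in for the remote host, and the function names are this example's own.

```python
import re
from collections import Counter

# Field layout taken from the ipmon lines quoted in the post; the source host
# is optional so lines with that field stripped still parse.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[A-Za-z]) ?(?P<src>[^,\s]*),(?P<sport>\S+) -> "
    r"(?P<dst>[^,\s]+),(?P<dport>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) "
    r"(?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

# Constructed sample input: the post's three lines with a documentation address
# as the source, plus one unsolicited inbound SYN that the block rule should catch.
SAMPLE = """\
Aug 29 14:20:32 rover ipmon[468]: 14:20:32.361362 iwn0 @0:11 b 192.0.2.10,http -> rover,64225 PR tcp len 20 44 -AS IN
Aug 29 14:20:36 rover ipmon[468]: 14:20:36.708758 iwn0 @0:11 b 192.0.2.10,http -> rover,64225 PR tcp len 20 44 -AS IN
Aug 29 14:20:37 rover ipmon[468]: 14:20:37.560490 iwn0 @0:11 b 192.0.2.10,http -> rover,64225 PR tcp len 20 40 -AR IN
Aug 29 14:21:02 rover ipmon[468]: 14:21:02.100000 iwn0 @0:11 b 198.51.100.7,51000 -> rover,ssh PR tcp len 20 44 -S IN
"""

def parse(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None

def blocked_synacks(lines):
    """Count blocked inbound SYN+ACK segments per (src, sport, dst, dport, rule).

    A SYN+ACK answers a SYN this host sent, so with 'flags S keep state' on the
    outbound rule it should match the state table and never reach a block rule.
    """
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["action"] != "b" or rec["dir"] != "IN":
            continue
        if {"S", "A"} <= set(rec["flags"] or ""):
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"],
                   f'{rec["group"]}:{rec["rule"]}')
            hits[key] += 1
    return hits

if __name__ == "__main__":
    for flow, count in blocked_synacks(SAMPLE.splitlines()).items():
        print(count, "blocked SYN+ACK:", flow)
```

Remote endpoints that appear in the result are the destinations for which replies are not matching state; the unsolicited SYN in the sample is left out because blocking it is the intended behaviour of the catch-all rule.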
