Current-Users archive

Trouble with IPF
All,

I've recently upgraded to current as of this morning.  I've noticed that there
is one web site to which I cannot connect.  With ipf off, I can download the
page.  With ipf on, I cannot.  Using tcpdump, I gathered the following.

without ipf:
11:22:07.066486 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [S], seq 349
11:22:07.155871 IP 174.142.250.228.80 > 67.171.200.210.64824: Flags [S.], seq 39
11:22:07.155936 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [.], ack 1, 
11:22:07.156049 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [P.], seq 1:
11:22:07.246033 IP 174.142.250.228.80 > 67.171.200.210.64824: Flags [.], ack 123
11:22:08.355267 IP 174.142.250.228.80 > 67.171.200.210.64824: Flags [.], seq 1:1
11:22:08.355621 IP 174.142.250.228.80 > 67.171.200.210.64824: Flags [.], seq 144
...
with ipf:
11:32:52.529670 IP 67.171.200.210.64811 > 174.142.250.228.80: Flags [S], seq 388
11:32:52.619857 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
11:32:53.262922 IP 174.142.250.228.80 > 67.171.200.210.64812: Flags [S.], seq 18
11:32:53.862746 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
11:32:55.862626 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
<hang>
Only the one packet leaves my machine, the rest are stopped.  I can see the
session in ipfstat -t.  It shows:

Source IP             Destination IP         ST  PR    #pkts    #bytes       ttl
67.171.200.210,64811  174.142.250.228,80    1/0  tcp       1        64      3:21
The interesting parts of my ipf.conf are:

# Group heads
#
block in quick on re0 all head 100
block out quick on re0 all head 150

# incoming traffic
#
block in quick on re0 proto tcp all with short group 100
block in quick on re0 proto tcp all with ipopts group 100
pass in quick on re0 proto icmp all group 100

# outgoing traffic
#
pass out quick on re0 proto tcp from any to any keep state group 150
pass out quick on re0 proto udp from any to any keep state group 150
pass out quick on re0 proto icmp from any to any group 150 


Any help and/or suggestions would be appreciated.


Aran
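As an added example (not part of the post above), here is a small Python check that scans tcpdump output like the two captures in the mail for TCP handshakes in which the server keeps retransmitting SYN-ACKs and the client never sends its ACK, which is how a firewall dropping the return leg of a connection shows up on the wire. The sample captures are constructed from the lines quoted in the post, truncated as they were there.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the post's two captures (truncated
# as in the original; only the fields the parser needs are present).
CAPTURE_OK = """\
11:22:07.066486 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [S], seq 349
11:22:07.155871 IP 174.142.250.228.80 > 67.171.200.210.64824: Flags [S.], seq 39
11:22:07.155936 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [.], ack 1,
11:22:07.156049 IP 67.171.200.210.64824 > 174.142.250.228.80: Flags [P.], seq 1:
"""
CAPTURE_IPF = """\
11:32:52.529670 IP 67.171.200.210.64811 > 174.142.250.228.80: Flags [S], seq 388
11:32:52.619857 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
11:32:53.262922 IP 174.142.250.228.80 > 67.171.200.210.64812: Flags [S.], seq 18
11:32:53.862746 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
11:32:55.862626 IP 174.142.250.228.80 > 67.171.200.210.64811: Flags [S.], seq 23
"""

# timestamp IP a.b.c.d.port > a.b.c.d.port: Flags [..]
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for every parsable tcpdump line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def stalled_handshakes(capture, min_synack_retries=2):
    """Return flows (client, cport, server, sport) where the client sent a SYN,
    the server answered with at least min_synack_retries SYN-ACKs, and no ACK
    from the client followed.  A SYN-ACK to a port that never sent a SYN
    (the stray 64812 line above) has no matching SYN and is not reported."""
    state = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, sport, dst, dport, flags in parse(capture):
        if flags == "S":
            state[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":
            # key the server's SYN-ACK by the client side so both directions meet
            state[(dst, dport, src, sport)]["synack"] += 1
        elif "S" not in flags and "." in flags:
            state[(src, sport, dst, dport)]["ack"] += 1
    return sorted(
        flow for flow, s in state.items()
        if s["syn"] and s["synack"] >= min_synack_retries and s["ack"] == 0
    )
```

Running it over a live `tcpdump -n tcp` capture taken with the filter enabled lists exactly the client ports whose inbound SYN-ACKs never reach the stack, which narrows the search to the inbound rules rather than the web site.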

