Subject: kern/26856: pass in ... keep state actually blocks some packets
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 09/05/2004 15:15:00
>Number:         26856
>Category:       kern
>Synopsis:       pass in ... keep state actually blocks some packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 05 15:16:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pavel Cahyna
>Release:        2.0_BETA, ipf: IP Filter: v4.1.3 (396), Kernel: IP Filter: v4.1.3
>Organization:
>Environment:
NetBSD pcap 2.0_BETA NetBSD 2.0_BETA (GENERIC_DIAGNOSTIC) #0: Fri Sep 3 10:33:21 CEST 2004 pavel@pc:/mnt/obj/kompilace/jadra/compile/GENERIC_DIAGNOSTIC i386
>Description:
if there is a rule like "pass in on wi1 from 192.168.1.3 to any keep state", 
then ping replies from 192.168.1.3 are blocked. (on the firewall, I
run "ping 192.168.1.3", I see with tcpdump that echo requests go out and
echo replies from 192.168.1.3 come in, but ping reports that all the
packets are lost.)

If I change the line to "pass in on wi1 from 192.168.1.3 to any", ping
starts working.

If I remove the line completely, ping also starts working. (My default
is set to pass all.)

If I add the line "pass out on wi1 from 192.168.1.3 to any keep
state", ping also starts working.

This is IMHO wrong, because it violates the principle of least surprise
- one would not expect that adding a "pass" line will block some
packets.

I do not remember seeing it before I upgraded to IPFilter 4.1.3, but
this may be wrong.
>How-To-Repeat:
See above.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: