Subject: Re: Trouble with IP Filter 3.3.6 after NetBSD 1.4.2 upgrade...
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Brian Stark <bstark@uswest.net>
List: netbsd-help
Date: 04/11/2000 01:11:08
On Mon, 10 Apr 2000, Manuel Bouyer wrote:

> >   fix state handling of SYN packets.
> 
> I think this is related to 'keep state', which you don't seem to use here.
> 
> Could you also post the rules for group 200? It's possible that the
> TCP packets come in but the answer never gets out.

These are the rules for group 200:

callisto:{root}# ipfstat -o -n | grep 200
@2 block out quick on ppp0 from any to any head 200
@1 block out quick on ppp0 from any to 192.168.0.0/16 group 200
@2 block out quick on ppp0 from any to 172.16.0.0/12 group 200
@3 block out quick on ppp0 from any to 10.0.0.0/8 group 200
@4 pass out quick on ppp0 proto tcp/udp from any to any keep state group 200
@5 pass out quick on ppp0 proto icmp from any to any keep state group 200
@6 block out log quick on ppp0 from any to any group 200
callisto:{root}# 

but they shouldn't matter because my definition for inbound packets in
group 110 should automatically set up an implicit rule for the other
packets during the life of the connection (see section 3.2, Implicit
Allow; The "keep state" Rule in the ipf-howto file at
http://www.obfuscation.org/ipf):

  pass   in log quick on ppp0 proto tcp from 161.134.0.0/16 to any port 19
    >< 24 flags S/SA keep state group 110

> You could check this with tcpdump and netstat, while trying to connect.

I don't have too much experience with tcpdump, but I will give that a try.


Brian Stark
bstark@uswest.net
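The point being argued in the thread is that a "keep state" entry created by the inbound group 110 rule lets the return packets out without ever consulting the outbound group 200 rules. The following Python model of ipf's first-match ("quick") rule evaluation plus a state table is an added illustration; it is not code from the post or from IP Filter itself. The group 200 rules and the group 110 pass rule are taken from the message; the trailing inbound "block" and the addresses 203.0.113.5 (the ppp0 side) and 161.134.7.7 (the client) are constructed for the example, and details such as state timeouts, TCP window tracking and rule groups are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the ppp0 interface
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags set on the packet, e.g. "S" or "SA"


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    direction: str                              # "in" or "out"
    protos: Optional[Tuple[str, ...]] = None    # None = any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None              # None = any destination port
    flags: Optional[str] = None                 # ipf-style "S/SA": flags-set/mask
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.protos is not None and p.proto not in self.protos:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.flags is not None:
            want, mask = self.flags.split("/")
            # "S/SA": of the flags S and A, exactly S must be set (a bare SYN)
            if {f for f in p.flags if f in mask} != set(want):
                return False
        return True


# Constructed rule set: the group 110 pass rule and the group 200 rules from the
# post, flattened into one first-match list. 'port 19 >< 24' is an exclusive
# range in ipf, i.e. ports 20-23. The inbound catch-all block is an assumption;
# the post does not show the rest of group 110.
RULES: List[Rule] = [
    Rule("pass", "in", ("tcp",), src="161.134.0.0/16",
         dports=range(20, 24), flags="S/SA", keep_state=True),   # @1
    Rule("block", "in"),                                         # @2 (assumed)
    Rule("block", "out", dst="192.168.0.0/16"),                  # @3
    Rule("block", "out", dst="172.16.0.0/12"),                   # @4
    Rule("block", "out", dst="10.0.0.0/8"),                      # @5
    Rule("pass", "out", ("tcp", "udp"), keep_state=True),        # @6
    Rule("pass", "out", ("icmp",), keep_state=True),             # @7
    Rule("block", "out"),                                        # @8
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state = set()      # direction-independent 5-tuples of live sessions

    @staticmethod
    def _key(p: Packet):
        # Same key for both directions of a session, so the reply matches.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p: Packet) -> Tuple[str, str]:
        # The state table is consulted before any rule, so a packet belonging
        # to a tracked session never reaches the rule list.
        if self._key(p) in self.state:
            return ("pass", "state")
        # First matching rule wins (every rule here is 'quick').
        for i, r in enumerate(self.rules, 1):
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(self._key(p))
                return (r.action, f"rule @{i}")
        return ("pass", "default")   # ipf passes when nothing matches


def tcp_session_trace() -> List[Tuple[str, str]]:
    """Inbound SYN to port 21, the SYN/ACK reply, and the client's ACK."""
    fw = Firewall(RULES)
    syn = Packet("in", "tcp", "161.134.7.7", "203.0.113.5", 40123, 21, "S")
    synack = Packet("out", "tcp", "203.0.113.5", "161.134.7.7", 21, 40123, "SA")
    ack = Packet("in", "tcp", "161.134.7.7", "203.0.113.5", 40123, 21, "A")
    return [fw.filter(syn), fw.filter(synack), fw.filter(ack)]


if __name__ == "__main__":
    for verdict in tcp_session_trace():
        print(verdict)
```

Run as written, the trace shows the SYN passing on rule @1, and both the SYN/ACK and the client's ACK passing on the state entry, so the group 200 rules are never evaluated for that session. A fresh `Firewall` fed the same ACK without the preceding SYN blocks it on the inbound catch-all, which is what a tcpdump capture would need to distinguish: whether the SYN is arriving at all, or arriving and not creating state.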