Subject: ipf: keep state on udp for low port numbers?
To: None <netbsd-users@netbsd.org>
From: Florian Stoehr <netbsd@wolfnode.de>
List: netbsd-users
Date: 07/17/2005 00:44:47
Hi,

consider the following ipf ruleset:

block in log all
pass out log quick on rtk0 all keep state

From the ipf documentation, "keep state" should let any udp (and tcp) 
packet in if the reverse direction was <= 60 seconds ago.

Why does it NOT work in this case (perhaps a problem as this is 
a "privileged port" < 1023)?

ipmon log output:

16/07/2005 21:24:41.434580 rtk0 @0:2 p 10.0.2.10,64370 -> 10.0.0.1,53 PR 
udp len 20 60 K-S OUT
16/07/2005 21:24:41.435017 rtk0 @0:2 p 10.0.0.1,53 -> 10.0.2.10,64370 PR 
udp len 20 106 K-S IN
                ^^^^^^ OK, worked, keep state

16/07/2005 21:24:41.436914 rtk0 @0:2 p 10.0.2.10,955 -> 10.0.0.1,111 PR 
udp len 20 84 K-S OUT
16/07/2005 21:24:41.438634 rtk0 @0:4 b 10.0.2.1,111 -> 10.0.2.10,955 PR 
udp len 20 56 IN
               ^^^^^^^ Why doesn't this work?

Furthermore, the state arrives in the state table (ipfstat -t):

10.0.2.10,955         10.0.0.1,111          0/0  udp       1        84 
1:57
10.0.2.10,64370       10.0.0.1,53           0/0  udp       1        60 
0:09

Now what's the problem here?

Thanks
Florian
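Added illustration, not part of Florian's mail or of ipf itself: a toy state table applying the rule the mail quotes (an inbound UDP packet passes only if its exact reverse tuple was sent out within 60 seconds) to the four ipmon lines above. The matching logic is a simplification assumed for the example, but it makes visible what the log already shows: the second reply comes from 10.0.2.1,111 while the state entry was created for 10.0.0.1,111.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the four ipmon lines quoted in the mail, with the
# wrapped lines joined back together.
IPMON_LOG = """\
16/07/2005 21:24:41.434580 rtk0 @0:2 p 10.0.2.10,64370 -> 10.0.0.1,53 PR udp len 20 60 K-S OUT
16/07/2005 21:24:41.435017 rtk0 @0:2 p 10.0.0.1,53 -> 10.0.2.10,64370 PR udp len 20 106 K-S IN
16/07/2005 21:24:41.436914 rtk0 @0:2 p 10.0.2.10,955 -> 10.0.0.1,111 PR udp len 20 84 K-S OUT
16/07/2005 21:24:41.438634 rtk0 @0:4 b 10.0.2.1,111 -> 10.0.2.10,955 PR udp len 20 56 IN"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) \S+ @\S+ [pb] (?P<sa>[\d.]+),(?P<sp>\d+) -> "
    r"(?P<da>[\d.]+),(?P<dp>\d+) PR (?P<proto>\w+) .* (?P<dir>IN|OUT)$"
)
UDP_TIMEOUT = timedelta(seconds=60)   # the reply window the mail quotes

def parse(line):
    m = LINE_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S.%f")
    return ts, (m["proto"], m["sa"], int(m["sp"]), m["da"], int(m["dp"])), m["dir"]

def simulate(log):
    """Return one (verdict, reason) per log line: outbound packets create
    state, inbound packets pass only if their exact reverse tuple is in the
    table and was seen within UDP_TIMEOUT (simplified model, an assumption)."""
    state = {}   # outbound (proto, src, sport, dst, dport) -> time last seen
    verdicts = []
    for line in log.splitlines():
        ts, key, direction = parse(line)
        if direction == "OUT":
            state[key] = ts
            verdicts.append(("pass", "keep state: entry created"))
            continue
        proto, sa, sp, da, dp = key
        reverse = (proto, da, dp, sa, sp)   # what the matching outbound packet looked like
        if reverse in state and ts - state[reverse] <= UDP_TIMEOUT:
            state[reverse] = ts
            verdicts.append(("pass", "matched state entry"))
            continue
        # No match: report the nearest entry that agrees on ports but not on addresses.
        near = [k for k in state if (k[0], k[2], k[4]) == (proto, dp, sp)]
        why = "no state for reverse tuple"
        if near:
            why += f"; entry {near[0][3]},{near[0][4]} != reply source {sa},{sp}"
        verdicts.append(("block", why))
    return verdicts
```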