Subject: Re: ipfilter changes in 1.4.2
To: Scott Bartram <scottb@orionsoft.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-net
Date: 04/24/2000 13:06:55
On Sun, Apr 23, 2000 at 10:58:40PM -0400, Scott Bartram wrote:
> I just upgraded a router box from 1.4 to 1.4.2. This system has been
> running fine for well over a year using ipf and ipnat. The ipf inbound
> rules used to filter using the static PPP address obtained from the ISP.
> Now it seems that NAT is done before filtering.
> 
> a) Is it true that NAT is now done pre-filter? Based on the ipfilter website
>    it appears to be the case.

Yes, I ran into this as well.

> 
> b) This seems more likely to open holes since I have to write rules that
>    allow packets through that have my internal (private) addresses as the
>    destination or am I missing something?

In fact the previous behavior was a bug :)
The new behavior causes problems only if you use the ftp or rsh proxy (that is,
protocols that need incoming TCP connections to dynamic ports).
But the right thing to do here would be to have the ftp or rsh proxy
dynamically update the filters when required. Darren, are you listening? :)

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
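An added example, not part of the thread, of what the NAT-before-filter order means for an ipf.conf/ipnat.conf pair. The interface name ppp0, the public PPP address 203.0.113.5 and the internal host 192.168.1.10 are constructed for illustration.

```conf
# ipnat.conf (constructed example): redirect inbound SMTP on the PPP link
# to an internal host and masquerade the LAN behind the PPP address.
rdr ppp0 0.0.0.0/0 port 25 -> 192.168.1.10 port 25 tcp
map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ppp0 192.168.1.0/24 -> 0/32

# ipf.conf, rule written for the old (filter-then-NAT) inbound order.
# It matches the public PPP address, but with NAT now running first the
# rdr above has already rewritten the destination to 192.168.1.10 by the
# time this rule is evaluated, so the redirected packet never matches it.
# pass in quick on ppp0 proto tcp from any to 203.0.113.5 port = 25 flags S keep state

# ipf.conf, rules for the 1.4.2 order (inbound: NAT first, then filter).
# The inbound rule must name the post-NAT, internal destination.
# Because we now accept packets addressed to a private destination, also
# reject packets that arrive on the outside link with a private source.
block in log quick on ppp0 from 192.168.0.0/16 to any
block in log quick on ppp0 from 10.0.0.0/8 to any
pass in quick on ppp0 proto tcp from any to 192.168.1.10 port = 25 flags S keep state
block in log on ppp0 all

# Outbound packets are filtered before they are mapped, so outbound rules
# still see the private source addresses.
pass out quick on ppp0 proto tcp from 192.168.1.0/24 to any flags S keep state
block out log on ppp0 all
```

Only packets that match an rdr or map entry are rewritten before filtering; inbound packets to the PPP address that match no NAT rule still carry 203.0.113.5 as destination and are handled by the final block rule.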