Subject: IP-Filter changes wrt keeping state
To: None <>
From: Martin J. Laubach <>
List: tech-net
Date: 11/02/2005 14:39:09
  I recently upgraded my firewall machine from 1.6 to 2.0 and
found that something in ip-filter seems to have changed in a
rather strange way.

  I basically have access lists for each interface. On the internal
one I do

	block in all on internal-IF head 10
	pass out proto tcp from any to any port = 1234 keep state group 10

  and on the external one

	block out all on external-IF head 20
	pass out proto tcp from any to port = 1234 keep state group 20

  Under 1.6 this worked fine, restricting the reachable hosts for port
1234 to Under 2.0, this lets connect to ANY host on port 1234.

  I'm a bit stumped -- has something dramatic changed or is my ipf.conf
logic flawed?
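As an added example, not part of the original post, here is a self-contained ipf.conf that expresses the same intent with the elided pieces filled in by assumption: the interface names (fxp0 internal, fxp1 external), the LAN prefix and the single permitted server for port 1234 are placeholders chosen for illustration. Two points a practitioner would check against a ruleset like this: the state table is consulted before the rule list, so any `keep state` rule that matches connections to arbitrary destinations will, once it creates an entry, let the rest of that connection through regardless of the rules on the other interface; the destination restriction therefore has to be on every rule that creates state. And the direction has to match the head the rule belongs to: on the LAN interface the client's SYN arrives as an inbound packet, so a rule in a `block in` group must itself be `pass in` to ever see it.

```conf
# Added example, not from the original post. Names and addresses are
# assumptions for illustration only:
#   fxp0 = internal interface, LAN is 192.168.1.0/24
#   fxp1 = external interface
#   203.0.113.10 = the only host that may be reached on tcp/1234
# Substitute your own interfaces and addresses.

# Internal side: connections arrive from the LAN as inbound packets on fxp0.
# Only SYNs towards the permitted server create state; everything else in
# group 10 falls through to the block head.
block in on fxp0 all head 10
pass in quick on fxp0 proto tcp from 192.168.1.0/24 to 203.0.113.10 port = 1234 flags S keep state group 10

# External side: the same connections leave as outbound packets on fxp1.
# The destination is restricted here too, so no state is ever created for
# a connection to an unlisted host on either interface.
block out on fxp1 all head 20
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to 203.0.113.10 port = 1234 flags S keep state group 20
```

To verify what the kernel actually has, parse the file without loading it with `ipf -n -f /etc/ipf.conf`, then load it with `ipf -Fa -f /etc/ipf.conf`, list the active rules with `ipfstat -io` (or `ipfstat -nio` for rule numbers) and watch which entries appear in the state table with `ipfstat -s` while a client attempts a connection to a host that should be blocked; if an entry for that host shows up, some rule in the set is still creating state for it.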