Subject: Re: IP-Filter changes wrt keeping state
To: None <tech-net@netbsd.org>
From: Martin J. Laubach <mjl@netbsd.org>
List: tech-net
Date: 11/02/2005 17:29:41
|    I recently upgraded my firewall machine from 1.6 to 2.0 and
|  found that something in ip-filter seems to have changed in a
|  rather strange way.

  I did some more experimenting: with the ipf.conf below, I would
expect connections on port 6667 to be blocked on ex0. However, I can
freely traverse the firewall to any host port 6667. So it looks to me
as if the "keep state" does not take the interface into account. I'm
pretty sure this was different in 1.6, am I mistaken...?

	mjl


---
# Note: ex0 = external interface, tlp0 = internal interface
pass in quick on lo0 all
pass out quick on lo0 all

pass in quick from any to any port = 22 keep state

block in on tlp0 from any to any head 10
pass in quick on tlp0 from any to any port = 6667 keep state group 10

block out on ex0 from any to any
---