Subject: Re: IP-Filter changes wrt keeping state
To: Martin J. Laubach <>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: tech-net
Date: 11/02/2005 20:05:51
At 14:39 Uhr +0000 2.11.2005, Martin J. Laubach wrote:
>  I recently upgraded my firewall machine from 1.6 to 2.0 and
>found that something in ip-filter seems to have changed in a
>rather strange way.

Apart from the problem in question, 2.0 came with an early 4.x version of
ipfilter that has, erm, "interesting features". I'd recommend upgrading at
least to 2.1, or even tracking netbsd-3, which is what I do on two
filtering routers.

>  I basically have access lists for each interface. On the internal
>one I do
>	block in all on internal-IF head 10
>	pass out proto tcp from any to any port = 1234 keep state group 10
>  and on the external one
>	block out all on external-IF head 20
>	pass out proto tcp from any to port = 1234 keep state group 20
>  Under 1.6 this worked fine, restricting the reachable hosts for port
>1234 to Under 2.0, this lets connect to ANY host on port 1234.

Is the rule set supposed to be complete? External has an implicit 'pass in
all', right? And internal an implicit 'pass out all'? Unless you configure
your kernel with IPF_DEFAULT_BLOCK...

I tend to set things up the other way round: Block or pass with state on
incoming packets. But we have >2 interfaces.


"It's never straight up and down"     (DEVO)
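As an added illustration of the two points raised above (not part of the original post or of NetBSD's own configuration), here is an ipf.conf layout that states its defaults explicitly instead of relying on the implicit 'pass' or on a kernel built with IPF_DEFAULT_BLOCK, and that keeps state on the incoming packet, as Hauke says he prefers. Interface names (fxp0 internal, fxp1 external), the LAN prefix 192.168.1.0/24, the permitted server 10.0.0.5 and the port 1234 are all assumptions constructed for the example:

```conf
# Constructed example ipf.conf; fxp0 = internal (LAN), fxp1 = external (uplink).
# Addresses and interface names are assumptions, not taken from the thread.

# Explicit defaults in both directions on every interface, so nothing is
# passed merely because no rule matched it.
block in all
block out all

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Internal interface: the state entry is created on the packet as it ENTERS
# from the LAN. Only the opening SYN to the single allowed server is let in;
# replies are matched by the state table, not by a separate rule.
block in on fxp0 all head 10
pass in quick proto tcp from 192.168.1.0/24 to 10.0.0.5 port = 1234 flags S keep state group 10

# External interface: an explicit pass-out for the same connection, again
# limited to the one destination. Whether the state created on fxp0 alone
# would also cover the packet leaving fxp1 depends on how the ipfilter
# version in use binds state entries to interfaces, so the limit is
# restated here rather than assumed.
block out on fxp1 all head 20
pass out quick proto tcp from 192.168.1.0/24 to 10.0.0.5 port = 1234 flags S keep state group 20

# Anything arriving from outside that is not part of an established state
# falls through to the default 'block in all'.
block in on fxp1 all head 30
block in quick proto tcp from any to any flags S/SA group 30
```

With `block in all` and `block out all` at the top, the ruleset behaves the same regardless of the kernel's compiled-in default, and a missing or mistyped destination in a 'pass' rule fails closed instead of silently opening port 1234 to every host.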