Subject: Re: HEADS UP: IPFilter updated to 4.1.1
To: None <current-users@NetBSD.org>
From: Arto Selonen <arto@selonen.org>
List: current-users
Date: 03/31/2004 11:20:17
Hi!

Just found out the first serious problem for the ipv4 case. It seems the
ipf.conf is not followed properly. Here are two rules from a running
system (that used to work just fine before the ipfilter 4.1.1 upgrade):

# for a fxp0 rule chain; before this we've checked interface & valid addr
block in log quick proto tcp/udp from any to any port = 53 head 10041 group 10021

Since these are old 3.4 type groups, there can be only one head, which is
the above. Here is the first rule from the 10041 group:

# GROUP 10041: fxp0 inbound DNS traffic
pass in quick proto udp from any to A.B.C.D port = 53 group 10041

And this is what shows up in the ipmon logs:

31/03/2004 11:04:39.622828 fxp0 @10041:9 b N.N.N.N,N -> A.B.C.D,53 PR udp len 20 67 IN


So, the packet is blocked even though there is a specific rule saying it
should pass. And according to ipmon, the packet was blocked by rule 9
from group 10041 (which is a default block all). Since the first rule
(shown above) is 'quick' and it should match, I can only assume that
there is a bug/problem somewhere.

sendpr'd


(Hypothesis #2: the rule 10041:1 was previously "keep state", but in
trying to get DNS traffic through I removed it, and reloaded the rules
with '/etc/rc.d/ipfilter reload'; maybe the rules work but reloading
doesn't?)


Artsi
-- 
#######======------  http://www.selonen.org/arto/  --------========########
Everstinkuja 5 B 35                               Don't mind doing it.
FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
Finland              tel +358 50 560 4826     Don't know anything about it.
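As an added example (not part of the message above, and not NetBSD or IPFilter code), here is a small Python check that parses ipmon lines of the shape quoted in the mail and flags packets that were blocked by a group's catch-all rule although an explicit pass is expected for that service. The field layout (date, time, interface, @group:rule, action flags, src,port -> dst,port, PR proto, len, direction) is assumed from the single line on the page; the log lines, the catch-all rule numbers and the expected-pass table below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed ipmon line layout, derived from the one line quoted in the mail:
#   DATE TIME IFNAME @GROUP:RULE ACTION SRC,SPORT -> DST,DPORT PR PROTO len HLEN TLEN DIR
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\S+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\S+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s+(?P<direction>\S+)$"
)


@dataclass(frozen=True)
class IpmonEvent:
    ifname: str
    group: int
    rule: int
    action: str      # ipmon flag string, e.g. "b" (block) or "p" (pass)
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str


def parse_ipmon_line(line):
    """Parse one ipmon line; return None for lines that do not match the layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEvent(
        ifname=m["ifname"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=m["sport"],
        dst=m["dst"], dport=m["dport"], proto=m["proto"],
        direction=m["direction"],
    )


def unexpected_blocks(lines, catchall_rule, expected_pass):
    """Return events blocked by a group's catch-all rule even though an
    explicit pass is expected for that (proto, dst, dport).

    catchall_rule: {group number: rule number of its default 'block all'}
    expected_pass: set of (proto, dst, dport) tuples that a pass rule covers
    """
    hits = []
    for line in lines:
        ev = parse_ipmon_line(line)
        if ev is None or "b" not in ev.action:
            continue
        if catchall_rule.get(ev.group) != ev.rule:
            continue  # blocked by a specific rule, not the catch-all
        if (ev.proto, ev.dst, ev.dport) in expected_pass:
            hits.append(ev)
    return hits


# Constructed sample log (RFC 5737 documentation addresses); the first line
# mirrors the symptom in the mail: DNS to the listed host blocked by 10041:9.
SAMPLE_LOG = [
    "31/03/2004 11:04:39.622828 fxp0 @10041:9 b 192.0.2.10,4567 -> 198.51.100.53,53 PR udp len 20 67 IN",
    "31/03/2004 11:04:40.010203 fxp0 @10041:1 p 192.0.2.11,4568 -> 198.51.100.53,53 PR udp len 20 67 IN",
    "31/03/2004 11:04:41.000000 fxp0 @10041:9 b 192.0.2.12,2345 -> 198.51.100.53,5353 PR udp len 20 67 IN",
    "not an ipmon line",
]
CATCHALL = {10041: 9}                               # constructed: group -> default block rule
EXPECTED_PASS = {("udp", "198.51.100.53", "53")}    # constructed: what the pass rule should cover

if __name__ == "__main__":
    for ev in unexpected_blocks(SAMPLE_LOG, CATCHALL, EXPECTED_PASS):
        print(f"catch-all block despite pass rule: group {ev.group} rule {ev.rule} "
              f"{ev.src},{ev.sport} -> {ev.dst},{ev.dport} {ev.proto} {ev.direction}")
```

Running it over a real ipmon file after a rule reload gives a quick answer to the question the mail raises: if the only hits are catch-all blocks on services that have an explicit earlier pass rule, the loaded rule set is not what ipf.conf says, and the next step is to compare `ipfstat -io` output with the file rather than to keep editing rules.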