Subject: Two ipf problems
To: None <netbsd-users@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-users
Date: 10/24/2001 23:18:42
Hi

I'm running an IPFilter based firewall in front of about 800 machines. I
use keep-state rules to enable outgoing traffic, and I have a keep-state
rule for each interface (one in, one out). 

After some time, it's getting hard to initiate a connection: the first
packet passes, according to the filter rules, but the state cache is not
updated. The reply packet comes and is blocked (because the state cache
does not say it should go through). I have to do ipf -F -S to get things
working again. I have to do it regularly using a crontab to get the
machine doing its job correctly.

I'm running 1.5.2/i386. Is there anything particular I should tune? Is
there a known bug? 

Other problem: I rely on keep-state to get ICMP messages about the
outgoing traffic to go in: the only ICMP type I explicitly allow in is
echo request. I expect ICMP port unreachable or ICMP source quench to go
in because of the keep state rule. Reading the sources, this seems fine:

        if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
            (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
            (type != ICMP_PARAMPROB))
                return NULL;

But what happens if the ICMP packet is not sent by the peer machine but
by a router which is in the way? Will the keep-state rule work for this?
Or do I need to explicitly allow ICMP unreachable, source quench, time
exceeded and parameter problem through the firewall to keep these
packets from being blocked?

-- 
Emmanuel Dreyfus
manu@netbsd.org
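Added example (not part of the original message, and not from the IPFilter sources): an ipf.conf fragment showing the second option raised above, i.e. keep-state rules for outgoing traffic plus explicit pass rules for the ICMP error types named in the quoted source check. The interface name fxp0 and the address 192.0.2.0/24 are assumptions; the icmp-type keywords are the ones documented in ipf.conf(5).

```text
# Assumed external interface: fxp0. Assumed internal network: 192.0.2.0/24.
# Outgoing traffic: create state so replies are matched on the way back.
pass out quick on fxp0 proto tcp  from 192.0.2.0/24 to any flags S keep state
pass out quick on fxp0 proto udp  from 192.0.2.0/24 to any keep state
pass out quick on fxp0 proto icmp from 192.0.2.0/24 to any keep state

# Incoming ICMP that is allowed regardless of state: echo request, plus the
# error types an intermediate router may send (the ones tested in the quoted
# source: unreach, squench, redir, timex, paramprob). Redirect is left out
# here on purpose, since accepting redirects from arbitrary routers is a risk.
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type echo
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type unreach
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type squench
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type timex
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type paramprob

# Default deny for everything else coming in.
block in log quick on fxp0 all
```

To tell whether the first problem is the state table filling up rather than a bug, compare the state statistics from ipfstat -s over time (in particular the active-entry count and the number of state additions that failed) with the size the kernel was built with; if the active count sits at the maximum when new connections stop getting state, the table size, not the rules, is the limit.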