Subject: IP-Filter changes wrt keeping state
To: None <tech-net@netbsd.org>
From: Martin J. Laubach <mjl@netbsd.org>
List: tech-net
Date: 11/02/2005 14:39:09
  I recently upgraded my firewall machine from 1.6 to 2.0 and
found that something in ip-filter seems to have changed in a
rather strange way.

  I basically have access lists for each interface. On the internal
one I do

	block in all on internal-IF head 10
	pass out proto tcp from any to any port = 1234 keep state group 10

  and on the external one

	block out all on external-IF head 20
	pass out proto tcp from any to 1.2.3.4 port = 1234 keep state group 20
  Under 1.6 this worked fine, restricting the reachable hosts for port
1234 to 1.2.3.4. Under 2.0, this lets one connect to ANY host on port 1234.

  I'm a bit stumped -- has something dramatic changed or is my ipf.conf
logic flawed?

	mjl