Subject: Re: IP-Filter changes wrt keeping state
To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
From: Martin J. Laubach <mjl@NetBSD.org>
List: tech-net
Date: 11/02/2005 21:30:04
| >  I basically have access lists for each interface. On the internal
| >one I do
| >
| >	block in all on internal-IF head 10
| >	pass out proto tcp from any to any port = 1234 keep state group 10
| >
| >  and on the external one
| >
| >	block out all on external-IF head 20
| >	pass out proto tcp from any to 1.2.3.4 port = 1234 keep state group 20
| >
| >  Under 1.6 this worked fine, restricting the reachable hosts for port
| >1234 to 1.2.3.4. Under 2.0, this lets it connect to ANY host on port 1234.
| 
| Is the rule set supposed to be complete? External has an implicit 'pass in
| all', right? And internal an implicit 'pass out all'? Unless you configure
| your kernel with IPF_DEFAULT_BLOCK...

  Yes, that's a complete minimal ruleset for reproducing the problem.
I do have an IPF_DEFAULT_BLOCK in place and the kernel is in fact 2.1.

NetBSD fw.emsi.priv.at 2.1 NetBSD 2.1 (CACTUS) #0: Tue Oct 25 17:05:57 CEST 2005  mjl@asparagus.emsi.priv.at:/home/users/mjl/netbsd/cvs/src/sys20/arch/i386/compile/CACTUS i386

  Should I upgrade to netbsd-3 to get a more reasonable ip filter?

	mjl