kern/79416: ipf in 4.11 breaks POLA
Spartak Radchenko
spartak at aif.ru
Fri Apr 8 11:00:21 PDT 2005
The following reply was made to PR kern/79416; it has been noted by GNATS.
From: Spartak Radchenko <spartak at aif.ru>
To: freebsd-gnats-submit at FreeBSD.org, devteam at donut.ugcs.caltech.edu
Cc:
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Date: Fri, 08 Apr 2005 21:58:19 +0400
The same applies to tcp rules.
This ruleset worked OK in 4.8, 4.9, 4.10 (all outbound tcp connections,
incoming connections on port 80):
block in log all
pass in quick proto tcp from any to any port = 80
pass out proto tcp from any to any keep state
Yes, I know that such a ruleset is not recommended in the ipfilter how-to, but
it worked anyway.
And I think that "not recommended" doesn't mean "strictly prohibited".
In 4.11 incoming connections to port 80 do not work any more. The
ruleset must be modified:
block in log all
pass in quick proto tcp from any to any port = 80
pass out quick proto tcp from any port = 80 to any
pass out proto tcp from any to any keep state
--
Spartak Radchenko SVR1-RIPE
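Added example (not part of the PR and not ipfilter's own code): a small Python model of ipf's rule evaluation (last matching rule wins unless a matching rule is `quick`) run over the two rulesets quoted above. It models only rule matching, not the state table, and the report does not say why the keep-state path stopped passing the port-80 replies in 4.11; what it shows is that the modified ruleset passes the server's reply from port 80 through an explicit quick rule instead of relying on the `keep state` rule. The client port 40000 is a constructed value.

```python
import re
# Subset of the ipf rule grammar covering the rules quoted in the report
# (assumption: "any" addresses, "port = N", optional log/quick/proto/keep state).
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?\s+(?:all|from\s+\S+(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+\S+(?:\s+port\s*=\s*(?P<dport>\d+))?)(?P<state>\s+keep\s+state)?$"
)

def parse_ruleset(text):
    """Parse one rule per line into dicts; unsupported syntax raises ValueError."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        g = m.groupdict()
        rules.append({"action": g["action"], "dir": g["dir"], "quick": g["quick"] is not None,
                      "proto": g["proto"], "sport": int(g["sport"]) if g["sport"] else None,
                      "dport": int(g["dport"]) if g["dport"] else None,
                      "keep_state": g["state"] is not None})
    return rules

def evaluate(rules, direction, proto, sport, dport):
    """ipf semantics: the last matching rule wins, unless a matching rule is
    'quick', which stops evaluation at once. Returns (action, matching rule)."""
    decision = None
    for r in rules:
        if (r["dir"] == direction and r["proto"] in (None, proto)
                and r["sport"] in (None, sport) and r["dport"] in (None, dport)):
            decision = r
            if r["quick"]:
                break
    return (decision["action"] if decision else "pass"), decision  # no match: ipf passes
# The two rulesets from the report, as quoted above.
RULESET_OLD = """block in log all
pass in quick proto tcp from any to any port = 80
pass out proto tcp from any to any keep state"""
RULESET_NEW = """block in log all
pass in quick proto tcp from any to any port = 80
pass out quick proto tcp from any port = 80 to any
pass out proto tcp from any to any keep state"""
def decide_http(text):
    """Inbound SYN to port 80 and the server's reply from port 80 (constructed client
    port 40000); reports whether the reply is passed only by the keep-state rule."""
    rules = parse_ruleset(text)
    syn_action, _ = evaluate(rules, "in", "tcp", 40000, 80)
    reply_action, reply_rule = evaluate(rules, "out", "tcp", 80, 40000)
    return {"in": syn_action, "out": reply_action, "out_via_state": reply_rule["keep_state"]}
```

Under the old ruleset the reply from port 80 is passed only by the `keep state` rule; under the new one the quick rule for port 80 decides it before that rule is reached.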