kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3

Nick Hale nhale at
Mon Jan 10 03:00:51 PST 2005

The following reply was made to PR kern/75601; it has been noted by GNATS.

From: "Nick Hale" <nhale at>
To: "Giorgos Keramidas" <keramida at>
Cc: <bug-followup at>
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 04:53:29 -0600

 Let's add this in to the fray (this should help justify why I don't think 
 it's a rules issue...).  This does not happen on all of our boxes (most of 
 which are 5.3 boxes, 2 4.10 boxes).  The ruleset from box to box is 
 IDENTICAL.  diff shows nothing different about the 2 files from 2 different 
 servers.  This being said, we have 2 boxes on the same subnet at a 
 datacenter.  They're sequential IP addresses using the same gateway.  One 
 box has this issue, one does not.  Both were updated the exact same way 
 using the exact same sources from cvsup4 (both updated at the same time). 
 The rulesets, again, are identical.  It seems to be a quasi-sporadic issue 
 that is in no way related to the rulesets we are using (I double-checked the 
 syntax using man 5 ipf and the syntax is indeed proper).  This is the main 
 reason why I'm so adamant that it is not the ruleset causing this issue.
 Both boxes are RELENG_5_3 with world/kernel built the same day within 1 hour 
 of each other.

 ipf: IP Filter: v3.4.35 (336)

 That's the same version running on both boxes.  The kernel configs of the 2 
 boxes are identical as well (both have identical hardware) and the kernel 
 configs were copied from one to the other.  I *highly* doubt at this point 
 that it's going to be a rules issue.
 ----- Original Message ----- 
 From: "Giorgos Keramidas" <keramida at>
 To: "Nick Hale" <nhale at>
 Cc: <bug-followup at>
 Sent: Sunday, January 09, 2005 18:15
 Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
 > On 2005-01-10 00:10, Nick Hale <nhale at> wrote:
 >>  Correct.  It should be that way.  Pass in packets from this host to
 >>  any ip locally and pass out packets from any ip locally to this host
 >>  is technically what those rules say.  I've been using that setup now
 >>  since the boxes were running 5.0 without change and it's always
 >>  worked up until now.
 > The fact that it worked until 5.0 is probably a happenstance.  It's not
 > correct.  The correct filter rules are (as of 5.2.1-RELEASE IIRC):
 > pass in any packet destined to a local ip address
 > pass out any packet originating from a local ip address
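As an added illustration, not part of the PR thread and not the reporter's actual ruleset (which the PR does not reproduce), the following ipfilter 3.4 fragment writes out the two rule shapes discussed above: the "trusted host to any local address" form the reporter describes, and the "anchored on the local address" form the reply recommends. The interface name fxp0, the local address 192.0.2.10 and the admin host 203.0.113.5 are assumed placeholder values.

```conf
# Added example, not from the PR. Assumed values: interface fxp0,
# local address 192.0.2.10, administrative host 203.0.113.5.

# Loopback is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Shape described by the reporter: match on the remote (trusted) host and
# let the local side be "any".  Works only as long as no other rule or
# address on the box makes "any" mean something unexpected.
pass in  quick on fxp0 from 203.0.113.5 to any
pass out quick on fxp0 from any to 203.0.113.5

# Shape recommended in the reply: match on the local address itself.
# "keep state" on the inbound SSH rule creates the state entry that lets
# the replies out, so no separate outbound port rule is needed.
pass in  quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state
pass out quick on fxp0 from 192.0.2.10 to any keep state

# Default deny with logging: a session that silently fails shows up in
# ipmon output instead of looking like a TCP timeout at the client.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

Rules use `quick`, so the first match wins and order matters. `ipf -nf /path/to/rules` parses the file without loading it, which is a quick way to check syntax; `ipfstat -io` prints the rules actually loaded, and `ipfstat -hio` adds per-rule hit counts, which is the fastest way to see whether an SSH SYN is reaching a block rule rather than the pass rule on a box that misbehaves.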

More information about the freebsd-bugs mailing list