IPfilter changes?

Daniel Lang dl at leo.org
Tue Apr 22 02:34:24 PDT 2003


Hi Martin,

thanks for your quick reply,

Martin Stiemerling wrote on Tue, Apr 22, 2003 at 11:18:35AM +0200:
[..]
> the stuff below looks ok so far, i.e. it should work.
> Perhaps you can check with 'ipfstat -hio' (it shows the hit counts per 
> rule) where the initial TCP packet from your host 131.159.72.12 is 
> matched against a rule, especially this rule:
> > pass in quick from 131.159.72.12/32 to any

No this rule is not hit, but I did not expect it.
This rule just exists if the host connects to itself but
not using the loopback address.

The initial packet from my ssh test will of course be an
_outgoing_ packet and therefore is not expected to hit an
'in' rule.

However, ...

> If this doesn't help try to replace the state rule with this and check 
> whether this rule has been hit at all.
> > pass out quick proto tcp/udp from any to any keep state keep frags
This rule is hit quite often.


> NEW > pass out quick proto tcp from any to any flags S keep state keep frags
Ok. I will try to change this rule and see if it helps.
YES. If I put this rule in front of the rule above, I immediately
get a connection.

What does that mean? The original rule of mine should be more general,
i.e. include the situation with the SYN flag set. But it doesn't?

Using this rule is a better workaround than to allow all hosts
explicitly, but it still doesn't help me with UDP I guess.

> IP Filter has neither changed rule processing nor a new keyword.
Thanks. I was going to say "it worked before" and "I did not change
anything else", but from my long experience with (l)users, this 
is _always_ a lie. ;-))

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock              - Truth lies in the eye of the beholder - 
 Daniel Lang * dl at leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
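Added example, not part of Daniel's or Martin's messages: an ipf.conf fragment that puts the two outbound rules from the thread side by side and splits UDP into its own stateful rule, since "flags" applies to TCP only. The rule text is the thread's; the explanation in the comments is general IPFilter behaviour, and the trailing block rule is an assumed default, not something the thread shows.

```conf
# Original outbound rule quoted in the thread. It matches every outgoing
# TCP or UDP packet, so "keep state" may create a state entry from any
# packet of a connection, not only from the packet that opens it.
#
#   pass out quick proto tcp/udp from any to any keep state keep frags

# Variant that made the ssh test work. "flags S" matches only packets with
# the SYN flag set and the other flags clear, i.e. the packet that opens a
# TCP connection, so the state table follows the handshake from the start.
pass out quick proto tcp from any to any flags S keep state keep frags

# UDP carries no flags, so it keeps a plain stateful rule of its own.
pass out quick proto udp from any to any keep state keep frags

# Replies to connections opened by the rules above are admitted by the
# state table, so they need no explicit "pass in" rule.
# Assumed default for everything else arriving on the host (not from the thread).
block in log quick all
```

After loading the rules, `ipfstat -hio` (as suggested in the thread) shows the per-rule hit counts, so the first outgoing SYN of a test connection should increment the "flags S" rule and nothing else.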


More information about the freebsd-net mailing list