kern/79416: ipf in 4.11 breaks POLA
Spartak Radchenko
spartak at aif.ru
Fri Apr 8 11:20:08 PDT 2005
The following reply was made to PR kern/79416; it has been noted by GNATS.
From: Spartak Radchenko <spartak at aif.ru>
To: freebsd-gnats-submit at FreeBSD.org, devteam at donut.ugcs.caltech.edu
Cc:
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Date: Fri, 08 Apr 2005 22:14:25 +0400
BTW, UDP is also affected.
Here is my test ruleset for traceroute:
block in log all
pass in quick proto udp from any to any port 33434 >< 33690
pass out proto icmp from any to any keep state
Host with this ruleset can be tracerouted from outside in 4.8, 4.9,
4.10. But not in 4.11. Counter for last rule is incremented for each
outbound icmp unreach, however. Is it a bug or not? I am not sure.
And this ruleset works in 4.11:
block in log all
pass in quick proto udp from any to any port 33434 >< 33690
pass out quick proto icmp from any to any icmp-type unreach
pass out proto icmp from any to any keep state
--
Spartak Radchenko SVR1-RIPE
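Added example (not part of the report above, and not ipf's own code): a small Python model of how ipf picks the deciding rule for a packet, run over the two rulesets from the report. It follows the documented ipf.conf(5) semantics, which are assumed here: rules are scanned in order, the last matching rule decides unless a matching rule is marked `quick`, which decides on the spot, and `port a >< b` is an exclusive range. State tracking is deliberately not modelled, so it cannot reproduce the 4.11 behaviour; what it shows is which rule each packet's fate rests on: in the first ruleset the outbound ICMP unreach depends entirely on the stateful rule, while in the second the stateless `quick` rule decides before state is ever consulted. The `Packet`, `Rule`, `parse_rule`, `load_ruleset` and `decide` names are this example's own.

```python
"""Model of ipf rule selection, applied to the two traceroute rulesets."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rulesets copied from the report: the first fails on 4.11, the second works.
RULESET_BROKEN_ON_411 = """\
block in log all
pass in quick proto udp from any to any port 33434 >< 33690
pass out proto icmp from any to any keep state
"""

RULESET_WORKS_ON_411 = """\
block in log all
pass in quick proto udp from any to any port 33434 >< 33690
pass out quick proto icmp from any to any icmp-type unreach
pass out proto icmp from any to any keep state
"""


@dataclass
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "udp", "tcp", "icmp"
    dport: int = 0          # destination port (udp/tcp)
    icmp_type: str = ""     # ipf icmp-type keyword, e.g. "unreach"


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    proto: str = "any"
    port_lo: Optional[int] = None   # exclusive lower bound of 'port a >< b'
    port_hi: Optional[int] = None   # exclusive upper bound
    icmp_type: str = ""
    quick: bool = False
    keep_state: bool = False
    hits: int = 0           # per-rule match counter, like ipfstat shows

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.port_lo is not None and not (self.port_lo < pkt.dport < self.port_hi):
            return False
        if self.icmp_type and self.icmp_type != pkt.icmp_type:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the report's rulesets."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("log", "all"):            # 'log' does not change the decision
            i += 1
        elif tok == "quick":
            rule.quick = True
            i += 1
        elif tok == "proto":
            rule.proto = toks[i + 1]
            i += 2
        elif tok in ("from", "to"):          # only 'any' addresses in this subset
            if toks[i + 1] != "any":
                raise ValueError("only 'any' addresses are supported: " + line)
            i += 2
        elif tok == "port" and toks[i + 2] == "><":
            rule.port_lo, rule.port_hi = int(toks[i + 1]), int(toks[i + 3])
            i += 4
        elif tok == "icmp-type":
            rule.icmp_type = toks[i + 1]
            i += 2
        elif tok == "keep" and toks[i + 1] == "state":
            rule.keep_state = True
            i += 2
        else:
            raise ValueError("unsupported token %r in rule: %s" % (tok, line))
    return rule


def load_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def decide(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (index of deciding rule, action); (None, "pass") if nothing matched."""
    deciding: Optional[int] = None
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            rule.hits += 1          # every matching rule is counted
            deciding = idx
            if rule.quick:          # 'quick' ends the scan at this rule
                break
    if deciding is None:
        return None, "pass"         # ipf passes packets that match no rule
    return deciding, rules[deciding].action


if __name__ == "__main__":
    probe = Packet("in", "udp", dport=33435)               # traceroute probe
    unreach = Packet("out", "icmp", icmp_type="unreach")   # our ICMP reply to it
    for name, text in (("broken on 4.11", RULESET_BROKEN_ON_411),
                       ("works on 4.11", RULESET_WORKS_ON_411)):
        rules = load_ruleset(text)
        for pkt in (probe, unreach):
            idx, action = decide(rules, pkt)
            r = rules[idx]
            print("%-14s %-3s %-4s -> rule %d: %s%s%s" % (
                name, pkt.direction, pkt.proto, idx, action,
                " quick" if r.quick else "", " keep state" if r.keep_state else ""))
```

Running it prints the deciding rule for the inbound probe and the outbound unreach under each ruleset; the useful check for your own rulesets is the same: if a reply packet's only deciding rule is a `keep state` rule, its delivery depends on the state engine, and a stateless `quick` pass in front of it removes that dependency.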