kern/79416: ipf in 4.11 breaks POLA

Giorgos Keramidas keramida at freebsd.org
Fri Apr 8 18:02:48 PDT 2005


On 2005-04-08 18:00, Spartak Radchenko <spartak at aif.ru> wrote:
> This ruleset worked OK in 4.8, 4.9, 4.10 (all outbound tcp
> connections, incoming connections on port 80):
>
> block in log all
> pass in quick proto tcp from any to any port = 80
> pass out proto tcp from any to any keep state
>
> Yes, I know that such a ruleset is not recommended in the ipfilter how-to,
> but it worked anyway.

The correct way to do the same thing is:

    block in log all
    pass in quick proto tcp from any to any port = 80 keep state
    pass out proto tcp from any to any keep state

You're missing a "keep state" in the incoming rule.

> And I think that "not recommended" doesn't mean "strictly prohibited".

IMHO, it does mean "not guaranteed to work" though ;-)

> In 4.11 incoming connections to port 80 do not work any more. The
> ruleset must be modified:
>
> block in log all
> pass in quick proto tcp from any to any port = 80
> pass out quick proto tcp from any port = 80 to any
> pass out proto tcp from any to any keep state

This is still wrong.
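As an added illustration, not part of the original mail or of ipf itself, the following Python model reproduces the documented ipf semantics the reply relies on: rules are evaluated in order, the last match wins unless a rule says "quick", a packet that matches nothing is passed, and a matching "pass ... keep state" rule records the flow so that later packets in either direction are passed from the state table. Run on the first quoted ruleset and on the corrected one, it shows that without "keep state" on the inbound rule the server's reply packets fall through to rule lookup, whereas with it they are passed from state. Assumed: the addresses 192.0.2.1 (our web server) and 198.51.100.7 (a client) are constructed, "proto" is not modelled, and nothing version-specific about 4.11 is modelled.

```python
RULES_ORIGINAL = """
block in log all
pass in quick proto tcp from any to any port = 80
pass out proto tcp from any to any keep state
"""
RULES_FIXED = RULES_ORIGINAL.replace("port = 80", "port = 80 keep state")

def parse_rule(line):
    """Parse the ipf subset used above (only "port = N"; "proto" is not modelled)."""
    tok = line.split()
    r = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
         "keep_state": "keep" in tok, "sport": None, "dport": None}
    side = None
    for i, t in enumerate(tok):
        if t in ("from", "to"):  # a port after "from" is a source port
            side = "sport" if t == "from" else "dport"
        elif t == "port":
            r[side] = int(tok[i + 2])
    return r

def matches(r, p):
    return (r["dir"] == p["dir"] and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"]))

class Ipf:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
        self.state = set()  # flows passed without consulting the rules

    def check(self, p):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in self.state:
            return ("pass", "state")
        winner = {"action": "pass", "keep_state": False}  # ipf default: pass
        for r in self.rules:  # last match wins unless the rule says "quick"
            if matches(r, p):
                winner = r
                if r["quick"]:
                    break
        if winner["action"] == "pass" and winner["keep_state"]:
            self.state.add(key)  # record both directions of the flow
            self.state.add((p["dst"], p["dport"], p["src"], p["sport"]))
        return (winner["action"], "rule")

def trace(ruleset):
    """Constructed sample: a client opens a TCP connection to our web server."""
    fw = Ipf(ruleset)
    syn_in = dict(dir="in", src="198.51.100.7", sport=40000, dst="192.0.2.1", dport=80)
    synack_out = dict(dir="out", src="192.0.2.1", sport=80, dst="198.51.100.7", dport=40000)
    return [fw.check(syn_in), fw.check(synack_out)]
```

`trace(RULES_ORIGINAL)` returns `[('pass', 'rule'), ('pass', 'rule')]` while `trace(RULES_FIXED)` returns `[('pass', 'rule'), ('pass', 'state')]`.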

