kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)

Manuel Tobias Schiller mala at hinterbergen.de
Thu Dec 7 03:00:50 PST 2006


The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Manuel Tobias Schiller <mala at hinterbergen.de>
To: Remko Lodder <remko at elvandar.org>
Cc:  
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 11:51:26 +0100

 Hello,
 
 thanks for the quick reply.
 
 On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 > Hello,
 > 
 > 
 > > My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
 > > 
 > > pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
 > > pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
 > > block out quick on hme3
 > > 
 > > block in quick on hme3
 > > 
 > > On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
 > > 
 > > dig @192.168.x.y www.freebsd.org
 > > 
 > > would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
 > > 
 > > I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
 > > 
 > 
 > 	First of all thanks for using FreeBSD!
 
 Thanks for making a fine OS which has not let me down for quite some time.
 (Had the old machine's hardware not died, I would still be perfectly happy
 with it ;)
 In fact, using FreeBSD makes it much less of a pain to set up a decent
 server/router/firewall than most other OSs that I've seen (if you prefer
 to know what happens on your machine - if you don't care, most Linux
 distros are probably ok as well ;).
 
 > 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 > 	can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
 > 	of hits on the rule)
 
 I'll do that tonight and let you know what happens. (I've had a look at the
 output of ipfstat, but I don't remember what ipmon logs right now.)
 However, from what I remember, ipfstat shows that the pass rule for
 udp domain packets triggers and packets out pass; on the way in, the block
 rule in the inbound section triggers and blocks the replies. I only have
 the three rules I mentioned above on the interface in question.
  
 > 	Thanks in advance
 
 What for? I have asked for help. ;) So thanks for providing a start.
 
 > -- 
 > Kind regards,
 > 
 >      Remko Lodder               ** remko at elvandar.org
 >      FreeBSD                    ** remko at FreeBSD.org
 > 
 >      /* Quis custodiet ipsos custodes */
 > 
 
 Kind regards,
 
 Manuel Schiller
 
 -- 
 Homepage: http://www.hinterbergen.de/mala
 OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)
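The behaviour the report expects from the quoted rules is that an outbound packet matched by a `pass ... keep state` rule creates a state-table entry, and the reply is then admitted by the state table before the rule list (and therefore before `block in quick`) is consulted at all. The following is an added illustration of that mechanism as a small Python model; it is not ipfilter's code, the addresses and ports are constructed placeholders (192.168.1.2 stands in for the 192.168.x.x of the report), and the `reverse_lookup=False` switch only reproduces the reported symptom (a state entry that exists but does not catch the reply); it is not a claim about what the actual defect on sparc64 was.

```python
# Added example: a minimal model of ipfilter-style 'keep state' handling.
# Not ipfilter's implementation; addresses/ports below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # initial TCP SYN, what 'flags S' selects


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: str
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # None matches any source address
    dport: Optional[int] = None     # None matches any destination port
    flags_s: bool = False           # 'flags S': only SYN packets match
    keep_state: bool = False
    quick: bool = True

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.iface == self.iface
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or p.src == self.src)
                and (self.dport is None or p.dport == self.dport)
                and (not self.flags_s or (p.proto == "tcp" and p.syn)))


class StatefulFilter:
    def __init__(self, rules, reverse_lookup=True):
        self.rules = list(rules)
        self.state = set()              # 5-tuples as seen on the outbound side
        self.reverse_lookup = reverse_lookup

    def _key(self, p: Packet):
        if p.direction == "out" or not self.reverse_lookup:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        # A reply is the outbound 5-tuple with the endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.state:           # state table wins before any rule
            return "pass (state)"
        final = None
        for r in self.rules:
            if r.matches(p):
                final = r
                if r.quick:             # 'quick': first match decides
                    break
        if final is None:
            return "pass (default)"     # ipf passes when no rule matches
        if final.action == "pass" and final.keep_state:
            self.state.add(key)
        return f"{final.action} (rule)"


HOST = "192.168.1.2"        # placeholder for the report's 192.168.x.x
RESOLVER = "192.168.1.1"    # placeholder for the report's 192.168.x.y

# The four rules quoted in the report, in order.
RULES = [
    Rule("pass", "out", "hme3", proto="tcp", src=HOST, dport=53,
         flags_s=True, keep_state=True),
    Rule("pass", "out", "hme3", proto="udp", src=HOST, dport=53,
         keep_state=True),
    Rule("block", "out", "hme3"),
    Rule("block", "in", "hme3"),
]


def dns_exchange(reverse_lookup=True):
    """Outbound UDP query, its reply, and an unsolicited packet."""
    fw = StatefulFilter(RULES, reverse_lookup)
    query = Packet("out", "hme3", "udp", HOST, 53201, RESOLVER, 53)
    reply = Packet("in", "hme3", "udp", RESOLVER, 53, HOST, 53201)
    stray = Packet("in", "hme3", "udp", "10.0.0.5", 53, HOST, 53201)
    return [fw.check(query), fw.check(reply), fw.check(stray), len(fw.state)]


def tcp_dns_exchange():
    """'flags S' admits only the SYN; everything else hits block out."""
    fw = StatefulFilter(RULES)
    syn = Packet("out", "hme3", "tcp", HOST, 40001, RESOLVER, 53, syn=True)
    synack = Packet("in", "hme3", "tcp", RESOLVER, 53, HOST, 40001)
    http = Packet("out", "hme3", "tcp", HOST, 40002, RESOLVER, 80, syn=True)
    nonsyn = Packet("out", "hme3", "tcp", HOST, 40003, RESOLVER, 53)
    return [fw.check(syn), fw.check(synack), fw.check(http), fw.check(nonsyn)]
```

With the reversed lookup the reply passes on the state entry and the unsolicited packet hits `block in quick`; with `reverse_lookup=False` the state entry still exists (what `ipfstat -t` would list) but the reply falls through to the inbound block rule, which is exactly the pattern of symptoms described in the report.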

