kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)

Manuel Tobias Schiller mala at hinterbergen.de
Fri Dec 8 00:40:20 PST 2006


The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Manuel Tobias Schiller <mala at hinterbergen.de>
To: Remko Lodder <remko at elvandar.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Fri, 8 Dec 2006 09:38:33 +0100

 
 Hello,
 
 I've gathered the information you have asked for, see the attachment.
 I hope it helps us to get an idea of what's going wrong. Any help with
 this would be appreciated.
 
 Thanks in advance.
 
 Manuel
 
 P.S. I did the | grep hme3 in the attachment to not clutter the output
 with irrelevant stuff. All other rules are bound to their respective
 interface (hme0, hme1, hme2, le0) and should not influence hme3.
 Besides, there's a lot of traffic going on on le0 which does not need to
 be mentioned in the ipfstat output because the machine in question is
 headless and can only be reached with a serial line (with a laptop down
 in the cellar) or a dedicated network interface (le0, for which I
 need to have rules that pass everything).
 
 On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
 > Hello,
 > 
 > 
 > 	First of all thanks for using FreeBSD!
 > 
 > 	If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
 > 	can review that rule with ipfstat -hion (list everything in and out, do not resolve and show the number
 > 	of hits on the rule)
 > 
 > 	Thanks in advance
 > 
 > -- 
 > Kind regards,
 > 
 >      Remko Lodder               ** remko at elvandar.org
 >      FreeBSD                    ** remko at FreeBSD.org
 > 
 >      /* Quis custodiet ipsos custodes */
 > 
 
 -- 
 Homepage: http://www.hinterbergen.de/mala
 OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)
 
 [Attachment: moo.txt]
 
 192.168.x.x	FreeBSD machine having the problem
 192.168.x.y	dsl router running a caching dns server
 		(works fine without the firewall on the FreeBSD box, I use
 		this one for testing because I know its IP address by heart)
 
 neither of these two addresses is equal to the broadcast or network address
 (I mention this here just to make sure you don't think I did something like this...)
 
 router# ipfstat -hion | grep hme3; echo; ipmon -Fva
 0 @14 pass out quick on hme3 proto tcp from 192.168.x.x/32 to any port = domain flags S/FSRPAU keep state
 602 @15 pass out quick on hme3 proto udp from any to any port = domain keep state
 45115 @16 block out log first on hme3 all
 31242 @33 block in log first on hme3 all
 
 0 bytes flushed from log buffer
 0 bytes flushed from log buffer
 352 bytes flushed from log buffer
 
 [ ran two dig commands on other console, look for STATE: NEW ]
 
 08/12/2006 07:20:05.509612 STATE:NEW 192.168.x.x,58286 -> 192.168.y.y,53 PR udp
 08/12/2006 07:20:10.264314 hme3 @0:33 b 192.168.y.y,3670 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:10.499382 hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 128 IN bad
 08/12/2006 07:20:11.264285 hme3 @0:33 b 192.168.y.y,3670 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:15.264215 hme3 @0:33 b 192.168.y.y,3671 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:15.500616 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58286 PR udp len 20 80 IN bad
 08/12/2006 07:20:16.264197 hme3 @0:33 b 192.168.y.y,3671 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:20.304953 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:30.304837 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:40.304459 hme3 @0:33 b 192.168.y.y,3672 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:41.087241 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:41.304457 hme3 @0:33 b 192.168.y.y,3672 -> 192.168.x.x,123 PR udp len 20 76 IN bad
 08/12/2006 07:20:41.086611 STATE:NEW 192.168.x.x,58673 -> 192.168.y.y,53 PR udp
 08/12/2006 07:20:46.088779 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:46.304633 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:20:51.090349 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
 08/12/2006 07:20:56.304463 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 08/12/2006 07:21:06.304335 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
 ^C
 router# ipfstat -hion | grep hme3
 0 @14 pass out quick on hme3 proto tcp from 192.168.x.x/32 to any port = domain flags S/FSRPAU keep state
 604 @15 pass out quick on hme3 proto udp from any to any port = domain keep state
 45115 @16 block out log first on hme3 all
 31297 @33 block in log first on hme3 all
 router#
 
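The attachment above is the whole case in miniature: ipmon prints STATE:NEW for the outbound UDP query to port 53, and a few seconds later the reply from port 53 back to the same ephemeral port is logged as blocked by the catch-all "block in log first on hme3 all" rule (@33), which is exactly what keep state should have prevented. The script below is an added example (not part of the PR, not ipfilter's own tooling) that makes that check mechanical: it parses ipmon -a output, records every state entry, and reports any blocked inbound packet that is the exact reverse of a tracked flow and arrived after the state was created. The sample input is a subset of the log lines from the attachment, with the reporter's anonymized 192.168.x.x / 192.168.y.y addresses kept as-is; the line layout it assumes is the ipmon format shown there (timestamp, optional "Nx" repeat count, interface, @group:rule, action, flow, proto, lengths, direction).

```python
"""Correlate ipmon(8) STATE:NEW entries with blocked inbound packets.

Added analysis helper, not part of ipfilter or of the PR. It answers one
question from an ipmon -a log: were inbound packets dropped that are the
reverse of a flow ipfilter had just created state for? That is the symptom
the attachment shows for rule @0:33.
"""
import re
from datetime import datetime

# Sample input: lines copied from the PR attachment (reporter's anonymized
# addresses). Note the STATE:NEW for port 58673 is printed *after* the first
# blocked reply to it; ipmon output is not strictly time ordered.
SAMPLE_LOG = """\
08/12/2006 07:20:05.509612 STATE:NEW 192.168.x.x,58286 -> 192.168.y.y,53 PR udp
08/12/2006 07:20:10.264314 hme3 @0:33 b 192.168.y.y,3670 -> 192.168.x.x,123 PR udp len 20 76 IN bad
08/12/2006 07:20:15.500616 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58286 PR udp len 20 80 IN bad
08/12/2006 07:20:20.304953 2x hme3 @0:33 b 192.168.y.y,514 -> 192.168.x.x,514 PR udp len 20 132 IN bad
08/12/2006 07:20:41.087241 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
08/12/2006 07:20:41.086611 STATE:NEW 192.168.x.x,58673 -> 192.168.y.y,53 PR udp
08/12/2006 07:20:46.088779 hme3 @0:33 b 192.168.y.y,53 -> 192.168.x.x,58673 PR udp len 20 80 IN bad
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{6})"
ADDR = r"([^\s,]+),(\d+)"  # host,port as ipmon prints it
STATE_RE = re.compile(TS + r" STATE:NEW " + ADDR + r" -> " + ADDR + r" PR (\w+)")
BLOCK_RE = re.compile(
    TS + r" (?:\d+x )?(\w+) @(\d+:\d+) b " + ADDR + r" -> " + ADDR
    + r" PR (\w+) len \d+ \d+ (IN|OUT)"
)


def _ts(text):
    # ipmon here prints day/month/year; the report is dated 8 Dec 2006.
    return datetime.strptime(text, "%d/%m/%Y %H:%M:%S.%f")


def parse_states(log_text):
    """Map (proto, src, sport, dst, dport) -> creation time for each STATE:NEW line."""
    states = {}
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, proto = m.groups()
            states[(proto, src, sport, dst, dport)] = _ts(ts)
    return states


def parse_blocks(log_text):
    """Yield one dict per 'b' (block) line, inbound or outbound."""
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            ts, ifname, rule, src, sport, dst, dport, proto, direction = m.groups()
            yield {"time": _ts(ts), "if": ifname, "rule": rule,
                   "src": src, "sport": sport, "dst": dst, "dport": dport,
                   "proto": proto, "dir": direction}


def blocked_replies(log_text):
    """Blocked inbound packets that reverse a state entry created before them.

    Two passes (states first, then blocks) so that out-of-order ipmon output,
    as in the sample, still correlates; the timestamp check keeps a reply
    from matching a state that was only created later.
    """
    states = parse_states(log_text)
    hits = []
    for pkt in parse_blocks(log_text):
        if pkt["dir"] != "IN":
            continue
        # The state was keyed on the outbound direction; flip the packet.
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        created = states.get(key)
        if created is not None and pkt["time"] >= created:
            hits.append({**pkt, "state_created": created})
    return hits


def rules_blocking_replies(log_text):
    """Count blocked replies per ipfilter rule, e.g. {'0:33': 3}."""
    counts = {}
    for hit in blocked_replies(log_text):
        counts[hit["rule"]] = counts.get(hit["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in blocked_replies(SAMPLE_LOG):
        print(f"{hit['time']} rule @{hit['rule']} on {hit['if']} dropped reply "
              f"{hit['src']},{hit['sport']} -> {hit['dst']},{hit['dport']} "
              f"({hit['proto']}); state existed since {hit['state_created']}")
    print(rules_blocking_replies(SAMPLE_LOG))
```

On the sample it reports three dropped replies, all by rule 0:33, which lines up with the hit counter on @33 climbing between the two ipfstat runs while @15's counter only rises by the two queries. Unrelated inbound noise (NTP to 123, syslog to 514) has no matching state and is left out, so the output isolates the state-tracking failure from ordinary policy drops.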