bin/98978: ipfilter drops OOW packets under 6.1-Release
Nicholas von Waltsleben
nicv at korbitec.com
Thu Jun 15 11:30:26 UTC 2006
>Number: 98978
>Category: bin
>Synopsis: ipfilter drops OOW packets under 6.1-Release
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 15 11:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Nicholas von Waltsleben
>Release: 6.1
>Organization:
Korbitec
>Environment:
FreeBSD 6.1-RELEASE-p1 FreeBSD 6.1-RELEASE-p1 #0: Wed Jun 14 09:24:56 SAST 2006 root@:/usr/obj/usr/src/sys/CUSTOM i386
>Description:
ipfilter blocks OOW packets even though a connection has been established with a keep state rule.
ipfstat -ni
@17 pass in quick on em0 proto tcp from any to 196.7.156.157/32 port = http flags S/FSRPAU keep state group 1
ipmon -oI
14/06/2006 16:17:36.157851 em0 @1:20 b 192.96.88.227,1904 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW
>How-To-Repeat:
>Fix:
Don't make stateful rules, i.e.:
pass in quick on fxp0 proto tcp from any to 10.10.10.10 port = 80
..
..
pass out quick on fxp0 proto tcp from 10.10.10.10 port = 80 to any
>Release-Note:
>Audit-Trail:
>Unformatted:
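Added example, not part of the original report: a Python tally of blocked OOW entries in ipmon output, grouped by rule and destination, with a separate count of those that were bare SYNs like the one logged above. The field layout is inferred from the single ipmon line quoted in the report, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Layout inferred from the ipmon line in the report (an assumption):
# date time iface @group:rule action src,port -> dst,port PR proto len hlen plen [-FLAGS] IN|OUT [OOW]
IPMON_RE = re.compile(
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<tail>.*)$"
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("tail").split()
    rec["flags"] = next((t[1:] for t in tail if t.startswith("-")), "")
    rec["direction"] = next((t for t in tail if t in ("IN", "OUT")), "")
    rec["oow"] = "OOW" in tail
    return rec

def oow_blocks(lines):
    """Count blocked OOW packets per (rule, dst, dport); also count bare SYNs among them."""
    totals, syns = Counter(), Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if not rec or rec["action"] != "b" or not rec["oow"]:
            continue
        key = ("@%s:%s" % (rec["group"], rec["rule"]), rec["dst"], int(rec["dport"]))
        totals[key] += 1
        if rec["flags"] == "S":
            syns[key] += 1
    return totals, syns

SAMPLE = [
    # First line is the one quoted in the report; the rest are constructed.
    "14/06/2006 16:17:36.157851 em0 @1:20 b 192.96.88.227,1904 -> 196.7.156.157,80 PR tcp len 20 44 -S IN OOW",
    "14/06/2006 16:17:37.000001 em0 @1:20 b 192.0.2.10,40001 -> 198.51.100.5,80 PR tcp len 20 40 -A IN OOW",
    "14/06/2006 16:17:38.000002 em0 @1:17 p 192.0.2.11,40002 -> 198.51.100.5,80 PR tcp len 20 44 -S IN",
    "14/06/2006 16:17:39.000003 em0 @0:3 b 192.0.2.12,40003 -> 198.51.100.5,22 PR tcp len 20 44 -S IN",
]

if __name__ == "__main__":
    totals, syns = oow_blocks(SAMPLE)
    for key, n in totals.most_common():
        print(key, "blocked OOW:", n, "of which SYN-only:", syns[key])
```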