[Bug 236292] sbin/ipfw doesn't allow returning packets with limit-source address

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Mar 5 19:26:31 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236292

            Bug ID: 236292
           Summary: sbin/ipfw doesn't allow returning packets with
                    limit-source address
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: driesm.michiels at gmail.com

Hi,

After upgrading from source from r343710 to r344737 the behavior of
limit-source address changed.

I have rules like this (which skip to after my IPv4 NAT rule, where an accept-all
rule is):

skipto 10000 ip4 from any to me 443 in recv em0 proto tcp limit src-addr 10

Although after my upgrade, these packets don't get allowed out.
When I change the rule to the below one it works just fine.

skipto 10000 ip4 from any to me 443 in recv em0 proto tcp keep-state


I see the dynamic rule getting installed with LIMIT:
[/usr/src]$ sudo ipfw show -d |grep LIMIT
00000        2         120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000        3         180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000        3         180 (296s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default

Although I see the returning packets getting denied:
Mar  5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar  5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar  5 20:23:19 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar  5 20:23:22 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0

Can somebody help me out with this? Did the behavior of limit source address
change?

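The diagnostic the report performs by eye, comparing the `ipfw show -d` state table against the kernel's deny log for the same connection, can be scripted so the mismatch is found mechanically. The following is an added example, not part of the bug report or of FreeBSD's ipfw; it assumes only the two output formats quoted above (the `LIMIT` lines of `ipfw show -d` and the `ipfw: <rule> Deny ...` kernel log format). The sample input embeds the report's own lines, re-joined onto single lines, plus one constructed deny line for a flow with no state so that the filter has something to exclude.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the LIMIT entries and deny lines quoted in the bug report,
# plus one extra deny line (10.0.0.5 / 192.0.2.9) made up here for a flow without state.
IPFW_SHOW_D = """\
00000        2         120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000        3         180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
"""

KERNEL_LOG = """\
Mar  5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar  5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar  5 20:23:19 vados kernel: ipfw: 9999 Deny TCP 10.0.0.5:443 192.0.2.9:40000 out via em0
"""

# One dynamic-state line: counters, (ttl), kind (LIMIT/STATE), proto, addr port <-> addr port
DYN_RE = re.compile(
    r"^\d+\s+\d+\s+\d+\s+\((\d+)s\)\s+(\S+)\s+(\w+)\s+(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)"
)
# One kernel deny line: rule number, proto, src:port dst:port, direction, interface
DENY_RE = re.compile(
    r"ipfw:\s+(\d+)\s+Deny\s+(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(in|out)\s+via\s+(\S+)"
)

Flow = Tuple[str, str, int, str, int]  # (proto, addr, port, addr, port) in canonical order


def canonical(proto: str, a: str, pa: int, b: str, pb: int) -> Flow:
    """Order the two endpoints so both directions of a connection share one key."""
    proto = proto.lower()
    if (a, pa) <= (b, pb):
        return (proto, a, pa, b, pb)
    return (proto, b, pb, a, pa)


def parse_dynamic_states(text: str) -> Dict[Flow, dict]:
    """Parse `ipfw show -d` output into {flow: {"kind": ..., "ttl": ...}}."""
    states: Dict[Flow, dict] = {}
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if not m:
            continue  # static rules or other lines are ignored
        ttl, kind, proto, a, pa, b, pb = m.groups()
        states[canonical(proto, a, int(pa), b, int(pb))] = {"kind": kind, "ttl": int(ttl)}
    return states


def parse_denies(text: str) -> List[dict]:
    """Parse ipfw deny log lines into dicts with rule, proto, endpoints, direction."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rule, proto, src, sp, dst, dp, direction, iface = m.groups()
        denies.append({
            "rule": int(rule), "dir": direction, "iface": iface,
            "flow": canonical(proto, src, int(sp), dst, int(dp)),
        })
    return denies


def denies_with_existing_state(show_d: str, log: str) -> List[dict]:
    """Deny events whose 5-tuple already has a dynamic state entry.

    A packet in either direction of a flow with live state should be matched by the
    check-state / limit rule, so a deny for it points at the state lookup, not the ruleset.
    """
    states = parse_dynamic_states(show_d)
    hits = []
    for d in parse_denies(log):
        st = states.get(d["flow"])
        if st is not None:
            hits.append({**d, "state": st["kind"], "ttl": st["ttl"]})
    return hits


if __name__ == "__main__":
    for h in denies_with_existing_state(IPFW_SHOW_D, KERNEL_LOG):
        print(f"rule {h['rule']} denied {h['dir']} via {h['iface']} for flow "
              f"{h['flow']} although {h['state']} state exists (ttl {h['ttl']}s)")
```

On a live box the two inputs would come from `ipfw show -d` and the system log; any output from this script for an `out` packet means the return half of a flow with state reached the deny rule, which is exactly the symptom the report describes.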