Help with IP Filter 4.1.8

Giorgos Keramidas keramida at ceid.upatras.gr
Mon Feb 27 06:50:59 PST 2006


On 2006-02-27 18:48, Roman Serbski <mefystofel at gmail.com> wrote:
>On 2/27/06, Erik Nørgaard <norgaard at locolomo.org> wrote:
>> Could you change your last rule to this:
>>
>> block in log quick on xl0 all
>>
>> and then tell what you see in the log. This would give some information
>> if any traffic is blocked in the first place. Actually, adding the log
>> keyword to all rules for the xl0 interface might be a good idea for
>> debugging.
>>
>> Also, is this the complete ruleset or did you remove rules you thought
>> were irrelevant? If so, then post the whole ruleset.
>
> Thank you. I removed 'flags' as it was suggested by Giorgos Keramidas
> but it didn't help.
>
> This is not the complete ruleset, I mean there are a lot of other
> rules, but I removed everything to be sure and left only outgoing
> 53/udp, 53/tcp. Once again, I checked this ruleset on 5.3-STABLE with
> ipf v3.4.35 (336) and it worked well.
>
> Adding the 'log' keyword produced the following record:
>
> xl0 @0:2 b XXX.XXX.XXX.XXX,53 -> YYY.YYY.YYY.YYY,60808 PR udp len 20 298 IN bad
>
> where XXX - is IP address of DNS server of ISP, and YYY is the server
> I'm running ipf on. There was a hit on a rule allowing outgoing 53/udp
> and it seems like the response from DNS server was blocked. Outgoing
> port number returned by YYY is always changing - on a second run it
> was 51212.
>
> Of course I can allow incoming connections to ports > 1024, but I
> really would like to understand why it was working with ipf v3.4.35
> and not with v4.1.8.
>
> Once again, thank you all for your help.

It looks like the stateful rule didn't succeed in creating a state for
the outgoing UDP packet:

    pass out quick on lo0 from any to any
    pass out quick on xl0 proto tcp from any to any port = domain flags S/FSRPAU keep state
=>  pass out quick on xl0 proto udp from any to any port = domain keep state
    block out log quick on xl0 all

I'm not sure why this would happen though.
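As an added example that is not part of the thread: a small Python parser for ipmon log lines of the shape quoted above, which pairs each blocked inbound packet with the outbound packet it answers, so that while debugging a ruleset you can see at a glance which replies a `keep state` rule should have covered. The two sample lines, the addresses and the rule numbers are constructed placeholders, and the parser assumes lines without a leading timestamp, exactly as quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape quoted above: an outbound DNS query that was
# passed, followed by the ISP resolver's reply being blocked on the way in.
SAMPLE_LOG = """\
xl0 @0:3 p 192.0.2.10,60808 -> 198.51.100.1,53 PR udp len 20 60 OUT
xl0 @0:2 b 198.51.100.1,53 -> 192.0.2.10,60808 PR udp len 20 298 IN bad
"""

# iface @group:rule action src,sport -> dst,dport PR proto len hlen plen DIR [flags...]
LINE_RE = re.compile(
    r"^(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)(?P<flags>.*)$"
)


@dataclass
class Entry:
    iface: str
    rule: str        # "group:rule" as printed by ipmon
    action: str      # 'p' passed, 'b' blocked
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str   # "IN" or "OUT"
    flags: Tuple[str, ...]  # trailing tokens such as "bad", kept verbatim


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ipmon line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["iface"], f"{m['group']}:{m['rule']}", m["action"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                 m["proto"], m["dir"], tuple(m["flags"].split()))


def blocked_replies(log: str) -> List[Entry]:
    """Inbound blocked entries whose 5-tuple reverses an earlier passed
    outbound entry: replies a working 'keep state' rule should have let in."""
    flows, hits = set(), []
    for raw in log.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e.direction == "OUT" and e.action == "p":
            flows.add((e.proto, e.src, e.sport, e.dst, e.dport))
        elif e.direction == "IN" and e.action == "b" and \
                (e.proto, e.dst, e.dport, e.src, e.sport) in flows:
            hits.append(e)
    return hits
```

Feed it the output of `ipmon` with `log` added to the outbound and block rules; each entry it returns names the blocking rule number to look up with `ipfstat -nio`.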
