Date: Mon, 9 Aug 2010 13:53:09 +0100
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Eugenijus Urbonas <eugenijusu@inbox.lv>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipf filter: froblem with "keep state" or "flags S" parameter
Message-ID: <20100809125309.GA82821@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <4C5FF2DF.6090102@inbox.lv>
References: <4C5FF2DF.6090102@inbox.lv>

On Mon, Aug 09, 2010 at 03:21:51PM +0300, Eugenijus Urbonas wrote:
> Hello!
> Some time ago I already had business with ipf and everything was ok (I
> used manual to create rules), server worked perfectly.
> Now I'm trying to set up the same server, but with newer version of
> FreeBSD (8.1-RELEASE), the same manuals, the same settings, everything
> works except firewall, and there is something strange:
> for example, I have rules in my /etc/ipf.rules:
>
> Code:
>
> pass out quick on fxp0 all
> pass in log quick on fxp0 proto tcp from any to any port = 80
> block in log first quick on fxp0 all
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:1 p *xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> that is OK
>
> now I change second rule to:
> Code:
>
> pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
>
> # because I want to use stateful firewall of course
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:2 b* xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> and that is NOT OK
>
> I don't understand why, but now my connection does not match my rule...
> why? can someone explain it to me?

What is the output of `ipfstat -in`?

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
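
Added example, not part of either poster's message: a short Python sketch that maps the `@group:rule` field of the quoted ipmon lines onto the inbound rules quoted from /etc/ipf.rules. It assumes every rule is in group 0 (no head/group keywords) and that the loaded ruleset matches the file, which is what `ipfstat -in` would confirm; the function names are hypothetical.

```python
import re

# Rules as quoted in the message (second variant, with "flags S keep state").
RULES = """\
pass out quick on fxp0 all
pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
block in log first quick on fxp0 all
"""

# Constructed from the two ipmon lines quoted in the message; elided fields
# are left out. The first line was logged under the earlier rule variant;
# the inbound rule numbering is the same in both variants.
LOG_LINES = [
    "fxp0 @0:1 p xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len",
    "fxp0 @0:2 b xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len",
]

# Result letters documented in ipmon(8).
RESULTS = {"p": "passed", "b": "blocked", "S": "short packet",
           "n": "no rule matched", "L": "log rule"}

MATCH = re.compile(r"@(\d+):(\d+)\s+([A-Za-z])")


def number_rules(text, direction):
    """Number the rules of one direction ("in" or "out") from 1, in file order.

    Assumption: all rules are in group 0 and the file is what is loaded.
    """
    numbered = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if len(fields) > 1 and fields[1] == direction:
            numbered[len(numbered) + 1] = " ".join(fields)
    return numbered


def explain(log_line, rules):
    """Return (group, rule number, result, rule text) for one ipmon line."""
    m = MATCH.search(log_line)
    if m is None:
        return None
    group, number, letter = int(m.group(1)), int(m.group(2)), m.group(3)
    rule = rules.get(number) if group == 0 else None
    return group, number, RESULTS.get(letter, letter), rule


if __name__ == "__main__":
    inbound = number_rules(RULES, "in")
    for line in LOG_LINES:
        print(explain(line, inbound))
```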