Date: Thu, 3 Apr 2008 16:39:54 +0200 (CEST) From: Erik Norgaard <norgaard@math.ku.dk> To: questions@freebsd.org Subject: Re: packet filter does not keep state Message-ID: <alpine.LSU.1.00.0804031632020.13782@shannon.math.ku.dk> In-Reply-To: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk> References: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
I have investigated further:
The state table adds this entry:
all tcp 192.168.0.254:80 <- 172.17.1.254:50186
CLOSED:SYN_SENT
Which I suppose reflect the fact that the packet is blocked - I
don't know how to capture the state table after the packet is
passed on the way in, but before it is blocked on the way out.
Regarding the bad header, it is interesting, that the header is
fine on the way in! I had "scrub in all" which I changed to "scrub
all", but no difference.
Have I found a bug? I'm running
FreeBSD 7.0-STABLE #0: Fri Feb 29 19:44:34 CET 2008 - custom
kernel
As for NAT, there should be no problem, NAT is not applied since I
am connecting between directly connected local networks. I have no
problem accessing the Internet where NAT is applied btw (packets
are passed by different rules on the way in, and NAT is applied
after the out-rules above anyway). Anyway, FYI: This is my NAT
rule:
nat on $srv_if from $wlan_net to !<local_net> -> $srv_if
Regarding the "quick" Vinicius: There is no point in removing that
rule: First, as you see the pass in rules also have "quick" and
take effect before as the log shows.
On the out rules: Since I have keep state in the "in" rule a
state should be created by the in rule it should not be filtered
by any out rules. Yet this does not happen.
As I mention in the OP I can add a rule for out, but this is not
how it's supposed to work.
Thanks, Erik
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.LSU.1.00.0804031632020.13782>