From: Ron 'The InSaNe One' Rosson
To: freebsd-stable@freebsd.org
Subject: IPFilter will not allow traceroute anymore
Date: Sat, 27 Jan 2001 07:59:59 -0800
Message-ID: <20010127075959.A83055@lunatic.oneinsane.net>
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.2-STABLE

On 01/23/2001 there was a change made to IPFilter's ip_state.c file. The change for some reason has caused tracerouting to stop working when using the following ruleset:

# Ruleset taken from http://www.obfuscation.org/ipf/ipf-howto.txt
# Section 7.1
pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all

# This allows for AUTH
pass in quick proto tcp from any to any port = 113 flags S/SA keep state

# This allows for FTP
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S/SA keep state

pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags

The earlier version of this file had the same problem as well, but there was a patch available that I have been using. With the changes made to the ip_state.c file this patch no longer applies cleanly. I will attach the patch as an attachment to this email. If I should turn this into a send-pr, just say the word and it will be done.

TIA

P.S. An admin who misses his traceroute ;-)

-- 
------------------------------------------------------------------------------
Ron Rosson                          ... and a UNIX user said ...
The InSaNe One                              rm -rf *
insane@oneinsane.net                and all was /dev/null and *void()
------------------------------------------------------------------------------
It only rains straight down. God doesn't do windows.
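The ruleset above only lets traceroute replies back in if "keep state" on the outbound UDP probe can be tied to the ICMP time-exceeded or unreachable message that an intermediate router sends back, whose outer source address is the router rather than the probe's destination. The following is an added Python illustration of that matching step on constructed packets; it is not IPFilter's code, not the ip_state.c change discussed in the post, and the packet builders, addresses and state-entry shape are assumptions made here.

```python
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_UNREACH, ICMP_TIMXCEED = 3, 11   # ICMP error types traceroute relies on


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def udp_probe(src, sport, dst, dport, ttl):
    """Outbound traceroute-style probe: UDP to a high port with a small TTL."""
    udp = struct.pack("!HHHH", sport, dport, 12, 0) + b"\x00" * 4
    return ipv4_header(src, dst, IPPROTO_UDP, ttl, len(udp)) + udp


def icmp_error(router, dst, icmp_type, quoted_packet):
    """ICMP error from a router, quoting the probe's IP header + 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted_packet[:28]
    return ipv4_header(router, dst, IPPROTO_ICMP, 64, len(icmp)) + icmp


def udp_state_entry(packet):
    """What a 'pass out proto udp ... keep state' rule records for a probe
    (hypothetical shape: src, sport, dst, dport of the outbound packet)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (packet[12:16], sport, packet[16:20], dport)


def icmp_error_matches_state(packet, state):
    """True if an inbound ICMP error belongs to the UDP flow in `state`.
    The outer addresses cannot be used: the sender is an intermediate router.
    Only the quoted inner IP/UDP header identifies the original probe."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return False
    icmp = packet[ihl:]
    if icmp[0] not in (ICMP_UNREACH, ICMP_TIMXCEED):
        return False                      # echo replies etc. are not errors
    inner = icmp[8:]
    if len(inner) < 20 or inner[9] != IPPROTO_UDP:
        return False
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return False                      # quoted transport header truncated
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (inner[12:16], sport, inner[16:20], dport) == state
```

A stateful firewall that matched only on the outer header of the reply would drop every hop's time-exceeded message and traceroute would show nothing but asterisks, which is the symptom reported above.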