Date: Thu, 17 Apr 2003 09:20:27 +0200
From: Daniel Lang <dl@leo.org>
To: freebsd-net@freebsd.org
Subject: IPfilter changes?
Message-ID: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de>

Hi folks,

I've noticed some change of behaviour with IPFilter in my 4.8-RC2 system after the upgrade. It seems that a more recent version of ipfilter was imported then, so maybe something may have changed indeed.

I have a pretty tight filter setup, but I make use of keep state rules for outgoing packets. Thus, I have the following rule in my set:

    @2200 pass out quick proto tcp/udp from any to any keep frags keep state

This worked in the past for tcp and also for udp connections, like DNS requests. It still works for TCP, but no longer for DNS. The packets are no longer allowed through.

Maybe it was never intended to work for UDP? Or maybe the state timings have changed?

Of course I can just open UDP to our name server machine. But I was wondering, if the new behaviour is intended or maybe a bug, or my setup ever just worked by chance. ;)

Thanks,
Daniel
--
IRCnet: Mr-Spock - All your .sigs are belong to us -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/