From owner-freebsd-net@FreeBSD.ORG  Thu Apr 17 00:20:29 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A582B37B401
	for <freebsd-net@freebsd.org>; Thu, 17 Apr 2003 00:20:29 -0700 (PDT)
Received: from mailout.informatik.tu-muenchen.de
	(mailout.informatik.tu-muenchen.de [131.159.0.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9B30B43FBD
	for <freebsd-net@freebsd.org>; Thu, 17 Apr 2003 00:20:28 -0700 (PDT)
	(envelope-from langd@informatik.tu-muenchen.de)
Received: from mailrelay1.informatik.tu-muenchen.de
	(mailrelay1.informatik.tu-muenchen.de [131.159.254.5])9BA3C622E
	for <freebsd-net@freebsd.org>; Thu, 17 Apr 2003 09:20:27 +0200 (MEST)
Received: from atrbg11.informatik.tu-muenchen.de
	(atrbg11.informatik.tu-muenchen.de [131.159.42.129])8E0B07943
	for <freebsd-net@freebsd.org>; Thu, 17 Apr 2003 09:20:27 +0200 (MEST)
Received: by atrbg11.informatik.tu-muenchen.de (Postfix, from userid 20455)
	id 6437413B5D; Thu, 17 Apr 2003 09:20:27 +0200 (CEST)
Date: Thu, 17 Apr 2003 09:20:27 +0200
From: Daniel Lang <dl@leo.org>
To: freebsd-net@freebsd.org
Message-ID: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Geek: GCS/CC d-- s: a- C++$ UBS++++$ P+++$ L- E-(---) W+++(--) N++ o K w---
	O? M? V? PS+(++) PE--(+) Y+ PGP+ t++ 5+++ X R+(-) tv+ b+ DI++ D++ G++ e+++
	h---(-) r++>+++ y+
User-Agent: Mutt/1.5.1i
Subject: IPfilter changes?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2003 07:20:29 -0000

Hi folks,

I've noticed some change of behaviour with IPFilter
in my 4.8-RC2 system after the upgrade. It seems that
a more recent version of ipfilter was imported then,
so maybe something may have changed indeed. 

I have a pretty tight filter setup, but I make use of keep state
rules for outgoing packets. Thus, I have the following
rule in my set:

@2200 pass out quick proto tcp/udp from any to any keep frags keep state

This worked in the past for tcp and also for udp connections, like
DNS requests. It still works for TCP, but no longer for DNS.
The packets are no longer allowed through.

Maybe it was never intended to work for UDP? Or maybe the state
timings have changed? 

Of course I can just open UDP to our name server machine. 
But I was wondering, if the new behaviour is intended or maybe a bug,
or my setup ever just worked by chance. ;)

Thanks,
 Daniel
-- 
IRCnet: Mr-Spock                    - All your .sigs are belong to us -
 Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/