Date: Mon, 7 Dec 2009 01:40:04 GMT From: Mark Abene <phiber@phiber.com> To: freebsd-net@FreeBSD.org Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others) Message-ID: <200912070140.nB71e4Kw039201@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/106438; it has been noted by GNATS. From: Mark Abene <phiber@phiber.com> To: bug-followup@FreeBSD.org, mala@hinterbergen.de Cc: Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others) Date: Sun, 06 Dec 2009 20:26:25 -0500 It's been several years since this was first reported, and I can confirm that it's still a problem in FreeBSD 8.0-RELEASE on i386 with an fxp interface. I just wasted nearly two days trying to figure out why our ipfilter rules which have been in use for years on our firewall suddenly locked the machine out when we upgraded from a rather old version of FreeBSD to 8.0-RELEASE. Same exact problem, same exact symptoms. Disabling checksumming on the interface resolved the problem completely, otherwise ipfilter was rather broken. I'm really glad I found this bug report, though not soon enough. This is a rather serious problem. -Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200912070140.nB71e4Kw039201>