From owner-freebsd-questions Mon Apr 30 2:23:27 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from web14105.mail.yahoo.com (web14105.mail.yahoo.com [216.136.172.135])
	by hub.freebsd.org (Postfix) with SMTP id 461EF37B424
	for ; Mon, 30 Apr 2001 02:23:22 -0700 (PDT)
	(envelope-from cguttesen@yahoo.dk)
Message-ID: <20010430092322.73754.qmail@web14105.mail.yahoo.com>
Received: from [144.193.50.217] by web14105.mail.yahoo.com; Mon, 30 Apr 2001 11:23:22 CEST
Date: Mon, 30 Apr 2001 11:23:22 +0200 (CEST)
From: Claus Guttesen
Subject: ipfilter and sync/sync-acknowledge doesn't seem to work
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi.

I've set up ipfilter, and got it working OK. The syntax is pretty
straightforward. But I'm having problems with the flags S/SA on inbound
rules. I took the example shown on http://www.openbsd.org/faq/faq6.html#6.2
and used that as a template. Ipfilter starts without problems, but I can't
get a connection up and running with the flags enabled.

/etc/ipf.rules contains these rules (not all rules shown, ssh source
ip-range changed):

  # only allow our machines to connect via ssh
  pass in quick on fxp0 proto tcp from a.b.c.d/26 to any port = 22

  # allow others to use http and https
  pass in quick on fxp0 proto tcp from any to any port = 80
  pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA

  # finally lock the rest down with a default deny
  block in quick on fxp0 from any to any

  # and let out-going traffic out and maintain state on established
  # connections to cover all three protocols (tcp, udp, icmp).
  pass out quick on fxp0 proto tcp from any to any keep state
  pass out quick on fxp0 proto udp from any to any keep state
  pass out quick on fxp0 proto icmp from any to any keep state

The thing is that when S/SA is enabled on http and ssh, I don't get
through. When the S/SA flags are removed and I restart ipfilter with
'ipf -Fa -f /etc/ipf.rules' it works.

The documentation on openbsd.org states that the last rule wins, unless
the quick option is used. It also says that the flags S/SA can be used to
initiate a connection, and then the state comes in (established
connections).

I may be missing something. I'm running FreeBSD 4.3-STABLE on a Compaq
Armada M700.

regards
Claus Guttesen
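The inbound rules in the post carry `flags S/SA` without `keep state`, so only the client's SYN can match them; the ACK that completes the handshake and the request that follows both carry ACK and fall through to the `block in quick` rule. The OpenBSD FAQ recipe the post borrows from puts `flags S/SA keep state` on the same rule: the SYN creates a state entry, and the rest of the connection is admitted from the state table before the rules are consulted at all. The Python below is an added example written for this page, not IPFilter code and not from the original post. It is a toy model of that evaluation (first `quick` match wins, otherwise last match; `flags S/SA` compares the packet's flags under a mask; `keep state` feeds a state table), run over a constructed HTTP handshake against the rules as posted, the same rules with `keep state`, and a variant with no flags at all. It models only `proto tcp`, treats a packet matching no rule as passed (ipf's default), and, as a deliberate simplification, creates state only when a `keep state` rule passes a bare SYN; real IPFilter can also create state from other packets a `keep state` rule matches, which is one reason the FAQ pins `flags S` on the rule that keeps state. The addresses (198.51.100.0/26 standing in for the post's a.b.c.d/26, 192.0.2.1 as the fxp0 host, 203.0.113.9 as a client) are constructed.

```python
"""Toy model of IPFilter TCP rule evaluation: first `quick` match wins (else last
match), `flags S/SA` compares the packet's flags under a mask, `keep state` admits
the rest of a connection from the state table.  Added example, not IPFilter source.
Assumptions: only proto tcp is modelled; state is created only when a `keep state`
rule passes a bare SYN (SYN set, ACK clear); a packet matching no rule passes."""
import ipaddress
from collections import namedtuple

ALL_FLAGS = set("FSRPAU")    # ipf flag letters: FIN SYN RST PSH ACK URG
Packet = namedtuple("Packet", "direction src sport dst dport flags")  # flags e.g. "S", "SA", "PA"
Rule = namedtuple("Rule", "text action direction quick keep_state src dst dport flags")

def _net(tok):
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse the subset of ipf.rules syntax the post uses ('on' and 'proto' are ignored)."""
    t = line.split()
    def after(kw, n=1):                  # token n places after keyword kw, or None
        return t[t.index(kw) + n] if kw in t else None
    src, dst, port, flags = after("from"), after("to"), after("port", 2), after("flags")
    if flags:                            # "S/SA": S must be set, A clear, others ignored
        want, _, mask = flags.partition("/")
        flags = (set(want), set(mask) if mask else ALL_FLAGS)
    return Rule(line.strip(), t[0], t[1], "quick" in t, "keep" in t,
                _net(src), _net(dst), int(port) if port else None, flags)

def rule_matches(r, p):
    if r.direction != p.direction:
        return False
    if r.src is not None and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst is not None and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.flags is not None:              # ipf: (th_flags & mask) == want
        want, mask = r.flags
        return (set(p.flags) & mask) == want
    return True

class Firewall:
    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.state = set()               # one key per tracked connection

    @staticmethod
    def _key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-neutral

    def check(self, p):
        """Return (verdict, reason); the state table is consulted before the rules."""
        if self._key(p) in self.state:
            return "pass", "state"
        matched = None
        for r in self.rules:
            if rule_matches(r, p):
                matched = r              # last match wins ...
                if r.quick:
                    break                # ... unless the rule says quick
        if matched is None:
            return "pass", "default"
        if matched.action == "pass" and matched.keep_state and "S" in p.flags and "A" not in p.flags:
            self.state.add(self._key(p))  # assumption: state only from a bare SYN
        return matched.action, matched.text

def verdicts(rules_text, flow):
    fw = Firewall(rules_text)
    return [fw.check(p)[0] for p in flow]

CLIENT, SERVER = "203.0.113.9", "192.0.2.1"   # constructed; SERVER is the fxp0 host
AS_POSTED = """
pass in quick on fxp0 proto tcp from 198.51.100.0/26 to any port = 22 flags S/SA
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA
pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA
block in quick on fxp0 from any to any
pass out quick on fxp0 proto tcp from any to any keep state
"""
WITH_STATE = AS_POSTED.replace("flags S/SA", "flags S/SA keep state")  # the FAQ recipe
NO_FLAGS = AS_POSTED.replace(" flags S/SA", "")  # admits any packet to the port, not just SYNs

def http_handshake():                    # constructed client -> server HTTP connection
    return [Packet("in", CLIENT, 40000, SERVER, 80, "S"),
            Packet("out", SERVER, 80, CLIENT, 40000, "SA"),
            Packet("in", CLIENT, 40000, SERVER, 80, "A"),
            Packet("in", CLIENT, 40000, SERVER, 80, "PA"),    # the GET request
            Packet("out", SERVER, 80, CLIENT, 40000, "PA")]   # the response
STRAY_ACK = [Packet("in", CLIENT, 40001, SERVER, 80, "A")]   # no SYN ever seen

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("with keep state", WITH_STATE)]:
        print(f"{name:16} handshake: {verdicts(rules, http_handshake())}")
    print(f"stray ACK, no flags: {verdicts(NO_FLAGS, STRAY_ACK)}  "
          f"with S/SA: {verdicts(WITH_STATE, STRAY_ACK)}")
```

Running it shows the handshake passing only its first packet under the posted rules and passing whole once the inbound rule also keeps state. The stray-ACK comparison is what `flags S/SA` buys: a plain `pass in ... port = 80` rule admits a bare ACK that opened no connection, while `flags S/SA` sends it to the default deny.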