From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Eugenijus Urbonas
Cc: freebsd-questions@freebsd.org
Date: Mon, 9 Aug 2010 13:53:09 +0100
Subject: Re: ipf filter: problem with "keep state" or "flags S" parameter
Message-ID: <20100809125309.GA82821@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <4C5FF2DF.6090102@inbox.lv>
On Mon, Aug 09, 2010 at 03:21:51PM +0300, Eugenijus Urbonas wrote:
> Hello!
> Some time ago I already had business with ipf and everything was OK (I
> used the manual to create rules); the server worked perfectly.
> Now I'm trying to set up the same server, but with a newer version of
> FreeBSD (8.1-RELEASE), the same manuals, the same settings; everything
> works except the firewall, and there is something strange:
> for example, I have these rules in my /etc/ipf.rules:
>
> Code:
>
> pass out quick on fxp0 all
> pass in log quick on fxp0 proto tcp from any to any port = 80
> block in log first quick on fxp0 all
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:1 p *xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> that is OK
>
> now I change the second rule to:
> Code:
>
> pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
>
> # because I want to use a stateful firewall of course
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:2 b* xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> and that is NOT OK
>
> I don't understand why, but now my connection does not match my rule...
> why? Can someone explain it to me?

What is the output of `ipfstat -in`?

-- 
Anton Shterenlikht
Room 2.6, Queen's Building Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
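As an added example (not part of this thread or of ipfilter itself), a small Python script that parses ipmon lines of the shape quoted above, counts passes and blocks per rule, and lists the blocked port-80 packets that are not pure SYNs, which is what a `flags S` rule leaves for the block rule to catch. The full line layout (timestamp, lengths, `-S`/`-A` flag field, `IN`/`OUT`) and the sample addresses are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample ipmon output (not from the thread); field layout assumed:
# date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags dir
SAMPLE_LOG = """\
09/08/2010 13:40:01.000001 fxp0 @0:1 p 192.0.2.10,51000 -> 198.51.100.5,80 PR tcp len 20 60 -S IN
09/08/2010 13:40:01.000002 fxp0 @0:2 b 192.0.2.11,51001 -> 198.51.100.5,80 PR tcp len 20 52 -A IN
09/08/2010 13:40:01.000003 fxp0 @0:2 b 192.0.2.12,51002 -> 198.51.100.5,80 PR tcp len 20 52 -AP IN
09/08/2010 13:40:01.000004 fxp0 @0:2 b 192.0.2.13,51003 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)$"
)


def parse_ipmon(text):
    """Parse ipmon lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count passed ('p') and blocked ('b') packets per @group:rule."""
    counts = defaultdict(lambda: {"p": 0, "b": 0})
    for r in records:
        counts[f"@{r['group']}:{r['rule']}"][r["action"]] += 1
    return dict(counts)


def blocked_non_syn(records, port):
    """Blocked TCP packets to `port` whose flags are anything other than a bare SYN.

    'flags S' matches only packets with SYN set and ACK clear, so packets of an
    already established connection (for which no state entry exists) fall
    through to the block rule; these are the lines to inspect first."""
    return [
        r for r in records
        if r["action"] == "b" and r["proto"] == "tcp"
        and r["dport"] == port and r["flags"] != "S"
    ]
```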