Date: Tue, 05 Mar 2019 19:26:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 236292] sbin/ipfw doesn't allow returning packets with limit-source address
Message-ID: <bug-236292-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236292

            Bug ID: 236292
           Summary: sbin/ipfw doesn't allow returning packets with
                    limit-source address
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: driesm.michiels@gmail.com

Hi,

After upgrading from source from r343710 to r344737 the behavior of
limit-source address changed.

I have rules like this (which skip to after my IPv4 NAT rule, where an
accept-all rule is):

    skipto 10000 ip4 from any to me 443 in recv em0 proto tcp limit src-addr 10

Although after my upgrade, these packets don't get allowed out. When I
change the rule to the one below, it works just fine.

    skipto 10000 ip4 from any to me 443 in recv em0 proto tcp keep-state

I see the dynamic rule getting installed with LIMIT:

    [/usr/src]$ sudo ipfw show -d |grep LIMIT
    00000 2 120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
    00000 3 180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
    00000 3 180 (296s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default

Although I see the returning packets getting denied:

    Mar 5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
    Mar 5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
    Mar 5 20:23:19 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
    Mar 5 20:23:22 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0

Can somebody help me out with this? Did the behavior of limit source
address change?

-- 
You are receiving this mail because:
You are the assignee for the bug.
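The diagnosis in the report above rests on correlating two things by hand: the dynamic states that `ipfw show -d` lists, and the kernel log lines showing the reply packets of those same flows being denied by the final rule. The script below, added here as an illustration and not part of the bug report or of FreeBSD, automates that correlation so an operator can spot "state exists but reply denied" as soon as it starts happening after an upgrade. The dynamic-state and log lines it parses are constructed samples modelled on the formats quoted in the report (the third log line, for 203.0.113.9, is an invented flow with no state, included to show that unrelated denies are not flagged); the field layout of the regexes is an assumption drawn from those quoted lines, not from ipfw's source.

```python
"""Correlate ipfw dynamic states with kernel deny log lines.

Flags deny log entries whose flow already has a dynamic (keep-state /
limit) entry in `ipfw show -d` output: the symptom described in the bug
report, where the returning packets of a LIMIT state fall through to the
final deny rule instead of being matched by the state.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# A flow is identified by protocol plus the unordered pair of endpoints,
# so the reply direction maps onto the same key as the forward state.
FlowKey = Tuple[str, FrozenSet[Tuple[str, int]]]

# One line of `ipfw show -d` dynamic-state output (layout assumed from the
# lines quoted in the report):
#   rule pkts bytes (expire) TYPE proto src sport <-> dst dport :name
DYN_RE = re.compile(
    r"^\d+\s+\d+\s+\d+\s+\(\d+s\)\s+(?P<kind>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

# An ipfw log line as it appears in the kernel log (layout assumed from the
# report): "ipfw: <rule> <Action> <PROTO> src:sport dst:dport in|out via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample input, modelled on the output quoted in the report.
DYN_STATES = """\
00000 2 120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000 3 180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
"""

KERNEL_LOG = """\
Mar 5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:30 vados kernel: ipfw: 9999 Deny TCP 203.0.113.9:25 109.140.18.212:5555 out via em0
"""


def flow_key(proto: str, a: str, ap: str, b: str, bp: str) -> FlowKey:
    """Direction-agnostic key: protocol (lower-cased) plus the endpoint set."""
    return (proto.lower(), frozenset({(a, int(ap)), (b, int(bp))}))


def parse_dynamic_states(text: str) -> Dict[FlowKey, str]:
    """Map each dynamic-state flow to its state type (LIMIT, STATE, ...)."""
    states: Dict[FlowKey, str] = {}
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            key = flow_key(m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
            states[key] = m["kind"]
    return states


def find_denied_stateful_flows(states_text: str, log_text: str) -> List[dict]:
    """Return the deny log entries whose flow has a matching dynamic state.

    Any hit means a packet belonging to an established state reached a deny
    rule, which is what should never happen with a working keep-state/limit
    rule and is exactly the failure the report describes.
    """
    states = parse_dynamic_states(states_text)
    hits: List[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"].lower() != "deny":
            continue
        key = flow_key(m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        if key in states:
            hits.append({
                "rule": int(m["rule"]),
                "state": states[key],
                "flow": f'{m["src"]}:{m["sport"]} -> {m["dst"]}:{m["dport"]} '
                        f'{m["dir"]} via {m["iface"]}',
            })
    return hits


if __name__ == "__main__":
    for hit in find_denied_stateful_flows(DYN_STATES, KERNEL_LOG):
        print(f'rule {hit["rule"]} denied {hit["flow"]} '
              f'despite {hit["state"]} state')
```

On a live host the two inputs would be the output of `ipfw show -d` and the ipfw lines from the kernel log, captured at roughly the same time so a state that has already expired is not counted as a missing match.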