Date: Sat, 3 Feb 2001 14:37:37 -0600 (CST)
From: steve@megahack.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: misc/24833: ipfw check-state broken
Message-ID: <200102032037.f13KbbK02047@portal.megahack.com>

>Number:         24833
>Category:       misc
>Synopsis:       after cvsup + rebuild, ipfw "check-state" does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 03 12:40:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Steven Farmer
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
you kidding?
>Environment:
>Description:
After cvsup, make buildworld/buildkernel/installkernel/installworld
on 3 Feb 2001, ipfw "check-state" keyword appears to do nothing.

The relevant lines from my firewall rules file:

    add check-state
    add deny tcp from any to any established
    add pass tcp from 10.0.0.0/8 to any setup keep-state
    add pass udp from 10.0.0.0/8 to any 53,123 keep-state
    add pass icmp from 10.0.0.0/8 to any icmptype 8 keep-state

Now the "deny tcp from any to any established" rule blocks all tcp
packets, even those associated with the "keep-state" rules.
>How-To-Repeat:
cvsup and rebuild, use ipfw rules similar to those above.
>Fix:
Temporarily move the "deny tcp from any to any established rule"
*after* the "keep-state" rules.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
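
The rule-ordering problem in the report above, as an added example that is not part of the original message and is not FreeBSD's ipfw code: a simplified Python model of first-match evaluation in which the state table is consulted at the first check-state or keep-state rule, as ipfw(8) documents. It covers only the TCP rules; the tuple layout, the check_state_works switch, the default-deny fallthrough and the sample addresses are assumptions made for the example.

```python
# Simplified model of ipfw first-match evaluation with dynamic rules.
# Constructed for illustration; not FreeBSD's ipfw code. TCP rules only.

def flow_key(p):
    # A dynamic rule covers both directions, so order the endpoints canonically.
    return ("tcp",) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def static_match(kind, p):
    if kind == "deny-established":          # "established": ACK or RST set
        return bool(p["flags"] & {"ACK", "RST"})
    if kind == "pass-setup":                # "setup" from 10.0.0.0/8: SYN without ACK
        return p["src"].startswith("10.") and "SYN" in p["flags"] and "ACK" not in p["flags"]
    return False                            # check-state has no static part

def evaluate(rules, p, state, check_state_works=True):
    checked = False
    for kind, action, keep_state in rules:
        probes = keep_state or (kind == "check-state" and check_state_works)
        if probes and not checked:          # state table is consulted once per packet
            checked = True
            if flow_key(p) in state:
                return state[flow_key(p)]   # action of the rule that created the state
        if static_match(kind, p):
            if keep_state:
                state[flow_key(p)] = action
            return action
    return "deny"                           # assumption: default-deny at end of ruleset

REPORTED = [("check-state", None, False),
            ("deny-established", "deny", False),
            ("pass-setup", "pass", True)]
WORKAROUND = [REPORTED[0], REPORTED[2], REPORTED[1]]

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed handshake: inside client 10.1.2.3 to outside server 192.0.2.10:80.
HANDSHAKE = [pkt("10.1.2.3", 40000, "192.0.2.10", 80, "SYN"),
             pkt("192.0.2.10", 80, "10.1.2.3", 40000, "SYN", "ACK"),
             pkt("10.1.2.3", 40000, "192.0.2.10", 80, "ACK")]

def run(rules, check_state_works):
    state = {}
    return [evaluate(rules, p, state, check_state_works) for p in HANDSHAKE]

if __name__ == "__main__":
    print("reported order, check-state working:", run(REPORTED, True))
    print("reported order, check-state no-op:  ", run(REPORTED, False))
    print("workaround order, check-state no-op:", run(WORKAROUND, False))
```

With check-state modelled as a no-op, the reported order drops the SYN+ACK and ACK of a tracked flow, while the workaround order passes them because the keep-state rule itself triggers the state lookup before the deny rule is reached.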