From owner-freebsd-bugs Sat Feb 3 12:40:22 2001
Message-Id: <200102032037.f13KbbK02047@portal.megahack.com>
Date: Sat, 3 Feb 2001 14:37:37 -0600 (CST)
From: steve@megahack.com
Reply-To: steve@megahack.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: misc/24833: ipfw check-state broken

>Number:         24833
>Category:       misc
>Synopsis:       after cvsup + rebuild, ipfw "check-state" does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 03 12:40:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Steven Farmer
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
you kidding?
>Environment:
>Description:
After cvsup, make buildworld/buildkernel/installkernel/installworld on 3 Feb 2001, the ipfw "check-state" keyword appears to do nothing.

The relevant lines from my firewall rules file:

    add check-state
    add deny tcp from any to any established
    add pass tcp from 10.0.0.0/8 to any setup keep-state
    add pass udp from 10.0.0.0/8 to any 53,123 keep-state
    add pass icmp from 10.0.0.0/8 to any icmptype 8 keep-state

Now the "deny tcp from any to any established" rule blocks all tcp packets, even those associated with the "keep-state" rules.
>How-To-Repeat:
cvsup and rebuild, use ipfw rules similar to those above.
>Fix:
Temporarily move the "deny tcp from any to any established" rule *after* the "keep-state" rules.
>Release-Note:
>Audit-Trail:
>Unformatted:
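To make the rule-ordering point in the report concrete, here is an added toy model of ipfw's stateful matching (example code, not FreeBSD's ipfw implementation). It assumes packets as dicts, a dynamic table keyed only by protocol and addresses, and that a keep-state rule consults the dynamic table itself when the check-state rule is not honoured, which is the behaviour the reported workaround relies on; the traffic is constructed.

```python
import ipaddress

# Toy model (not FreeBSD code): "established" stands for ipfw's ACK/RST flag test,
# "setup" for a SYN without ACK. Rules mirror the TCP lines of the report above.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DENY_ESTABLISHED = {"action": "deny", "proto": "tcp", "src": "any", "established": True}
PASS_SETUP_KEEP = {"action": "pass", "proto": "tcp", "src": INTERNAL, "setup": True,
                   "keep_state": True}
RULES_AS_REPORTED = [{"action": "check-state"}, DENY_ESTABLISHED, PASS_SETUP_KEEP]
RULES_WORKAROUND = [{"action": "check-state"}, PASS_SETUP_KEEP, DENY_ESTABLISHED]

def src_matches(pkt, rule):
    return rule["src"] == "any" or ipaddress.ip_address(pkt["src"]) in rule["src"]

def evaluate(rules, packets, check_state_works=True):
    """Replay packets in order and return one verdict per packet (default policy: deny).
    check_state_works=False models the reported symptom: the check-state rule is a no-op.
    A keep-state rule still checks the dynamic table before its static match."""
    state = set()  # dynamic entries (proto, src, dst), stored in both directions
    verdicts = []
    for pkt in packets:
        key = (pkt["proto"], pkt["src"], pkt["dst"])
        verdict = "deny"
        for rule in rules:
            if rule["action"] == "check-state":
                if check_state_works and key in state:
                    verdict = "pass"
                    break
                continue
            if rule.get("keep_state") and key in state:
                verdict = rule["action"]  # implicit dynamic check at the keep-state rule
                break
            if rule["proto"] != pkt["proto"] or not src_matches(pkt, rule):
                continue
            if rule.get("established") and not pkt["established"]:
                continue
            if rule.get("setup") and not pkt["setup"]:
                continue
            verdict = rule["action"]
            if rule.get("keep_state") and verdict == "pass":
                state.add(key)
                state.add((pkt["proto"], pkt["dst"], pkt["src"]))
            break
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: internal client opens a session, the server replies,
# then an unrelated host sends an unsolicited ACK-flagged packet inbound.
PACKETS = [
    {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "setup": True, "established": False},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "10.1.2.3", "setup": False, "established": True},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.2.3", "setup": False, "established": True},
]
```

With check-state honoured the reported order gives pass/pass/deny; with it ignored the server's reply is dropped by the deny-established rule (pass/deny/deny), and moving that rule after the keep-state rule restores pass/pass/deny while still dropping the unsolicited packet.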