Date: Thu, 14 Mar 2002 12:24:55 -0500 From: "Dan Langille" <dan@langille.org> To: Chris Johnson <cjohnson@palomine.net> Cc: freebsd-stable@FreeBSD.ORG Subject: Re: ipfilter keep state broken? Message-ID: <20020314172455.BF85B3F0E@bast.unixathome.org> In-Reply-To: <20020314121547.A43195@palomine.net> References: <20020314164723.4E1543F0E@bast.unixathome.org>; from dan@langille.org on Thu, Mar 14, 2002 at 11:47:21AM -0500
next in thread | previous in thread | raw e-mail | index | archive | help
On 14 Mar 2002 at 12:15, Chris Johnson wrote: > On Thu, Mar 14, 2002 at 11:47:21AM -0500, Dan Langille wrote: > > I upgraded my webserver on March 9 from the post 4.5-RELASE stable. Today > > I've been noticing very unusal access issues on the box. For example, I > > could not get to my webserver from one remote box using https. I had to > > change my rules before it would work: > > > > Here is the after and before. I had to replace the keep state with two > > rules (a.c.b.d is the IP address in question): > > > > < pass in quick proto tcp from a.b.c.d/32 to any port = https > > < pass out quick proto tcp from any to a.b.c.d/32 port = https > > --- > > > pass in quick proto tcp from a.b.c.d/32 to any port = https flags S keep state > > Is this a typo? If this is your web server running on a.b.c.d, don't you want: > > pass in quick proto tcp from any to a.b.c.d port = https flags S keep state No, not a typo. That a.b.c.d is the client. https access is tightly restricted. -- Dan Langille The FreeBSD Diary - http://freebsddiary.org/ - practical examples To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020314172455.BF85B3F0E>