Date: Tue, 22 Apr 2003 11:34:22 +0200
From: Daniel Lang <dl@leo.org>
To: Martin Stiemerling <Martin.Stiemerling@ccrle.nec.de>
Cc: freebsd-net@freebsd.org
Subject: Re: IPfilter changes?
Message-ID: <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
In-Reply-To: <3EA508EB.5020906@ccrle.nec.de>
References: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de> <3E9E6D34.5020100@ccrle.nec.de> <20030422083532.GB49848@atrbg11.informatik.tu-muenchen.de> <3EA508EB.5020906@ccrle.nec.de>
Hi Martin,

thanks for your quick reply.

Martin Stiemerling wrote on Tue, Apr 22, 2003 at 11:18:35AM +0200:
[..]
> the stuff below looks ok so far, i.e. it should work.
> Perhaps you can check with 'ipfstat -hio' (it shows the hit counts per
> rule) where the initial TCP packet from your host 131.159.72.12 is
> matched against a rule, especially this rule:
>
> pass in quick from 131.159.72.12/32 to any

No, this rule is not hit, but I did not expect it to be. This rule just exists for the case that the host connects to itself but not using the loopback address. The initial packet from my ssh test will of course be an _outgoing_ packet and is therefore not expected to hit an 'in' rule. However, ...

> If this doesn't help try to replace the state rule with this and check
> whether this rule has been hit at all.
>
> pass out quick proto tcp/udp from any to any keep state keep frags

This rule is hit quite often.

> NEW
> pass out quick proto tcp from any to any flags S keep state keep frags

Ok. I will try to change this rule and see if it helps.

YES. If I put this rule in front of the rule above, I immediately get a connection.

What does that mean? The original rule of mine should be more general, i.e. include the situation with the SYN flag set. But it doesn't?

Using this rule is a better workaround than allowing all hosts explicitly, but it still doesn't help me with UDP, I guess.

> IP Filter has neither changed rule processing nor a new keyword.

Thanks. I was going to say "it worked before" and "I did not change anything else", but from my long experience with (l)users, this is _always_ a lie. ;-))

Best regards,
Daniel
-- 
IRCnet: Mr-Spock
 - Truth lies in the eye of the beholder -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
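As an added illustration (not part of the thread, and not Daniel's actual ruleset), here is how the rule change Martin proposed would look in an IPFilter rules file, next to the original state rule it replaces. The UDP rule and the trailing block rule are assumptions added to round out the fragment; the thread itself leaves the UDP question open.

```conf
# Added example, not from the thread: IPFilter rules as they would appear
# in /etc/ipf.rules. Daniel's original rule is kept as a comment for
# comparison; the UDP rule and the final block rule are assumptions.

# Original rule: creates a state entry for whichever TCP or UDP packet
# first matches it, whether or not that packet carries a SYN.
# pass out quick proto tcp/udp from any to any keep state keep frags

# Martin's replacement. "flags S" is shorthand for "flags S/FSRPAU": the
# packet must have SYN set and FIN, RST, PSH, ACK and URG clear, so TCP
# state is only ever created from the connection-opening SYN.
pass out quick proto tcp from any to any flags S keep state keep frags

# UDP has no handshake and no flags to key on, so it needs its own
# stateful rule once tcp/udp is no longer combined (assumed).
pass out quick proto udp from any to any keep state keep frags

# Catch-all so that stray outbound traffic shows up in the hit counts and
# the log rather than silently passing (assumed).
block out log quick all
```

After loading the file (`ipf -Fa -f /etc/ipf.rules` flushes the active set and loads the new one), `ipfstat -hio`, as Martin suggested, prints the per-rule hit counts for the inbound and outbound lists, which is the quickest way to confirm that the ssh SYN is now matching the `flags S` rule and that the UDP rule is the one picking up the remaining traffic.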
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030422093422.GE49848>