From: Daniel Lang <langd@informatik.tu-muenchen.de>
To: Martin Stiemerling
cc: freebsd-net@freebsd.org
Date: Tue, 22 Apr 2003 11:34:22 +0200
Message-ID: <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
In-Reply-To: <3EA508EB.5020906@ccrle.nec.de>
Subject: Re: IPfilter changes?
Hi Martin,

thanks for your quick reply,

Martin Stiemerling wrote on Tue, Apr 22, 2003 at 11:18:35AM +0200:
[..]
> the stuff below looks ok so far, i.e. it should work.
> Perhaps you can check with 'ipfstat -hio' (it shows the hit counts per
> rule) where the initial TCP packet from your host 131.159.72.12 is
> matched against a rule, especially this rule:
>
> pass in quick from 131.159.72.12/32 to any

No, this rule is not hit, but I did not expect it. This rule just
exists if the host connects to itself but not using the loopback
address. The initial packet from my ssh test will of course be an
_outgoing_ packet and therefore is not expected to hit an 'in' rule.

However, ...

> If this doesn't help try to replace the state rule with this and check
> whether this rule has been hit at all.
>
> pass out quick proto tcp/udp from any to any keep state keep frags

This rule is hit quite often.

> NEW
> pass out quick proto tcp from any to any flags S keep state keep frags

Ok. I will try to change this rule and see if it helps.

YES. If I put this rule in front of the rule above, I immediately get
a connection.

What does that mean? The original rule of mine should be more general,
i.e. include the situation with the SYN flag set. But it doesn't?

Using this rule is a better workaround than to allow all hosts
explicitly, but it still doesn't help me with UDP I guess.

> IP Filter has neither changed rule processing nor a new keyword.

Thanks. I was going to say "it worked before" and "I did not change
anything else", but from my long experience with (l)users, this is
_always_ a lie. ;-))

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock - Truth lies in the eye of the beholder -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
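The rule ordering the exchange above ends up with, written out as an added ipf.conf fragment so the "in front of" relationship is explicit. This is not code from the original message or from the IPFilter project; the three rules and the host address 131.159.72.12 are the ones quoted in the thread, the relative order of the two 'pass out' rules is taken from Daniel's statement that the SYN-flag rule must come first, and the comments are added here.

```conf
# Added example: ipf.conf fragment assembled from the rules quoted in
# the thread. IPFilter evaluates rules in order; 'quick' stops the
# search at the first matching rule.

# Rule the thread discusses first. It only applies when the host talks
# to itself without using the loopback address; the outgoing ssh test
# packet does not hit it, as expected for an 'in' rule.
pass in quick from 131.159.72.12/32 to any

# Martin's "NEW" rule: create state only for the TCP packet that opens a
# connection (SYN flag set). Placing it BEFORE the general state rule
# below is what made the ssh connection succeed in the thread.
pass out quick proto tcp from any to any flags S keep state keep frags

# Daniel's original, more general state rule (reported as "hit quite
# often"). With the SYN-only rule in front of it, TCP SYNs no longer
# reach it; UDP and non-SYN TCP packets still match here, which is why
# the thread notes the workaround does not help with UDP.
pass out quick proto tcp/udp from any to any keep state keep frags

# To see which rule a packet actually matched, use the per-rule hit
# counters for in/out rules mentioned in the thread:
#   ipfstat -hio
```

The fragment is meant for comparing hit counts before and after the reordering: load it, repeat the ssh test, and check with 'ipfstat -hio' whether the counter on the SYN-flag rule increments instead of the one on the general rule.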