Date: Fri, 8 Apr 2005 18:00:20 GMT
From: Spartak Radchenko <spartak@aif.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Message-ID: <200504081800.j38I0K6p046620@freefall.freebsd.org>
The following reply was made to PR kern/79416; it has been noted by GNATS.

From: Spartak Radchenko <spartak@aif.ru>
To: freebsd-gnats-submit@FreeBSD.org, devteam@donut.ugcs.caltech.edu
Cc:
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Date: Fri, 08 Apr 2005 21:58:19 +0400

The same applies to tcp rules. This ruleset worked OK in 4.8, 4.9, 4.10 (all outbound tcp connections, incoming connections on port 80):

    block in log all
    pass in quick proto tcp from any to any port = 80
    pass out proto tcp from any to any keep state

Yes, I know that such a ruleset is not recommended in the ipfilter how-to, but it worked anyway. And I think that "not recommended" doesn't mean "strictly prohibited". In 4.11 incoming connections to port 80 do not work any more. The ruleset must be modified:

    block in log all
    pass in quick proto tcp from any to any port = 80
    pass out quick proto tcp from any port = 80 to any
    pass out proto tcp from any to any keep state

-- 
Spartak Radchenko
SVR1-RIPE
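Added illustration, not part of this PR follow-up and not FreeBSD or ipfilter code: the Python script below models the ipf rule-evaluation order that both rulesets above depend on. Rules are walked top to bottom, the last matching rule wins, and a matching rule carrying `quick` ends evaluation on the spot. The script feeds a few constructed packets through the 4.10 ruleset and the modified 4.11 ruleset and reports which rule each packet finally lands on and whether that rule would create state. It makes the structural difference visible: with the first ruleset the server's outbound reply from port 80 ends up on the `keep state` rule, while with the second it is passed by the inserted `quick` rule before the state rule is ever reached. It does not model ipfilter's state table or whatever changed in 4.11, so it cannot say why the first ruleset stopped working; it only shows which rule the reply traffic hits in each case. The parser handles just the rule syntax used in the message; the packet values (ports 51234, 443) are constructed.

```python
"""Minimal ipf rule-evaluation simulator (added example; not ipfilter code).

Models only: direction, 'proto', 'from any [port = N] to any [port = N]',
'quick' and 'keep state'. No state table, no address matching, no flags.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rulesets quoted from the PR follow-up.
OLD_RULESET = """block in log all
pass in quick proto tcp from any to any port = 80
pass out proto tcp from any to any keep state"""

NEW_RULESET = """block in log all
pass in quick proto tcp from any to any port = 80
pass out quick proto tcp from any port = 80 to any
pass out proto tcp from any to any keep state"""


@dataclass
class Rule:
    text: str
    action: str            # 'pass' or 'block'
    direction: str         # 'in' or 'out'
    quick: bool
    proto: Optional[str]   # None means any protocol
    sport: Optional[int]   # None means any source port
    dport: Optional[int]   # None means any destination port
    keep_state: bool


@dataclass
class Packet:
    direction: str
    proto: str
    sport: int
    dport: int


def _port_after(toks: List[str], keyword: str) -> Optional[int]:
    """Return N from '<keyword> any port = N', or None if no port clause."""
    if keyword not in toks:
        return None
    i = toks.index(keyword)
    if i + 4 < len(toks) and toks[i + 2] == "port" and toks[i + 3] == "=":
        return int(toks[i + 4])
    return None


def parse_rule(line: str) -> Rule:
    toks = line.split()
    proto = toks[toks.index("proto") + 1] if "proto" in toks else None
    return Rule(
        text=line,
        action=toks[0],
        direction=toks[1],
        quick="quick" in toks,
        proto=proto,
        sport=_port_after(toks, "from"),
        dport=_port_after(toks, "to"),
        keep_state="keep" in toks and "state" in toks,
    )


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipf order: last matching rule wins unless a match is 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def trace(ruleset: str, label: str, pkt: Packet) -> str:
    """One human-readable line describing where a packet lands."""
    r = evaluate(load_rules(ruleset), pkt)
    if r is None:
        return f"{label:36} -> no rule matched"
    state = " (creates state)" if r.keep_state else ""
    return f"{label:36} -> {r.action}{state}: '{r.text}'"


if __name__ == "__main__":
    # Constructed traffic for a web server that also makes client connections.
    samples = [
        ("inbound SYN to our port 80", Packet("in", "tcp", 51234, 80)),
        ("outbound SYN-ACK from our port 80", Packet("out", "tcp", 80, 51234)),
        ("outbound SYN to remote 443", Packet("out", "tcp", 51234, 443)),
        ("inbound SYN to our port 22", Packet("in", "tcp", 51234, 22)),
    ]
    for name, ruleset in (("4.10 ruleset", OLD_RULESET), ("4.11 ruleset", NEW_RULESET)):
        print(f"== {name}")
        for label, pkt in samples:
            print(trace(ruleset, label, pkt))
```

Running the script prints, for each ruleset, the rule every sample packet terminates on. The line to compare is the outbound SYN-ACK from port 80: under the first ruleset it is accepted by `pass out proto tcp from any to any keep state`, under the second by `pass out quick proto tcp from any port = 80 to any`, which carries no `keep state` and, being `quick`, stops evaluation before the state rule.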