Date: Sat, 9 Apr 2005 04:02:39 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: Spartak Radchenko <spartak@aif.ru>, freebsd-bugs@freebsd.org
Cc: bug-followup@freebsd.org
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Message-ID: <20050409010238.GA19719@gothmog.gr>
In-Reply-To: <200504081800.j38I0K6p046620@freefall.freebsd.org>
References: <200504081800.j38I0K6p046620@freefall.freebsd.org>
On 2005-04-08 18:00, Spartak Radchenko <spartak@aif.ru> wrote:
> This ruleset worked OK in 4.8, 4.9, 4.10 (all outbound tcp
> connections, incoming connections on port 80):
>
> block in log all
> pass in quick proto tcp from any to any port = 80
> pass out proto tcp from any to any keep state
>
> Yes, I know that such a ruleset is not recommended in the ipfilter how-to,
> but it worked anyway.

The correct way to do the same thing is:

    block in log all
    pass in quick proto tcp from any to any port = 80 keep state
    pass out proto tcp from any to any keep state

You're missing a "keep state" in the incoming rule.

> And I think that "not recommended" doesn't mean "strictly prohibited".

IMHO, it does mean "not guaranteed to work" though ;-)

> In 4.11 incoming connections to port 80 do not work any more. The
> ruleset must be modified:
>
> block in log all
> pass in quick proto tcp from any to any port = 80
> pass out quick proto tcp from any port = 80 to any
> pass out proto tcp from any to any keep state

This is still wrong.
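As an added illustration (not code from this thread), a small Python checker for the plain ipf syntax used above: it flags `pass in` TCP rules that lack `keep state`, the omission the reply points out, and `pass out` rules that pass traffic on a source port alone without state, which is what the 4.11 workaround ruleset relies on. The parser, the function names and the embedded copy of the ruleset are assumptions and cover only the keywords that appear in these rulesets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(  # hypothetical parser: only the keywords used in the thread
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?:\s+log)?(?:\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"(?:\s+from\s+\S+(?:\s+port\s*=\s*(?P<sport>\d+))?)?"
    r"(?:\s+to\s+\S+(?:\s+port\s*=\s*(?P<dport>\d+))?)?"
    r"(?:\s+all)?(?:\s+(?P<keep>keep state))?\s*$")

@dataclass
class Rule:
    text: str
    action: str
    direction: str
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    keep_state: bool

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(line.strip(), m["action"], m["dir"], m["proto"],
                int(m["sport"]) if m["sport"] else None,
                int(m["dport"]) if m["dport"] else None, m["keep"] is not None)

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def stateless_inbound_tcp(rules: List[Rule]) -> List[Rule]:
    """'pass in' TCP rules without keep state: replies rely on some other out rule."""
    return [r for r in rules if r.action == "pass" and r.direction == "in"
            and r.proto == "tcp" and not r.keep_state]

def stateless_reply_holes(rules: List[Rule]) -> List[Rule]:
    """'pass out' rules keyed on a source port only: any packet claiming it gets out."""
    return [r for r in rules if r.action == "pass" and r.direction == "out"
            and r.sport is not None and not r.keep_state]

def suggest_fix(rule: Rule) -> str:
    """Append 'keep state' to a stateless rule, as the reply recommends."""
    return rule.text if rule.keep_state else rule.text + " keep state"

ORIGINAL_RULESET = """block in log all
pass in quick proto tcp from any to any port = 80
pass out proto tcp from any to any keep state"""  # constructed copy of the poster's ruleset
```

Running `stateless_inbound_tcp(parse_ruleset(ORIGINAL_RULESET))` reports the port 80 rule, and `suggest_fix` on it yields exactly the corrected incoming rule from the reply.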