From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 7 09:20:14 2006
Date: Thu, 7 Dec 2006 09:20:12 GMT
Message-Id: <200612070920.kB79KCqT022602@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Remko Lodder
Reply-To: Remko Lodder
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
List-Id: Bug reports

The following reply was made to PR kern/106438; it has been noted by GNATS.
From: Remko Lodder
To: Manuel Schiller
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 10:16:19 +0100

Hello,

> My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
>
> pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
> pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
> block out quick on hme3
>
> block in quick on hme3
>
> On the old machine (a Pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
>
> dig @192.168.x.y www.freebsd.org
>
> would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
>
> I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using

First of all, thanks for using FreeBSD!

If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked, and you can review that rule with ipfstat -hion (list everything in and out, do not resolve names, and show the number of hits on each rule).

Thanks in advance

-- 
Kind regards,
Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org
/* Quis custodiet ipsos custodes */
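The advice above is to read ipmon's log, note the @group:rule number of the blocking entry and match it against the loaded rule set. The script below is an added example that is not part of the PR or of ipfilter; it automates exactly that check for the rule set quoted in the PR. The log lines are constructed, and their layout (date, time, interface, @group:rule, action letter, src,port -> dst,port, PR proto, lengths, IN/OUT) is my recollection of ipmon's text format, so treat it as an assumption and adjust the regular expression if your ipmon output differs. ipfilter numbers rules per direction starting at 1 (the numbers ipfstat -ion shows), which is what the lookup relies on. The script flags a blocked inbound packet whose addresses and ports are the mirror image of a previously passed outbound packet, which is the symptom reported in the PR: a reply that keep state should have admitted.

```python
import re
from typing import Dict, List, Optional

# The rule set quoted in the PR (192.168.x.x left exactly as the reporter wrote it).
RULESET = """
pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
block out quick on hme3
block in quick on hme3
"""

# Constructed sample ipmon output (format assumed, see lead-in): a DNS query
# passed out by rule 2, then its reply blocked in by inbound rule 1.
SAMPLE_LOG = """
07/12/2006 10:16:19.000001 hme3 @0:2 p 192.168.1.10,49152 -> 192.168.1.1,53 PR udp len 20 60 K-S OUT
07/12/2006 10:16:19.000120 hme3 @0:1 b 192.168.1.1,53 -> 192.168.1.10,49152 PR udp len 20 120 IN
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+\S+)*?\s+(?P<dir>IN|OUT)\s*$"
)


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Split an ipf.rules file into per-direction lists.

    ipfilter numbers rules per direction from 1, so list index + 1 is the
    rule number that ipmon prints as @0:N for group 0.
    """
    rules: Dict[str, List[str]] = {"IN": [], "OUT": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction = line.split()[1].upper()  # 'in' or 'out' is the second word
        rules[direction].append(line)
    return rules


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one ipmon line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    e["sport"] = int(e["sport"]) if e["sport"] else None
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def blocked_replies(rules: Dict[str, List[str]], log_text: str) -> List[dict]:
    """Resolve every blocked entry to its rule text and mark those that are
    replies to a flow an earlier passed outbound packet opened."""
    entries = [e for e in map(parse_log_line, log_text.splitlines()) if e]
    # Flows opened outbound, stored reversed so an inbound reply matches directly.
    passed_out = {
        (e["dst"], e["dport"], e["src"], e["sport"], e["proto"])
        for e in entries if e["action"] == "p" and e["dir"] == "OUT"
    }
    findings = []
    for e in entries:
        if e["action"] != "b":
            continue
        dir_rules = rules.get(e["dir"], [])
        rule_text = (dir_rules[e["rule"] - 1]
                     if 0 < e["rule"] <= len(dir_rules) else "<rule not in loaded set>")
        key = (e["src"], e["sport"], e["dst"], e["dport"], e["proto"])
        findings.append({
            "time": e["time"], "dir": e["dir"], "rule_no": e["rule"],
            "rule": rule_text, "reply_to_passed_flow": key in passed_out,
        })
    return findings


if __name__ == "__main__":
    for f in blocked_replies(parse_rules(RULESET), SAMPLE_LOG):
        tag = "REPLY TO PASSED FLOW" if f["reply_to_passed_flow"] else "unsolicited"
        print(f'{f["time"]} {f["dir"]} blocked by rule {f["rule_no"]}: {f["rule"]} [{tag}]')
```

Run it against the output of `ipmon -n` saved to a file and the rule set actually loaded (ipfstat -ion is the authoritative numbering, so use that listing rather than the file on disk if the two could differ). A finding tagged as a reply to a passed flow points at the state table rather than at the rule set: the rule is doing what it says, and the question becomes why the state entry did not match the returning packet.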