From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 7 11:00:50 2006
Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 78DA516A415 for ; Thu, 7 Dec 2006 11:00:50 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id C913343CEF for ; Thu, 7 Dec 2006 10:59:49 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB7B0S0Y032984 for ; Thu, 7 Dec 2006 11:00:28 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB7B0SkO032983; Thu, 7 Dec 2006 11:00:28 GMT (envelope-from gnats)
Date: Thu, 7 Dec 2006 11:00:28 GMT
Message-Id: <200612071100.kB7B0SkO032983@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Manuel Tobias Schiller
Cc:
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Manuel Tobias Schiller
List-Id: Bug reports
X-List-Received-Date: Thu, 07 Dec 2006 11:00:50 -0000

The following reply was made to PR kern/106438; it has been noted by GNATS.

From: Manuel Tobias Schiller
To: Remko Lodder
Cc:
Subject: Re: kern/106438: ipfilter: keep state does not seem to allow replies in on spar64 (and maybe others)
Date: Thu, 7 Dec 2006 11:51:26 +0100

Hello,

thanks for the quick reply.
On Thu, Dec 07, 2006 at 10:16:19AM +0100, Remko Lodder wrote:
> Hello,
>
> > My ipf.rules has the following lines for the outgoing network interface (I stripped things down to make sure I understand what's happening):
> >
> > pass out quick on hme3 proto tcp from 192.168.x.x to any port = domain flags S keep state
> > pass out quick on hme3 proto udp from 192.168.x.x to any port = domain keep state
> > block out quick on hme3
> >
> > block in quick on hme3
> >
> > On the old machine (a pentium box) running FreeBSD 5.5, this would allow out DNS queries, e.g.
> >
> > dig @192.168.x.y www.freebsd.org
> >
> > would work as expected. Now, I can use tcpdump -ni hme3 to look at the packets going out, and I can see the replies coming back, but the replies get blocked by the block rule for the inbound section. Strangely enough, ipfstat -t lists the udp connection, so I assume that the kernel intends to let the replies pass, but somehow it does not seem to do so.
> >
> > I tested things by cvsupping to RELENG6_1 and later STABLE during this week, recompiled things using
> >
> First of all thanks for using FreeBSD!

Thanks for making a fine OS which has not let me down for quite some time. (Had the old machine's hardware not died, I would still be perfectly happy with it ;) In fact, using FreeBSD makes it much less of a pain to set up a decent server/router/firewall than most other OSs that I've seen (if you prefer to know what happens on your machine - if you don't care, most Linux distros are probably ok as well ;).

> If you run ipmon, what kind of details do you see in the log? It mentions where it is blocked and you
> can review that rule with ipfstat -hion (list everything in out, do not resolve and show the amount
> of hits on the rule)

I'll do that tonight and let you know what happens. (I've had a look at the output of ipfstat, but I don't remember what ipmon logs right now.)

However, from what I remember, the ipfstat shows that the pass rule for udp domain packets triggers and packets out pass; on the way in, the block rule in the inbound section triggers and blocks the replies. I only have the three rules I mentioned above on the interface in question.

> Thanks in advance

What for? I have asked for help. ;) So thanks for providing a start.

> --
> Kind regards,
>
> Remko Lodder ** remko@elvandar.org
> FreeBSD ** remko@FreeBSD.org
>
> /* Quis custodiet ipsos custodes */

Kind regards,

Manuel Schiller

--
Homepage: http://www.hinterbergen.de/mala
OpenPGP: 0xA330353E (DSA) or 0xD87D188C (RSA)
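As an added illustration (not code from the PR, from its participants, or from FreeBSD's ipfilter), the following Python model shows what the four rules quoted above are meant to do and what the reported symptom looks like in terms of rule hit counts. It consults a state table before the rule list, as ipfilter does: an outbound packet matching a `pass ... keep state` rule records its 5-tuple, and the reply (same tuple with source and destination swapped) is accepted from state without reaching `block in quick on hme3`. With `keep state` removed, the reply falls through to the inbound block rule and that rule's hit counter rises, which is the pattern the `ipfstat -hio` output described above would show. The addresses `192.168.1.2`/`192.168.1.1` and the ephemeral port are constructed placeholders for the masked `192.168.x.x`, and only the subset of `ipf.rules` syntax used by these rules is parsed.

```python
"""Toy model of ipfilter-style 'keep state' matching (added example, not ipfilter code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DOMAIN_PORT = 53  # 'port = domain' in ipf.rules resolves to 53 via /etc/services


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag set (what 'flags S' tests)


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str = "any"
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags_s: bool = False  # 'flags S': only match the initial SYN
    keep_state: bool = False


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.rules syntax that the four rules in the PR use."""
    tok = text.split()
    r = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":                       # the model treats every rule as 'quick'
            i += 1
        elif t == "on":
            r.iface = tok[i + 1]; i += 2
        elif t == "proto":
            r.proto = tok[i + 1]; i += 2
        elif t == "from":
            r.src = tok[i + 1]; i += 2
        elif t == "to":
            r.dst = tok[i + 1]; i += 2
        elif t == "port" and tok[i + 1] == "=":
            name = tok[i + 2]
            r.dport = DOMAIN_PORT if name == "domain" else int(name)
            i += 3
        elif t == "flags":
            r.flags_s = tok[i + 1] == "S"; i += 2
        elif t == "keep" and tok[i + 1] == "state":
            r.keep_state = True; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text}")
    return r


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in ("any", p.iface)
            and r.proto in (None, p.proto)
            and r.src in ("any", p.src)
            and r.dst in ("any", p.dst)
            and r.dport in (None, p.dport)
            and (not r.flags_s or p.syn))


FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


class Firewall:
    def __init__(self, rules: List[str]):
        self.rules = [parse_rule(r) for r in rules]
        self.state: Set[FlowKey] = set()                         # what 'ipfstat -t' lists
        self.hits: Dict[int, int] = {i: 0 for i in range(len(self.rules))}  # 'ipfstat -hio'

    def filter(self, p: Packet) -> str:
        key: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State table is checked first: a reply to a kept flow never reaches the rules.
        if key in self.state or reverse in self.state:
            return "pass (state)"
        for i, r in enumerate(self.rules):
            if rule_matches(r, p):
                self.hits[i] += 1
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)
                return r.action
        return "pass (no match)"  # ipfilter's default when nothing matches


# Constructed stand-ins for the PR's masked 192.168.x.x rules.
RULES = [
    "pass out quick on hme3 proto tcp from 192.168.1.2 to any port = domain flags S keep state",
    "pass out quick on hme3 proto udp from 192.168.1.2 to any port = domain keep state",
    "block out quick on hme3",
    "block in quick on hme3",
]


def dns_query_scenario(keep_state: bool = True):
    """UDP DNS query out on hme3, then its reply back in.

    Returns (query verdict, reply verdict, per-rule hit counts). With
    keep_state=False the reply hits 'block in quick on hme3', the symptom reported.
    """
    rules = RULES if keep_state else [r.replace(" keep state", "") for r in RULES]
    fw = Firewall(rules)
    query = Packet("out", "hme3", "udp", "192.168.1.2", 40123, "192.168.1.1", 53)
    reply = Packet("in", "hme3", "udp", "192.168.1.1", 53, "192.168.1.2", 40123)
    return fw.filter(query), fw.filter(reply), dict(fw.hits)


if __name__ == "__main__":
    for ks in (True, False):
        q, r, hits = dns_query_scenario(ks)
        print(f"keep state={ks}: query -> {q}, reply -> {r}, hits={hits}")
```

Running the module prints the two cases side by side; the second one (reply blocked, inbound block rule hit count incremented, no state used) is the combination of `tcpdump` and `ipfstat` observations the PR describes, which is why an entry present in `ipfstat -t` together with a rising block counter points at the state lookup rather than at the rule set.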