From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@freebsd.org
Subject: Re: ipf return-rst
Date: Thu, 29 Nov 2001 20:04:43 +0100
Message-ID: <20011129200441.D21918@shell.gsinet.sittig.org>
References: <3C056986.163131B9@centtech.com>
In-Reply-To: <3C056986.163131B9@centtech.com>; from anderson@centtech.com on Wed, Nov 28, 2001 at 04:47:34PM -0600
Organization: System Defenestrators Inc.
List: freebsd-security@FreeBSD.ORG

On Wed, Nov 28, 2001 at 16:47 -0600, Eric Anderson wrote:
>
> I'm trying to figure out why my return-rst lines aren't
> working. Here's a sample of a line:
> block return-rst in quick on xl0 proto tcp from any to
> my.ext.ip/32 port = 23 flags S/SA

Is your my.ext.ip static? If it isn't, I suggest using 0.0.0.0/32 as
the IP spec and invoking "ipf -y" in your linkup script. Are you the
only filter in the path? Have you tried this locally in a network
completely under your control? Check it with the lo0 interface and
your internal NIC first to make sure.

> Both block the connection, but timeout instead of giving the
> "Connection refused" line.

Is this some kind of application retry? Did you use something like
netcat as a frontend and did you check by running tcpdump?

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.
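The advice above boils down to two things: write the return-rst rule against 0.0.0.0/32 (which ipf treats as "the interface's current address") and re-run "ipf -y" on link-up so ipf picks up a new dynamic address, then verify on lo0 with a netcat-style probe and tcpdump that the client actually sees a RST rather than a timeout. The script below is an added example, not part of the original thread or of ipfilter itself. It assumes the interface name xl0 and port 23 from the quoted rule, and it assumes GNU "timeout" and bash (for /dev/tcp) are available on the probing host; those are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example for the ipf return-rst discussion (not from the thread).
# Assumptions: interface xl0, telnet port 23 (from the quoted rule);
# "timeout" and bash exist on the host running the probe.

# Emit a block/return-rst rule for one interface and TCP port.
# With a dynamic external address, pass 0.0.0.0/32 as the IP spec:
# ipf resolves it to the interface's current address, and "ipf -y"
# (see ipf_linkup below) refreshes that binding after a reconnect.
ipf_rst_rule() {
    # $1 = interface, $2 = destination IP spec, $3 = TCP port
    printf 'block return-rst in quick on %s proto tcp from any to %s port = %s flags S/SA\n' \
        "$1" "$2" "$3"
}

# Write a minimal ruleset to a file (default: /tmp/ipf-rst.conf, an
# assumed path) so it can be loaded with "ipf -Fa -f <file>".
ipf_write_ruleset() {
    # $1 = interface, $2 = IP spec, $3 = port, $4 = output file
    out="${4:-/tmp/ipf-rst.conf}"
    {
        # keep established traffic flowing; only new SYNs reach the RST rule
        printf 'pass in quick on %s proto tcp from any to any flags A/A\n' "$1"
        ipf_rst_rule "$1" "$2" "$3"
    } > "$out"
    echo "$out"
}

# What the thread suggests putting in the link-up script: make ipf
# re-read interface addresses so 0.0.0.0/32 tracks the new IP.
ipf_linkup() {
    ipf -y
}

# Probe a TCP port and return the raw exit status of the attempt.
# A RST gives an immediate "Connection refused" (status 1);
# silently dropped packets hit the timeout (status 124 from timeout(1)).
probe_port() {
    # $1 = host, $2 = port, $3 = seconds to wait
    timeout "$3" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    echo $?
}

# Turn probe_port's exit status into the three outcomes that matter here.
classify_connect() {
    case "$1" in
        0)   echo open ;;      # something is listening: rule did not match
        124) echo timeout ;;   # no RST came back: packets dropped or RST filtered
        *)   echo refused ;;   # RST received: return-rst is working
    esac
}

# Watch for the RST itself on the loopback interface while probing,
# which is the tcpdump check the thread recommends (run as root).
watch_rst() {
    # $1 = interface (lo0 for the local test), $2 = port
    tcpdump -ni "$1" "tcp port $2 and tcp[tcpflags] & tcp-rst != 0"
}

# Manual usage, on a FreeBSD box with ipf loaded:
#   ipf -Fa -f "$(ipf_write_ruleset lo0 0.0.0.0/32 23)"
#   watch_rst lo0 23 &      # in one terminal
#   classify_connect "$(probe_port 127.0.0.1 23 5)"   # expect: refused
# If this prints "timeout" on lo0 the RST is not being generated locally;
# if it is "refused" on lo0 but "timeout" from outside, look for another
# filter in the path or an address mismatch on the external interface.
```

Running the local test first, as the reply suggests, separates an ipf problem from a path problem: if lo0 already shows "timeout" with the RST absent in tcpdump, the rule is not matching (wrong address, wrong flags, or an earlier rule); if lo0 shows "refused" but the real client still times out, something between the two hosts is eating either the SYN or the RST.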