Date: Fri, 8 Apr 2005 18:20:07 GMT
From: Spartak Radchenko <spartak@aif.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Message-ID: <200504081820.j38IK73J051391@freefall.freebsd.org>
The following reply was made to PR kern/79416; it has been noted by GNATS.

From: Spartak Radchenko <spartak@aif.ru>
To: freebsd-gnats-submit@FreeBSD.org, devteam@donut.ugcs.caltech.edu
Cc:
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Date: Fri, 08 Apr 2005 22:14:25 +0400

BTW, UDP is also affected. Here is my test ruleset for traceroute:

    block in log all
    pass in quick proto udp from any to any port 33434 >< 33690
    pass out proto icmp from any to any keep state

A host with this ruleset can be tracerouted from outside in 4.8, 4.9, 4.10. But not in 4.11. The counter for the last rule is incremented for each outbound icmp unreach, however. Is it a bug or not? I am not sure.

And this ruleset works in 4.11:

    block in log all
    pass in quick proto udp from any to any port 33434 >< 33690
    pass out quick proto icmp from any to any icmp-type unreach
    pass out proto icmp from any to any keep state

--
Spartak Radchenko
SVR1-RIPE