kern/106438: [ipf] ipfilter: keep state does not seem to allow
replies in on spar64 (and maybe others)
Mark Abene
phiber at phiber.com
Mon Dec 7 01:40:04 UTC 2009
The following reply was made to PR kern/106438; it has been noted by GNATS.
From: Mark Abene <phiber at phiber.com>
To: bug-followup at FreeBSD.org, mala at hinterbergen.de
Cc:
Subject: Re: kern/106438: [ipf] ipfilter: keep state does not seem to allow
replies in on spar64 (and maybe others)
Date: Sun, 06 Dec 2009 20:26:25 -0500

It's been several years since this was first reported, and I can confirm
that it's still a problem in FreeBSD 8.0-RELEASE on i386 with an fxp
interface. I just wasted nearly two days trying to figure out why our
ipfilter rules which have been in use for years on our firewall suddenly
locked the machine out when we upgraded from a rather old version of
FreeBSD to 8.0-RELEASE.

Same exact problem, same exact symptoms. Disabling checksumming on the
interface resolved the problem completely, otherwise ipfilter was rather
broken. I'm really glad I found this bug report, though not soon
enough. This is a rather serious problem.

-Mark