ipf filter: problem with "keep state" or "flags S" parameter
Anton Shterenlikht
mexas at bristol.ac.uk
Mon Aug 9 12:53:11 UTC 2010
On Mon, Aug 09, 2010 at 03:21:51PM +0300, Eugenijus Urbonas wrote:
> Hello!
> Some time ago I already had business with ipf and everything was ok (I
> used manual to create rules), server worked perfectly.
> Now I'm trying to setup the same server, but with newer version of
> FreeBSD (8.1-RELEASE), the same manuals, the same settings, everything
> works except firewall, and there is something strange:
> for example, I have rules in my /etc/ipf.rules:
>
> Code:
>
> pass out quick on fxp0 all
> pass in log quick on fxp0 proto tcp from any to any port = 80
> block in log first quick on fxp0 all
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:1 p *xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> that is OK
>
> now I change second rule to:
> Code:
>
> pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
>
> # because I want to use stateful firewall of course
>
> in this case ipmon shows:
> Code:
>
> ... fxp0 *@0:2 b* xx.xx.xx.xx -> xx.xx.xx.xx,80 PR tcp len ...
>
> and that is NOT OK
>
> I don't understand why, but now my connection does not match my rule...
> why? can someone explain it to me?
what is the output of `ipfstat -in`?
--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
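The ipmon lines quoted above carry the rule reference (@group:rule) and the action letter (p for pass, b for block) that tell you which rule actually matched. As an added example, not part of the thread, here is a small parser for such lines plus a check that flags port-80 packets hitting a block rule; the log lines are constructed to mimic the two quoted in the question and are not real traffic.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed ipmon-style lines modelled on the thread's two examples
# (addresses, ports, timestamps and lengths are made up).
SAMPLE_IPMON_LINES = [
    "09/08/2010 12:00:01.000000 fxp0 @0:1 p 10.0.0.5,40001 -> 192.0.2.10,80 PR tcp len 20 60 -S IN",
    "09/08/2010 12:00:02.000000 fxp0 *@0:2 b* *10.0.0.5,40002 -> 192.0.2.10,80 PR tcp len 20 60 -S IN",
    "09/08/2010 12:00:03.000000 fxp0 @0:2 b 10.0.0.6,40003 -> 192.0.2.10,22 PR tcp len 20 60 -S IN",
]

class IpmonEvent(NamedTuple):
    iface: str
    group: int
    rule: int
    action: str          # 'p' = pass, 'b' = block
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str

# Tolerates the '*' markers seen in the quoted output (e.g. "*@0:2 b* *addr").
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+\*?@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pb])\*?\s+"
    r"\*?(?P<src>[^,\s]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)"
)

def parse_ipmon_line(line: str) -> Optional[IpmonEvent]:
    """Return the parsed event, or None if the line is not a pass/block record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    port = lambda s: int(s) if s is not None else None
    return IpmonEvent(m["iface"], int(m["group"]), int(m["rule"]), m["action"],
                      m["src"], port(m["sport"]), m["dst"], port(m["dport"]), m["proto"])

def find_blocked_to_port(lines: List[str], dport: int) -> List[IpmonEvent]:
    """Events where a block rule matched traffic to dport (which the ruleset meant to pass)."""
    events = (parse_ipmon_line(l) for l in lines)
    return [e for e in events if e and e.action == "b" and e.dport == dport]

if __name__ == "__main__":
    for e in find_blocked_to_port(SAMPLE_IPMON_LINES, 80):
        print(f"blocked by @{e.group}:{e.rule} on {e.iface}: {e.src},{e.sport} -> {e.dst},{e.dport}")
```

Running it against live ipmon output (e.g. `ipmon -o I` piped in) would show immediately whether the expected pass rule or the catch-all block rule is the one matching.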