[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: some problems with pf losing state information in

that's the worst wannabe-bugreport I ever read.
where are the logs? where's the ruleset?
hint: timeouts
On Mon, Dec 09, 2002 at 06:17:02PM +0100, Dries Schellekens wrote:
> Taken from deadly.org
> some problems with pf losing state information in
> by Timothy Dyck, eWEEK Labs ([email protected]) on Monday,
> December 09 @04:30AM
> One thing people will notice in the pf.conf files is some rules that
> explicitly allow reply traffic through the firewall when a "keep state"
> parameter on the incoming traffic rule should have taken care of this
> automatically.
> Here's an example:
> pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp
> keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
> pass in on $int_if proto udp from $name_server_ip port domain to $int_if
> keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need
> this line
> When I watched the log of blocked packets, I'd find that a small number of
> reply packets were getting blocked until I added reply rules like the
> second one above. It appeared that pf was losing track of the state of
> certain incoming connections and so generated reply traffic wasn't being
> correctly associated with incoming traffic.
> Anyone experienced this? It wasn't a big problem, but I shouldn't have
> needed those extra rules. This is with release OpenBSD 3.2.
> Thanks,
> Tim Dyck
> eWEEK Labs
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)