https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236292
Bug ID: 236292
Summary: sbin/ipfw doesn't allow returning packets with
limit-source address
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
Hi,
After upgrading from source from r343710 to r344737, the behavior of
limit-source address changed.
I have rules like this (which skip to after my IPv4 NAT rule, where an accept-all
rule is):
skipto 10000 ip4 from any to me 443 in recv em0 proto tcp limit src-addr 10
Although, after my upgrade, these packets don't get allowed out.
When I change the rule to the below one it works just fine.
skipto 10000 ip4 from any to me 443 in recv em0 proto tcp keep-state
I see the dynamic rule getting installed with LIMIT:
[/usr/src]$ sudo ipfw show -d |grep LIMIT
00000 2 120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000 3 180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000 3 180 (296s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
Although I see the returning packets getting denied:
Mar 5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:19 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:22 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Can somebody help me out with this? Did the behavior of limit source address
change?
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
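The report pairs two pieces of evidence: `ipfw show -d` lists LIMIT states for the client flow, and the kernel log shows replies on the same flow being denied at rule 9999 on the way out. The check a practitioner wants at that point is whether each denied packet actually belongs to a flow that already has a dynamic state (so the state exists but was not matched on that path) or whether no state was ever created for it. The script below is an added example, not code from the bug report or from FreeBSD; it parses the `ipfw show -d` lines and the kernel log lines exactly as they appear in the report (embedded inline, with the wrapped lines re-joined) plus one constructed log line for an unrelated flow, and classifies each deny. Dynamic states are bidirectional (`<->`), so the flow key is direction-independent. The field layout of both line formats is taken from the report's own output; nothing is assumed about why the state was not matched.

```python
"""Cross-check ipfw dynamic (LIMIT/keep-state) entries against logged denies.

Added example; not the reporter's code and not part of FreeBSD. Input lines
below are copied from the bug report except where marked as constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Output of `ipfw show -d`, copied from the report (wrapped lines re-joined).
STATE_OUTPUT = """\
00000 2 120 (19s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000 3 180 (299s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
00000 3 180 (296s) LIMIT tcp 109.140.18.212 10087 <-> 141.135.72.71 443 :default
"""

# Kernel log lines: the first two are from the report; the third is a
# constructed line for an unrelated flow that no state should cover.
LOG_LINES = """\
Mar 5 20:23:13 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:16 vados kernel: ipfw: 9999 Deny TCP 141.135.72.71:443 109.140.18.212:10087 out via em0
Mar 5 20:23:19 vados kernel: ipfw: 9999 Deny TCP 192.0.2.9:443 10.0.0.5:40000 out via em0
"""

# Dynamic-state line, IPv4 only, as shown in the report:
#   <rule> <pkts> <bytes> (<expire>s) <KIND> <proto> <src> <sport> <-> <dst> <dport> :<name>
STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)\s+"
    r"(?P<kind>[A-Z]+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+:(?P<name>\S+)$"
)

# Kernel log line written by a logging rule, IPv4 only, as shown in the report:
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <ifname>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)"
)


def flow_key(proto: str, src: str, sport: int, dst: str, dport: int):
    """Direction-independent 5-tuple: a dynamic state matches packets both ways."""
    return (proto.lower(), frozenset({(src, int(sport)), (dst, int(dport))}))


@dataclass(frozen=True)
class DynState:
    rule: int
    kind: str      # e.g. LIMIT or STATE
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    name: str      # state-set name after ':'
    expire: int    # seconds until the state times out

    @property
    def flow(self):
        return flow_key(self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class LogEntry:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    ifname: str

    @property
    def flow(self):
        return flow_key(self.proto, self.src, self.sport, self.dst, self.dport)


def parse_states(text: str) -> list:
    """Parse `ipfw show -d` dynamic-state lines; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            out.append(DynState(int(m["rule"]), m["kind"], m["proto"], m["src"],
                                int(m["sport"]), m["dst"], int(m["dport"]),
                                m["name"], int(m["expire"])))
    return out


def parse_log(text: str) -> list:
    """Parse kernel ipfw log lines; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append(LogEntry(int(m["rule"]), m["action"], m["proto"], m["src"],
                                int(m["sport"]), m["dst"], int(m["dport"]),
                                m["dir"], m["ifname"]))
    return out


def covered_by(entry: LogEntry, states: list) -> Optional[DynState]:
    """Return a dynamic state whose 5-tuple covers this packet, or None."""
    return next((s for s in states if s.flow == entry.flow), None)


def classify(states_text: str, log_text: str) -> list:
    """For each logged deny, pair it with the covering state (if any) and a verdict."""
    states = parse_states(states_text)
    results = []
    for e in parse_log(log_text):
        if e.action.lower() != "deny":
            continue
        s = covered_by(e, states)
        verdict = ("dynamic state exists for this flow; it was not matched on the "
                   f"{e.direction} path before rule {e.rule}") if s else \
                  "no dynamic state for this flow"
        results.append((e, s, verdict))
    return results


if __name__ == "__main__":
    for e, s, verdict in classify(STATE_OUTPUT, LOG_LINES):
        print(f"{e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} {e.direction} via "
              f"{e.ifname}: {verdict}" + (f" ({s.kind} :{s.name}, {s.expire}s left)" if s else ""))
```

Running it against the report's own lines shows the first category for every logged deny: a LIMIT state in set `:default` covers the flow and the reply still reaches the deny at 9999, which is the behavior the reporter is asking about. The constructed third line lands in the second category, which is what a deny looks like when no state was ever installed (for example when the inbound rule never fired).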