dan,
never mind getting ipf's "keep state" to work in this situation, how do you think tcp/ip is going to work?
example, based on your description...
host A sends to host B an opening TCP gambit... 192.168.1.10:1024 -> 192.168.1.50:80 TCP SYN
are you saying that "sometimes" host B responds... 192.168.1.91:80 -> 192.168.1.10:1024 TCP SYN+ACK ???
sorry, but from host A's tcp/ip stack/kernel perspective this appears as an unsolicited packet, and is thus dropped. that is, there is no mating socket tuple on host A. how does the stack know where to plug the payload in? if indeed host B is behaving like this, it's broken.
either my understanding of your problem is skewed or we need another chapter in "TCP/IP Illustrated". and man-in-the-middle attacks just got a lot easier.
jim
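Added illustration of the point above (this is example code, not something from the thread or from ipf itself): a minimal model of a "keep state" table that records the outbound 4-tuple and passes an inbound packet only if it is the exact mirror of a recorded flow. The class and packet names are made up for the example; the addresses are the ones quoted in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed TCP packet summary: just the addressing tuple and flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class StateTable:
    """Hypothetical stateful filter: one entry per outbound connection attempt."""

    def __init__(self):
        self.entries = set()  # (src, sport, dst, dport) of flows we allowed out

    def outbound(self, pkt):
        """Outbound packet. A bare SYN creates state; everything else is passed."""
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.entries.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        """Inbound packet. Pass only if the reversed tuple matches a known flow."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.entries


def demo():
    """Replay the exchange from the thread; returns (reply_from_50, reply_from_91)."""
    table = StateTable()
    # host A opens a connection to 192.168.1.50:80
    table.outbound(Packet("192.168.1.10", 1024, "192.168.1.50", 80, "SYN"))
    # reply from the address we talked to: mirror of the stored tuple, passes
    good = Packet("192.168.1.50", 80, "192.168.1.10", 1024, "SYN+ACK")
    # reply from the server's other address: no matching entry, dropped
    bad = Packet("192.168.1.91", 80, "192.168.1.10", 1024, "SYN+ACK")
    return table.inbound(good), table.inbound(bad)
```

The second reply is dropped for the same reason host A's own stack would drop it: nothing in the table (or socket list) was ever keyed on 192.168.1.91.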
Dan D Niles wrote:
Is there any way to get state to work with hosts that don't always send replies with the same address?
I have a server that has two interfaces and two IPs. If I send a packet to 192.168.1.50, sometimes the response comes back on 192.168.1.50 and sometimes it comes back on 192.168.1.91 (not the real IPs). When the response comes back on 50, state works fine but when it comes back on 91, it doesn't.
I have also seen this problem with virtual hosts on solaris.
Thanks,
Dan
