Hernan F wrote:
> Hi, thanks for your answer. Unfortunately, it didn't seem to help either. I've
> read that tutorial and the one over at ipfilter's site, and I thought I was
> doing it right:
>
> I'm allowing anything to go out
> Blocking everything coming in
> except if: for tcp port 80 OR is an ICMP OR is from interface lo0
>
> I thought I didn't need stateful filtering for that? This machine
> doesn't initiate connections by itself. But I added it anyway, just in case.
>
> Maybe I'm hitting a bug?

It sounds like a bug to me.

No, you should not need stateful filtering for a simple case like this. It's generally needed when you have to relate outbound packets to inbound ones, but since you're not restricting outbound packets, that's not really an issue.

It sometimes helps to use "ipfstat -hi6" and "ipfstat -ho6" to see what rules are getting hit. If that doesn't get it, then you might need to start using either the 'log' option or even dtrace to figure out what's going on.

--
James Carlson 42.703N 71.076W <carls...@workingcode.com>