That's the worst wannabe bug report I ever read. Bullshit. Where are the logs? Where's the ruleset? Hint: timeouts.
On Mon, Dec 09, 2002 at 06:17:02PM +0100, Dries Schellekens wrote:
> Taken from deadly.org
>
> some problems with pf losing state information in
> by Timothy Dyck, eWEEK Labs ([EMAIL PROTECTED]) on Monday,
> December 09 @04:30AM
>
> One thing people will notice in the pf.conf files is some rules that
> explicitly allow reply traffic through the firewall when a "keep state"
> parameter on the incoming traffic rule should have taken care of this
> automatically.
>
> Here's an example:
>
> pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp
> keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
>
> pass in on $int_if proto udp from $name_server_ip port domain to $int_if
> keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need
> this line
>
> When I watched the log of blocked packets, I'd find that a small number of
> reply packets were getting blocked until I added reply rules like the
> second one above. It appeared that pf was losing track of the state of
> certain incoming connections and so generated reply traffic wasn't being
> correctly associated with incoming traffic.
>
> Anyone experienced this? It wasn't a big problem, but I shouldn't have
> needed those extra rules. This is with release OpenBSD 3.2.
>
> Thanks,
> Tim Dyck
> eWEEK Labs
>

--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
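An added pf.conf fragment, not from the thread or from pf's own documentation, showing the alternative to the second quoted rule: create the DNS state on the outbound query, tune the UDP state timeouts that the "timeouts" hint points at, and keep the default deny. Macro values are constructed, the timeout syntax follows current pf.conf(5) and may differ from 3.2's, and the diagnosis (UDP state expiring before a slow reply arrives) is an assumption the thread leaves unconfirmed.

```pf
# Added example (not from the thread). Assumes $int_if, $name_server_ip and
# $mail_relay_ok_net as in the quoted rules; addresses below are constructed.
int_if            = "fxp1"
name_server_ip    = "192.0.2.53"
mail_relay_ok_net = "192.0.2.0/24"

# State-expiry knobs (assumed cause). A query whose answer arrives after
# udp.first seconds, or a one-packet exchange older than udp.single, has
# already left the state table, so the late reply hits the default deny.
# Raising these is preferable to a stateless "reply" rule.
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }
set timeout { tcp.first 120, tcp.established 86400 }

# Default deny, logged, so misses still show up in the blocked-packet log.
block in log on $int_if all

# Outgoing DNS: the state created here matches the answer on the way back
# in, so no "pass in ... from $name_server_ip port domain" rule is needed.
pass out on $int_if proto udp from $int_if to $name_server_ip port domain \
    keep state

# Incoming SMTP from the relay net: the same state entry carries the
# replies back out. flags S/SA creates state only on the initial SYN.
pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp \
    flags S/SA keep state

# Avoid: admits any UDP packet that merely claims source port 53 from the
# name server address, regardless of which query (if any) it answers.
# pass in on $int_if proto udp from $name_server_ip port domain to $int_if
```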
