Peter Kieser wrote:
> Hello,
>
> I'm having similar issues (intermittent connectivity as if the dynamic
> rule table isn't being kept properly) using IP Filter with IPv6 and
> keep state rules as I was having with ipfw (see "ipfw2 keep-state +
> IPv6 on RELENG_7"); IPv4 keep state rules work as expected. I've
> verified that it is not in fact a network problem (adding an "allow
> all" fixes the problem again).
>
> My rules are as follows, CVSup from today (Wed Oct 24 10:54:23 PDT),
> em0 is my external interface:
>
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass out quick on em0 keep state
> pass in quick on em0 proto tcp from any to any port = 22

This is asking for trouble, regardless of which firewall you use. For best performance, the "keep state" part should be triggered by a rule that mentions the TCP SYN flag somewhere. So for IPFilter, the rule should be:

pass in quick on em0 proto tcp from any to any port = 22 flags S keep state

(for inbound ssh) and for outbound ssh, you should have an explicit rule like this for tcp:

pass out quick on em0 proto tcp all flags S keep state

If you don't trigger stateful filtering on SYN packets then the firewall doesn't have a chance to record the window scaling options that are present in the SYN/SYN-ACK packets at the start of a connection and thus can't correctly determine if packets coming later are inside or outside the TCP window.

Darren

Received on Sat Oct 27 2007 - 17:01:15 UTC
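To make the window-scaling point concrete, here is a small added model of the in-window check a stateful firewall performs (my own illustration with a constructed exchange, not IPFilter's code). The only difference between the two runs is whether the state entry was created from the SYN, the one packet that carries the window-scale option, or from a mid-stream packet, where the shift count is unknown and the firewall has to assume no scaling.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """State a firewall keeps for one direction of a TCP connection."""
    wscale: int      # shift count learned from the SYN/SYN-ACK option, else 0
    ack: int = 0     # last ACK number the receiver sent back
    win: int = 0     # last raw 16-bit window the receiver advertised

    def upper_edge(self) -> int:
        # The receiver accepts data up to ack + (window << wscale).
        return self.ack + (self.win << self.wscale)


def create_state(syn: bool, wscale_opt: Optional[int]) -> Entry:
    """State created on the handshake records the option; state created
    from a mid-stream packet cannot, since the option only rides on SYNs."""
    if syn and wscale_opt is not None:
        return Entry(wscale=wscale_opt)
    return Entry(wscale=0)


def observe_ack(e: Entry, ack: int, win: int) -> None:
    """Update the entry from an ACK seen in the opposite direction."""
    e.ack, e.win = ack, win


def in_window(e: Entry, seq: int, length: int) -> bool:
    """Would the firewall let a data segment [seq, seq+length) through?"""
    return e.ack <= seq and seq + length <= e.upper_edge()


def simulate(state_from_syn: bool) -> List[bool]:
    """Constructed exchange: the peer advertises window 4096 with wscale 7
    (a real window of 4096 << 7 = 524288 bytes). The sender then sends
    three 1460-byte segments at increasing offsets; returns pass/drop."""
    e = create_state(syn=state_from_syn,
                     wscale_opt=7 if state_from_syn else None)
    observe_ack(e, ack=1000, win=4096)
    bursts = [(1000, 1460), (1000 + 4096, 1460), (1000 + 100000, 1460)]
    return [in_window(e, seq, ln) for seq, ln in bursts]
```

With state from the SYN every segment passes; with state created mid-stream the firewall believes the window is only 4096 bytes and silently drops the later segments, which is exactly the intermittent connectivity described above.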