On Fri, Nov 08, 2002 at 09:39:35AM +0200, Toomas Aas wrote:
> > Packets which should have been allowed were being blocked by the
> > catch-all rules, e.g. ssh replies:
> >
> > Nov 7 18:48:46 fw ipmon[111]: [ID 702911 local0.warning] 18:48:45.520290 le2 @0:15 b y,22 -> x,44605 PR tcp len 20 44 -AS OUT
> >
> > The rule allowing x -> y port = 22 is:
> >
> > pass in quick proto tcp from x to y port = 22 flags S keep state group 200
>
> Isn't it true that "flags S" means "S and ONLY S" i.e. packet with SA
> gets blocked? I've come to this conclusion with IPFilter 3.4.27, maybe
> earlier versions were different?
Correct, but that only refers to what kind of packets are allowed -without- a pre-existing state table entry. Once the SYN hits that rule, a state is created for it, so the following SYN-ACK and ACK are passed through without any rule checking. But if there was no SYN initially, the SYN-ACK and ACK will not be passed by that rule. -c
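The rule-versus-state-table behaviour described in the reply above, modelled as an added Python example (constructed for this page, not IPFilter code and not from either poster): a `flags S keep state` rule for x -> y port 22 followed by a catch-all block, with a SYN-ACK and ACK run through it with and without the initial SYN. Interfaces, the in/out direction and rule groups are ignored; first-match ("quick") semantics are assumed.

```python
from collections import namedtuple
from dataclasses import dataclass
# Constructed model of the rule and packets quoted in the thread; not IPFilter code.
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of TCP flag letters

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str = None              # None matches anything
    dst: str = None
    dport: int = None
    flags: frozenset = None      # "flags S" matches exactly S, nothing else
    keep_state: bool = False

    def matches(self, p):
        return ((self.src is None or p.src == self.src)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.flags is None or p.flags == self.flags))

def flow_key(p):
    # Direction-agnostic key, so the returning SYN-ACK maps to the flow the SYN created.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Filter:
    def __init__(self, rules):
        self.rules, self.state = rules, set()

    def check(self, p):
        # The state table is consulted before any rule; a known flow passes outright.
        if flow_key(p) in self.state:
            return "pass (state)"
        for r in self.rules:  # "quick" rules: first match decides
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(flow_key(p))
                return r.action
        return "block"

RULES = [Rule("pass", "x", "y", 22, frozenset("S"), keep_state=True), Rule("block")]

def handshake(with_syn):
    """Send (optional) SYN, then SYN-ACK and ACK, through a fresh filter; return verdicts."""
    fw = Filter(RULES)
    pkts = [Packet("y", 22, "x", 44605, frozenset("SA")),   # the logged reply, flags -AS
            Packet("x", 44605, "y", 22, frozenset("A"))]
    if with_syn:
        pkts.insert(0, Packet("x", 44605, "y", 22, frozenset("S")))
    return [fw.check(p) for p in pkts]
```

With the SYN present the SYN-ACK and ACK never reach the rules; without it both fall through to the catch-all, which is exactly the log line Toomas quoted.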
