> From: Hans Werner Strube
>
> > From Guido van Rooij Wed Feb 18 11:32:16 2004
> >
> > On Wed, Feb 18, 2004 at 11:05:56AM +0100, Hans Werner Strube wrote:
> > > With rules
> > >
> > > block in log on elxl0 all
> > > pass in quick on elxl0 proto tcp from x.y.z.0/24 to x.y.z.h/32 flags S keep state
> > >
> > > on ipf host x.y.z.h, broadcasts from other hosts in subnet x.y.z.0 to x.y.z.255
> > > (the broadcast address of subnet x.y.z.0) are blocked and logged with ipf
> > > 3.4.33 but neither blocked nor logged with 4.1. Bug or feature?
> > > (OS: Solaris 7)
> >
> > From what I've seen, the logic in both versions of ipfilter is equal.
> >
> > Your block rule does not have quick. Are you sure that your default
> > is not to pass? (look with ipf -V)
>
> This is just a toy configuration with no other essential rules,
> and I compared 3.4.33 and 4.1 on the same machine with the same rules
> (of course, after deinstalling the first and installing the other one).
> Both show "Default: pass all, Logging: available" with ipf -V
> but only the explicitly given rules with ipfstat -i .
> In 4.1, I now added another rule
>
> block in log quick on elxl0 all
>
> after the two given ones, but the broadcasts are still passed and not logged.
Sorry, I mixed this up a little. The broadcasts were UDP (e.g., from rup or rusers), thus the pertinent rules were

block in log on elxl0 all
pass in quick on elxl0 proto udp from x.y.z.0/24 to x.y.z.h/32 keep state

(plus later:)

block in log quick on elxl0 all

But apart from the form of the second rule, this does not change what I reported. When I added a rule

pass in quick on elxl0 proto udp from x.y.z.0/24 to x.y.z.255/32 keep state

the broadcasts were passed in 3.4.33, whereas with ipf 4.1, this rule was not required.
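The rule evaluation the thread is arguing about can be modelled directly. The following Python is an added example, not code from the thread or from the ipfilter project. It implements ipfilter's documented matching order (rules are checked top to bottom, the last matching rule wins, a matching rule marked "quick" decides immediately, and the default is "pass" as reported by ipf -V) over the three rulesets Hans posted. The addresses 192.0.2.0/24, 192.0.2.10 and 192.0.2.255 are constructed stand-ins for x.y.z.0/24, x.y.z.h and the subnet broadcast; the parser accepts the "in", "on elxl0", "keep state" and "flags" keywords but ignores them, since direction, interface and state are not what decides the outcome here. The model reproduces the 3.4.33 result the thread describes (a /32 host rule does not cover the directed broadcast, so the broadcast falls through to the block rule); it does not attempt to explain the 4.1 behaviour that the thread is questioning.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    quick: bool              # "quick": stop evaluating when this rule matches
    log: bool                # "log": record the packet if this rule decides
    proto: Optional[str]     # None matches any protocol ("all")
    src: object              # ip_network
    dst: object              # ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the thread.
    Direction ("in"), interface ("on elxl0"), "keep state" and "flags S"
    are accepted and ignored by this model."""
    toks = text.split()
    action = toks[0]
    proto = None
    if "proto" in toks:
        proto = toks[toks.index("proto") + 1]
    src, dst = ANY, ANY
    if "from" in toks:
        word = toks[toks.index("from") + 1]
        src = ANY if word == "any" else ip_network(word, strict=False)
    if "to" in toks:
        word = toks[toks.index("to") + 1]
        dst = ANY if word == "any" else ip_network(word, strict=False)
    return Rule(action, "quick" in toks, "log" in toks, proto, src, dst)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst


def evaluate(rules, pkt: Packet, default: str = "pass") -> Tuple[str, bool]:
    """ipfilter semantics: the LAST matching rule decides, unless a matching
    rule is 'quick', which decides on the spot.  Returns (action, logged)."""
    result = (default, False)
    for r in rules:
        if matches(r, pkt):
            result = (r.action, r.log)
            if r.quick:
                break
    return result


# Constructed stand-ins for the thread's x.y.z.0/24, x.y.z.h and x.y.z.255.
NET = "192.0.2.0/24"
HOST = "192.0.2.10"
BCAST = "192.0.2.255"

# Ruleset as first corrected in the thread (UDP, no quick on the block rule).
ORIGINAL = [
    parse_rule("block in log on elxl0 all"),
    parse_rule(f"pass in quick on elxl0 proto udp from {NET} to {HOST}/32 keep state"),
]
# Same plus the trailing "block ... quick" rule that was added in 4.1.
WITH_QUICK_BLOCK = ORIGINAL + [parse_rule("block in log quick on elxl0 all")]
# Same plus the explicit pass rule for the subnet broadcast address.
WITH_BCAST_PASS = ORIGINAL + [
    parse_rule(f"pass in quick on elxl0 proto udp from {NET} to {BCAST}/32 keep state"),
]

# Constructed sample traffic: a unicast datagram to the host and a
# rup/rusers-style broadcast, both from another host in the subnet.
UNICAST = Packet("udp", "192.0.2.5", HOST)
BROADCAST = Packet("udp", "192.0.2.5", BCAST)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL),
                        ("with quick block", WITH_QUICK_BLOCK),
                        ("with broadcast pass", WITH_BCAST_PASS)):
        print(f"{name:20s} unicast={evaluate(rules, UNICAST)} "
              f"broadcast={evaluate(rules, BROADCAST)}")
```

Under these semantics the unicast datagram always reaches the quick pass rule, while the broadcast only matches the catch-all block rule, so it is blocked and logged until a rule whose destination actually covers 192.0.2.255 is added. The practical check on a real host is the one the thread already uses: compare the loaded rules with ipfstat -i and the default policy with ipf -V, and write an explicit rule for the subnet broadcast if that traffic is meant to be passed.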
