Hi,

After upgrading to the latest NetBSD/amd64 4.0_BETA2 (and therefore to IPF 4.1.20) I'm getting a lot of these errors. Before the upgrade (IPF 4.1.13) everything was working just fine.


May 10 10:20:48 p130 ipmon[377]: 10:20:48.692051 bnx0 @0:37 b d146.mydomain.com[xxx.xxx.xxx.146],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -A IN
May 10 10:20:49 p130 ipmon[377]: 10:20:49.684257 bnx0 @0:37 b d146.mydomain.com[xxx.xxx.xxx.146],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -AF IN
May 10 10:20:49 p130 ipmon[377]: 10:20:49.694822 bnx0 @0:37 b d146.mydomain.com[xxx.xxx.xxx.146],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 64 -A IN
May 10 10:20:51 p130 ipmon[377]: 10:20:51.684376 bnx0 @0:37 b d146.mydomain.com[xxx.xxx.xxx.146],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 52 -AF IN
May 10 10:20:51 p130 ipmon[377]: 10:20:51.703369 bnx0 @0:37 b d146.mydomain.com[xxx.xxx.xxx.146],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],52997 PR tcp len 20 64 -A IN


In this case p130 contacted d146's SMTP port but some of the return packets are blocked. On p130 I have these rules:


# Incoming SMTP to this host
pass in  quick proto tcp from any to xxx.xxx.xxx.130 port = 25
pass out quick proto tcp from xxx.xxx.xxx.130 port = 25 to any
pass in  quick proto tcp from any to xxx.xxx.xxx.130 port = 465
pass out quick proto tcp from xxx.xxx.xxx.130 port = 465 to any

# Outgoing traffic
pass out quick proto tcp  from any to any flags S keep state keep frags
pass out quick proto udp  from any to any keep state keep frags
pass out quick proto icmp from any to any icmp-type 8 keep state

# Block and log everything else
block return-rst in log quick proto tcp from any to any flags S
block            in log quick proto tcp from any to any
block return-icmp-as-dest (port-unr) in log quick proto udp from any to any
block in  log quick all
block out log quick all


In this case rule 0:37 is

@37 block in log quick proto tcp from any to any
@38 block return-icmp-as-dest(port-unr) in log quick proto udp from any to any
@39 block in log quick all


How should I debug this?

Martti
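A small triage helper, added here and not part of Martti's post: it parses ipmon lines in the format shown above and counts blocked inbound TCP packets that carry no SYN, i.e. replies belonging to an already-established outbound connection that should have matched a `keep state` entry. The log lines, hostnames and 192.0.2.x/198.51.100.x addresses are constructed samples, and the `@0:36` rule number on the third line is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in the ipmon format from the post (documentation addresses,
# not the poster's real hosts); the third line's @0:36 rule number is a placeholder.
SAMPLE_LOG = """\
May 10 10:20:48 p130 ipmon[377]: 10:20:48.692051 bnx0 @0:37 b d146.mydomain.com[192.0.2.146],smtp -> p130.mydomain.com[192.0.2.130],52997 PR tcp len 20 52 -A IN
May 10 10:20:49 p130 ipmon[377]: 10:20:49.684257 bnx0 @0:37 b d146.mydomain.com[192.0.2.146],smtp -> p130.mydomain.com[192.0.2.130],52997 PR tcp len 20 52 -AF IN
May 10 10:20:55 p130 ipmon[377]: 10:20:55.100000 bnx0 @0:36 b scanner.example[198.51.100.9],40000 -> p130.mydomain.com[192.0.2.130],2525 PR tcp len 20 60 -S IN
"""

# One ipmon record: time iface @group:rule action src[ip],port -> dst[ip],port PR proto len hlen total [-FLAGS] DIR
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpSnL]) (?P<src>\S+)\[(?P<sip>[^\]]+)\],(?P<sport>\S+) -> "
    r"(?P<dst>\S+)\[(?P<dip>[^\]]+)\],(?P<dport>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<tlen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)


def parse_ipmon(text):
    """Return one dict per recognised ipmon line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = rec["flags"] or ""   # UDP/ICMP records carry no flag field
            entries.append(rec)
    return entries


def stray_state_drops(entries):
    """Count blocked inbound TCP packets with no SYN, keyed by 4-tuple.

    Such packets are mid-connection (ACK/FIN) replies; with 'keep state' on the
    outbound rule they should have matched a state entry, so every hit here marks
    a connection whose state was lost or never created. A blocked SYN is a plain
    unsolicited connection attempt and is left out."""
    hits = Counter()
    for e in entries:
        if e["action"] == "b" and e["dir"] == "IN" and e["proto"] == "tcp" and "S" not in e["flags"]:
            hits[(e["sip"], e["sport"], e["dip"], e["dport"])] += 1
    return hits


if __name__ == "__main__":
    for flow, n in stray_state_drops(parse_ipmon(SAMPLE_LOG)).items():
        print(f"{n} stateless drop(s): {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
```

Run it over the real ipmon output (e.g. `parse_ipmon(open('/var/log/ipflog').read())`) to see which flows lose state and whether the drops cluster around a state timeout or a specific rule number.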
