Re: ipf return-rst

From: Gerhard Sittig (Gerhard.Sittig@gmx.net)
Date: 11/29/01


Date: Thu, 29 Nov 2001 20:04:43 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@freebsd.org

On Wed, Nov 28, 2001 at 16:47 -0600, Eric Anderson wrote:
>
> I'm trying to figure out why my return-rst lines aren't
> working. Here's a sample of a line:
> block return-rst in quick on xl0 proto tcp from any to
> my.ext.ip/32 port = 23 flags S/SA

Is your my.ext.ip static? If it isn't, I suggest using 0.0.0.0/32
as the IP spec and invoking "ipf -y" in your linkup script.

Are you the only filter in the path? Have you tried this locally
in a network completely under your control? Check it with the lo0
interface and your internal NIC first to make sure.

> Both block the connection, but timeout instead of giving the
> "Connection refused" line.

Is this some kind of application retry? Did you use something
like netcat as a frontend and did you check by running tcpdump?

virtually yours
Gerhard Sittig

82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
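A small diagnostic for the symptom in the thread, added here as an example and not taken from the original mails: it tells a returned RST ("Connection refused", what a working "block return-rst" should give) from a silent drop (timeout, what plain "block" gives), the same check the reply suggests doing with netcat and tcpdump. It assumes only the Python standard library and exercises itself against loopback, the "test it locally first" step; the host and port values are constructed.

```python
"""Classify how a TCP connect attempt ends: RST vs silent drop.
Added example for the ipf return-rst thread; not from the original mail."""
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable'.

    'refused' means the peer answered our SYN with an RST, which is what a
    matching 'block return-rst' rule should produce.  'timeout' means nothing
    came back at all: the behaviour of a plain 'block' rule, or of a rule
    that never matched because the address spec (e.g. a stale my.ext.ip)
    no longer fits the packets.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:            # SYN (or SYN/ACK) silently dropped
        return "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:   # RST received
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):  # ICMP reply
            return "unreachable"
        raise
    finally:
        s.close()


def local_demo() -> dict:
    """Probe loopback (lo0 on FreeBSD) with a listening and a closed port.
    Constructed test setup: ports are chosen by the kernel at run time."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind and release a second port so it is known to be closed right now.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {"listening": probe_tcp("127.0.0.1", open_port),
                "closed": probe_tcp("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(local_demo())
```

Run it once against a host behind the rule while tcpdump watches the interface: "refused" with an RST on the wire confirms return-rst is working, "timeout" with only retransmitted SYNs means the packets are being dropped, by this rule or by another filter in the path.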