Topic: IPfilter bug  (Read 9848 times)
« on: May 01, 2007, 17:14:52 »
Hillel *
Posts: 7

I found a few references to the bug in ipfilter with FreeBSD 6.1 that causes packets to be blocked with "out of window" errors when the filter rules specify the "keep state" option.  See the "RSH blocked from WAN to LAN" thread in the General Questions forum.

A Google Groups search turns up a few references that the bug was fixed in the 6.2-CURRENT distribution.  It could be that the prerelease 6.2 distributions used for the m0n0wall 1.3 beta so far still have the bug.

Could the next 1.3 beta release include ipfilter from the FreeBSD 6.2-CURRENT distribution?
« Reply #1 on: May 02, 2007, 01:14:33 »
cmb *****
Posts: 851

I'm glad to hear you've found reference to this issue.

Your terminology is mixed up. There is no 6.2-CURRENT. FreeBSD-CURRENT is what will become 7.0. 6-STABLE, a.k.a. RELENG_6, is what will become 6.3 when it's released. 6.2 is out, the only branch based on it is RELENG_6_2, and it'll likely only get security fixes.

It's possible the fix is only in -CURRENT, which may make it difficult to back port to RELENG_6, or it's possible it's in RELENG_6 or RELENG_6_2 already.

Can you provide links to the threads you see referencing this so we can see what this fix is and where it's been committed?
« Reply #2 on: May 02, 2007, 21:24:26 »
Hillel *
Posts: 7

Sorry about the terminology mixup.  I don't do any development with FreeBSD.

Here is one reference with FreeBSD 6.1, and a Google Groups search also turns up a discussion on mailing.unix.ipfilter about patching ipfilter in FreeBSD 6.2.

A relevant quote:
|>Is there a patch for the keep state/OOW-issues in version 4.1.13 on
|>FreeBSD6.2 and if so, what are the instructions to apply the patch?
|
|You can just copy /sys/config/ipfilter/netinet/ip_state.c from -current.
|As far as I can determine, the only changes are the OOW fixes.
« Last Edit: May 02, 2007, 21:26:59 by Hillel »
« Reply #3 on: May 03, 2007, 00:45:14 »
cmb *****
Posts: 851

Thanks!  Hopefully Manuel will note this and possibly include it in the next 1.3 release. I think this fixes the issue Paul Taylor was seeing (see m0n0wall-dev post from him), and others are likely seeing as well.
« Reply #4 on: May 04, 2007, 21:10:10 »
Manuel Kasper
Administrator
*****
Posts: 364

Noted - I'll make sure this fix is in the next release (even put it on http://m0n0.ch/wall/todo.php so I don't forget ;). Thanks for digging this up!
« Reply #5 on: August 10, 2007, 22:05:16 »
Hillel *
Posts: 7

I just tested m0n0wall v1.3b3.  Rsh commands are still being stuck after a good connection.  The only change is that if the rsh client keeps trying, it will occasionally get through after a significant delay.  With 1.3b2, the rsh client would never get through for a few minutes after a good connection.  That still makes it impossible for us to really use m0n0wall.
« Reply #6 on: August 16, 2007, 17:56:12 »
Hillel *
Posts: 7

As a workaround, is there a way to specify a firewall rule so that connections to a specific port will not have the "keep state" option?
« Reply #7 on: December 07, 2007, 20:10:32 »
Hillel *
Posts: 7

Just tested the new 1.3b5 release.  It looks like the ipfilter upgrade finally fixed the out-of-window problem on successive remote shell and remote file copy requests.  They all seem to work now.  I noticed some blocked packets in the firewall log during a remote update using the SCO "rdist" utility, but that all seemed to work out and not cause any trouble.

Thanks and great job, Manuel!
---Hillel
« Reply #8 on: June 01, 2008, 21:14:25 »
evilpete *
Posts: 9

I am running 1.3b11 and am still seeing OOW problems (I have tried 1.233 but it did not help).

ssh and http connections work, but SMTP fails every time with OOW.

my network layout is similar to Network Diagram 14.1.1 in
http://doc.m0n0.ch/handbook/examples.html#id11622455

except I have my email/shell system on my internal network and I use the DMZ for WiFi and TiVO

Are there any known workarounds?