This is a discussion on Re: Problem with return-rst and auth within the IPFilter forums, part of the System Security and Security Related category.
> On Thu, Sep 25, 2003 at 11:20:30AM -0400, noam+ipfilter@noam.com wrote:
> > > You can list what rules are in the auth table. If it reports back that
> > > the FR_RETRST flag is set, then it is a kernel problem. If not,
> > > it might be a problem in your auth program.
> >
> > How do I do this? Here is the line from my conf:
> > ipfstat -A
>
> You should do that when the rules are active (i.e. after positive
> authentication). Also try to trigger the rule by sending a packet that
> should result in an RST return, and look if the hitcount of the rule
> in ipfstat -A goes up.

I'm not sure what I'm looking for... I'm getting:

```
# ipfstat -A
ioctl(SIOCGETFF): Invalid argument
Authorisation hits: 120 misses 622 nospace 0 added 120 sendfail 0 sendok 0 queok 120 quefail 0 expire 0
```

The hitcount increases in all cases:

- FR_PASS
- FR_BLOCK | FR_RETICMP
- FR_BLOCK | FR_RETRST

Here is my test code. It alternates between FR_RETICMP and FR_RETRST:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
/* IPFilter headers (installed as netinet/ip_*.h on the BSDs) */
#include <netinet/ip_compat.h>
#include <netinet/ip_fil.h>
#include <netinet/ip_auth.h>

int main(void)
{
    struct frauth fra;
    struct frauth *frap = &fra;   /* IPFilter ioctls take a pointer to the pointer */
    int fd;
    int i = 0;

    fd = open(IPL_AUTH, O_RDWR);
    if (fd < 0) {
        perror("open IPL_AUTH");
        return 1;
    }

    /* Block until the kernel hands us a packet that is waiting for authorisation */
    while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
        if (fra.fra_info.fin_out)
            fra.fra_pass = FR_OUTQUE;
        else
            fra.fra_pass = FR_INQUE;
        fra.fra_pass |= FR_BLOCK;

        /* Alternate the reject method on every packet: ICMP unreachable, then TCP RST */
        if (i == 0) {
            fra.fra_pass |= FR_RETICMP;
            i++;
        } else {
            fra.fra_pass |= FR_RETRST;
            i = 0;
        }

        /* Hand the verdict back to the kernel */
        if (ioctl(fd, SIOCAUTHR, &frap) != 0)
            perror("SIOCAUTHR");
    }
    fprintf(stderr, "errno=%d\n", errno);
    perror("frauth-SIOCAUTHW");
    return 1;
}
```

When it is set to FR_RETICMP, I get:

```
testgrp@64.215.164.78:~$ telnet HOST 22
Trying IP...
telnet: Unable to connect to remote host: No route to host
```

When it is set to FR_RETRST, it hangs on "Trying IP...".

- Noam