This is a discussion on Re: ipfilter v4.1.8 && UDP (OpenVPN) within the IPFilter forums, part of the System Security and Security Related category.
Matthias Apitz wrote:
> Hi,
>
> With one of our firewall systems (FreeBSD with IPF) I have the
> problem that the OpenVPN tunnel is coming up but is not usable
> for heavy traffic (i.e. ping is fine and telnet as well through
> the tunnel, but fetching a page with a browser does not work);
>
> in /var/log/messages I see lines like this:
>
> Mar 2 15:09:21 firewall ipmon[167]: 15:09:21.028708 xl1 @0:37 p xxx.xxx.xxx.xxx,4675 -> 10.0.1.202,nnnn PR udp len 20 105 K-S IN
> Mar 2 15:09:21 firewall ipmon[167]: 15:09:21.451231 xl1 @0:93 b 10.0.1.202 -> xxx.xxx.xxx.xxx PR udp len 20 (41) (frag 65054:21@1432) OUT
>
> Mar 2 15:09:44 firewall ipmon[167]: 15:09:44.399168 xl1 @0:37 p xxx.xxx.xxx.xxx,4675 -> 10.0.1.202,nnnn PR udp len 20 129 K-S IN
> Mar 2 15:10:10 firewall ipmon[167]: 15:10:09.236539 xl1 @0:93 b 10.0.1.202 -> xxx.xxx.xxx.xxx PR udp len 20 (41) (frag 950:21@1432) OUT
>
> i.e. NAT passes the UDP to the OpenVPN-server at 10.0.1.202,nnnn,
> but later traffic from 10.0.1.202 is blocked by the default
> blocking rule (93); what does this 'frag 65054:21@1432' mean?

Try adding 'keep frag' after the 'keep state' in your rules.

Darren
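The pattern in the quoted log (a packet passed with `K-S` by rule 37, then a fragment of the reply between the same two hosts blocked by the catch-all rule 93) is exactly what a state table without fragment tracking looks like in ipmon output. The script below is an added example, not code from the thread or from the IPFilter project: it parses ipmon lines and reports blocked fragments whose host pair already had a state-keeping pass, so an administrator can confirm the symptom before and after adding 'keep frag'. The sample log is constructed from the lines in the post with the masked peer address and port replaced by placeholders (192.0.2.10, port 1194) plus one unrelated blocked packet (203.0.113.9); the `(frag id:length@offset)` reading of the fragment field is an assumption about ipmon's format.

```python
"""Flag ipmon lines where a fragment is blocked although an earlier packet
between the same hosts was passed with 'keep state'. Added example; it is
not part of the original forum thread."""
import re

# Constructed sample log, modelled on the lines quoted in the post. The
# masked peer (xxx.xxx.xxx.xxx, port nnnn) is replaced by placeholder values;
# the last line is an unrelated block added to show a non-finding.
SAMPLE_LOG = """\
Mar  2 15:09:21 firewall ipmon[167]: 15:09:21.028708 xl1 @0:37 p 192.0.2.10,4675 -> 10.0.1.202,1194 PR udp len 20 105 K-S IN
Mar  2 15:09:21 firewall ipmon[167]: 15:09:21.451231 xl1 @0:93 b 10.0.1.202 -> 192.0.2.10 PR udp len 20 (41) (frag 65054:21@1432) OUT
Mar  2 15:09:44 firewall ipmon[167]: 15:09:44.399168 xl1 @0:37 p 192.0.2.10,4675 -> 10.0.1.202,1194 PR udp len 20 129 K-S IN
Mar  2 15:10:10 firewall ipmon[167]: 15:10:09.236539 xl1 @0:93 b 10.0.1.202 -> 192.0.2.10 PR udp len 20 (41) (frag 950:21@1432) OUT
Mar  2 15:10:12 firewall ipmon[167]: 15:10:12.000001 xl1 @0:93 b 203.0.113.9,53 -> 10.0.1.202,33000 PR udp len 20 76 IN
"""

# Core ipmon fields: time, interface, @group:rule, action, src -> dst, PR proto,
# len <hdrlen> <pktlen> (the packet length is parenthesised for fragments),
# optional flags such as K-S and (frag ...), then the direction.
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbnsl]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \(?(?P<plen>\d+)\)?(?P<rest>.*?) ?(?P<dir>IN|OUT)$"
)
# Assumption: ipmon's fragment note is (frag id:length@offset), with a
# trailing '+' when more fragments follow.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


def _split_host(field):
    """'10.0.1.202,1194' -> ('10.0.1.202', 1194); a bare host gets port None."""
    host, _, port = field.partition(",")
    return host, (int(port) if port.isdigit() else (port or None))


def parse_ipmon(line):
    """Parse one ipmon line into a dict; return None for non-ipmon lines."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = _split_host(rec["src"])
    rec["dst"], rec["dport"] = _split_host(rec["dst"])
    rec["keep_state"] = "K-S" in rec["rest"]   # rule carried 'keep state'
    f = FRAG_RE.search(rec["rest"])
    rec["frag"] = None if f is None else {
        "id": int(f["id"]), "len": int(f["len"]),
        "off": int(f["off"]), "more": f["more"] == "+",
    }
    return rec


def find_orphaned_fragments(log_text):
    """Return blocked fragments whose host pair already had a state-keeping
    pass: the signature of 'keep state' without 'keep frag'."""
    passed = {}      # (proto, {hostA, hostB}) -> rule that created the state
    findings = []
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec is None:
            continue
        key = (rec["proto"], frozenset((rec["src"], rec["dst"])))
        if rec["action"] == "p" and rec["keep_state"]:
            passed[key] = rec["rule"]
        elif rec["action"] == "b" and rec["frag"] and key in passed:
            findings.append({
                "time": rec["time"], "block_rule": rec["rule"],
                "state_rule": passed[key], "src": rec["src"], "dst": rec["dst"],
                "frag_id": rec["frag"]["id"], "offset": rec["frag"]["off"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_orphaned_fragments(SAMPLE_LOG):
        print(f"{hit['time']} rule {hit['block_rule']} dropped fragment id "
              f"{hit['frag_id']} @{hit['offset']} of {hit['src']}->{hit['dst']}; "
              f"state was created by rule {hit['state_rule']}")
```

Run it against the real file with `find_orphaned_fragments(open('/var/log/messages').read())`; an empty result after the rule change is the quick check that the fragments are now being matched to their state entry rather than falling through to the default block.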