Problems after IP change

Steve Bertrand iaccounts at ibctech.ca
Wed Jul 28 08:53:01 PDT 2004


> On Wednesday 28 July 2004 15:23, Steve Bertrand wrote:
>> > Yes, it works, but of course I can't leave this rule in all the time.
>> > The SYN/ACK packet that comes back from the remote server is denied by
>> > rule 01900. But it should be allowed by the check-state rule.
>> >
>> >> Also, I know you haven't changed anything, but what does the output
>> >> from this command state?:
>> >> # sysctl net.inet.ip.forwarding
>> >
>> > It is set to 1. I changed this a long time ago.
>>
>> I figured so...what happens if you add 'keep-state' to rules 20000,
>> 20002 and 20003?
>
> Nothing.
> BTW, here we have the problem: The initial SYN packet isn't matched by
> rule 11700 (setup keep-state). Setup means the SYN flag is set, right?

AFAIK, setup means the SYN bit MUST be set. Try these rules:

> add 01900 deny log tcp from any to any in established
add 2000 allow log all from any to any in via rl1 keep-state
add 2002 allow log all from any to any out via rl0 keep-state

> So why is it not matched? If I remove the "setup" keyword to match all
> outgoing packets, the SYN/ACK from the server is still denied by rule 01900.

I'll go over the ruleset again here and see if I can find a misplaced
'out' or 'in'.

Steve
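The mechanism the thread is circling, as an added illustration that is not from the original mail or from FreeBSD's ipfw source: a small Python model of how `setup` (SYN set, ACK clear), `established` (ACK or RST set), `keep-state` and `check-state` interact on a TCP handshake. The rule numbers 01900 and 11700 are taken from the thread; the position of the `check-state` rule, the stateless catch-all rule 20000 and a swapped `in`/`out` on the setup rule are assumptions used to reproduce the reported symptom (the SYN/ACK denied by 01900) and to show what changes once the initial SYN actually creates a dynamic rule.

```python
"""Toy model of ipfw stateful matching: setup / established / keep-state / check-state.

Constructed example, not FreeBSD's ipfw code. Only the options discussed in the
thread are modelled. Rule numbers 01900 and 11700 are from the thread; the
'in'/'out' mix-up on rule 11700 is an assumed cause (the kind of misplaced
direction keyword the reply says it will look for), not a fact from the page.
"""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {SYN, ACK, RST}


@dataclass
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    direction: str = ""         # "" matches both directions
    setup: bool = False         # SYN set and ACK clear: first packet of a handshake only
    established: bool = False   # ACK or RST set: everything after the first SYN
    keep_state: bool = False    # create a dynamic rule for the flow on match
    check_state: bool = False   # consult the dynamic table, match nothing statically


def flow_key(p: Packet):
    """Direction-independent key so one dynamic entry covers both directions."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def static_match(rule: Rule, p: Packet) -> bool:
    if rule.direction and rule.direction != p.direction:
        return False
    if rule.setup and not (SYN in p.flags and ACK not in p.flags):
        return False
    if rule.established and not (ACK in p.flags or RST in p.flags):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}   # flow_key -> the rule that created the dynamic entry

    def process(self, p: Packet):
        """Return (rule number, action) of the rule that decided the packet."""
        for rule in self.rules:
            # check-state (and, implicitly, any keep-state rule) looks up the
            # dynamic table first; a hit applies the creating rule's action.
            if rule.check_state or rule.keep_state:
                hit = self.dynamic.get(flow_key(p))
                if hit:
                    return hit.number, hit.action
            if rule.check_state:
                continue
            if static_match(rule, p):
                if rule.keep_state:
                    self.dynamic[flow_key(p)] = rule
                return rule.number, rule.action
        return 65535, "deny"   # default deny


def ruleset(setup_direction: str) -> Firewall:
    """Assumed layout of the poster's rules; setup_direction is the 'in'/'out' keyword on 11700."""
    return Firewall([
        Rule(1000, "allow", check_state=True),
        Rule(1900, "deny", direction="in", established=True),
        Rule(11700, "allow", direction=setup_direction, setup=True, keep_state=True),
        Rule(20000, "allow", direction="out"),   # stateless catch-all for outgoing traffic
    ])


def handshake(fw: Firewall):
    """Client SYN out, server SYN/ACK in; constructed addresses, not captured traffic."""
    client, server = ("192.0.2.10", 34567), ("198.51.100.7", 80)
    syn = Packet("out", *client, *server, frozenset({SYN}))
    synack = Packet("in", *server, *client, frozenset({SYN, ACK}))
    return fw.process(syn), fw.process(synack)


if __name__ == "__main__":
    print("setup rule says 'in' :", handshake(ruleset("in")))    # SYN slips past to 20000, SYN/ACK denied by 1900
    print("setup rule says 'out':", handshake(ruleset("out")))   # SYN creates state, SYN/ACK allowed via check-state
```

With the direction keyword wrong, the SYN never touches rule 11700, no dynamic rule exists, and the returning SYN/ACK (ACK set, so `established`) is the first thing rule 01900 sees. With the keyword right, the same SYN/ACK is accepted at the `check-state` rule before 01900 is ever reached. The model also shows why dropping `setup` alone cannot help: `setup` is only what selects the SYN, the real question is whether that SYN reaches a `keep-state` rule at all.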

More information about the freebsd-questions mailing list