Problems after IP change

Daniela dgw at liwest.at
Wed Jul 28 09:21:29 PDT 2004


On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
> > On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
> >> >> I figured so...what happens if you add 'keep-state' to rules 20000,
> >> >> 20002 and 20003?
> >> >
> >> > Nothing.
> >> > BTW, here we have the problem: The initial SYN packet isn't matched by
> >> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
> >>
> >> AFAIK, setup means the SYN bit MUST be set. Try these rules:
> >> > add 01900 deny log tcp from any to any in established
> >>
> >> add 2000 allow log all from any to any in via rl1 keep-state
> >> add 2002 allow log all from any to any out via rl0 keep-state
> >>
> >> > So why is it not matched? If I remove the "setup" keyword to match all
> >> > outgoing packets, the SYN/ACK from the server is still denied by rule 01900.
> >>
> >> I'll go over the ruleset again here and see if I can find a misplaced
> >> 'out' or 'in'.
> >
> > Now it is getting funny. I played around with the ruleset, adding and
> > removing count log rules. Suddenly it worked. I removed all extra count
> > log rules, and compared the resulting ruleset file with the backup I made
> > before. Nothing changed! Was that a bug?
>
> I'd like to see the difference. Could you post this output? (The contents
> of rules.patch).
>
> # diff orig_rules_file new_rules_file > rules.patch

Nothing! That produces an empty file.
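The stateful ordering the thread is circling around (a check-state rule placed ahead of the "deny established" rule, with the outbound "setup keep-state" rule creating the dynamic entry the SYN/ACK reply then matches), as an added example that is not part of this message or the poster's ruleset. Interface names rl0 (outside) and rl1 (inside) follow the thread; the rule numbers and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: a minimal stateful ipfw ruleset in the file syntax that
# `ipfw /path/to/file` accepts. Rule numbers are assumed, not the poster's.
ipfw_rules() {
    cat <<'EOF'
# 1. Match packets that belong to a connection with a dynamic state entry.
#    This must come BEFORE any rule that denies "established" traffic.
add 01000 check-state
# 2. Outbound connection attempts: "setup" matches SYN-only packets, and
#    keep-state creates the dynamic entry the server's SYN/ACK will hit at
#    rule 01000 instead of falling through to the deny at 01900.
add 01100 allow tcp from any to any out via rl0 setup keep-state
# 3. Inbound segments with ACK/RST set and no matching state are strays.
add 01900 deny log tcp from any to any in via rl0 established
# 4. Inbound SYNs that reach this point are unsolicited.
add 02000 deny log tcp from any to any in via rl0 setup
add 65000 deny log ip from any to any
EOF
}

# Ordering check: check-state must precede the deny-established rule, or
# replies to locally initiated connections are logged and dropped.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    ipfw_rules | grep -E '^add' | awk '
        /check-state/ { cs = NR }
        /established/ { est = NR }
        END { exit !(cs && est && cs < est) }'
}

# Load the ruleset into a running kernel (needs root and ipfw(8)).
load_rules() {
    f=$(mktemp) || return 1
    ipfw_rules > "$f"
    ipfw -q flush && ipfw -q "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run `check_order` against any edited copy of the ruleset before loading it; it is the ordering, not the wording of a single rule, that decides whether the SYN/ACK is accepted.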
