Problems after IP change

Steve Bertrand iaccounts at ibctech.ca
Wed Jul 28 09:26:52 PDT 2004


> On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
>> > On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
>> >> >> I figured so...what happens if you add 'keep-state' to rules 20000,
>> >> >> 20002 and 20003?
>> >> >
>> >> > Nothing.
>> >> > BTW, here we have the problem: The initial SYN packet isn't matched by
>> >> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
>> >>
>> >> AFAIK, setup means the SYN bit MUST be set. Try these rules:
>> >> > add 01900 deny log tcp from any to any in established
>> >>
>> >> add 2000 allow log all from any to any in via rl1 keep-state
>> >> add 2002 allow log all from any to any out via rl0 keep-state
>> >>
>> >> > So why is it not matched? If I remove the "setup" keyword to match all
>> >> > outgoing packets, the SYN/ACK from the server is still denied by rule 01900.
>> >>
>> >> I'll go over the ruleset again here and see if I can find a misplaced
>> >> 'out' or 'in'.
>> >
>> > Now it is getting funny. I played around with the ruleset, adding and
>> > removing count log rules. Suddenly it worked. I removed all extra count log
>> > rules, and compared the resulting ruleset file with the backup I made before.
>> > Nothing changed! Was that a bug?
>>
>> I'd like to see the difference. Could you post this output? (The contents
>> of rules.patch).
>>
>> # diff orig_rules_file new_rules_file > rules.patch
>
> Nothing! That produces an empty file.

Well, at least it's working. I have no idea what the problem could have been.

:o)

Steve
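As an added illustration, not part of this thread, here is a small Python model of how ipfw consults its dynamic rule table, showing why a "deny ... in established" rule such as 01900 can drop the server's SYN/ACK even though a later "setup keep-state" rule allowed the outgoing SYN: per ipfw(8), the dynamic table is only checked at the first check-state or keep-state rule encountered, so a deny placed earlier wins. The addresses, ports and the check-state rule number 1800 are constructed assumptions, not values from the thread.

```python
# Constructed model of ipfw evaluation: only enough of its semantics
# (in/out, setup, established, keep-state, check-state) to show the
# ordering problem. This is not ipfw itself.

def _match(rule, pkt):
    """Return True if a static rule's body matches the packet."""
    if rule.get("dir") and rule["dir"] != pkt["dir"]:
        return False
    # setup: SYN set, ACK clear.  established: ACK or RST set.
    if rule.get("setup") and not (pkt["syn"] and not pkt["ack"]):
        return False
    if rule.get("established") and not (pkt["ack"] or pkt["rst"]):
        return False
    return True

def _flow(pkt):
    """Flow key shared by both directions of one TCP connection."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def evaluate(rules, pkt, dyn):
    """Return (action, rule_number).  `dyn` maps flow -> creating rule number.
    The dynamic table is consulted at the first check-state OR keep-state
    rule reached, never before (ipfw(8) semantics)."""
    for num, rule in sorted(rules.items()):
        if rule.get("check_state") or rule.get("keep_state"):
            if _flow(pkt) in dyn:
                creator = dyn[_flow(pkt)]
                return rules[creator]["action"], creator
            if rule.get("check_state"):
                continue  # check-state has no body of its own
        if not _match(rule, pkt):
            continue
        if rule.get("keep_state"):
            dyn[_flow(pkt)] = num  # install dynamic rule for this flow
        return rule["action"], num
    return "deny", 65535  # implicit default rule

def run_handshake(rules):
    """Outgoing SYN followed by the inbound SYN/ACK; return both verdicts."""
    dyn = {}
    syn = dict(dir="out", src="10.0.0.2", sport=4000, dst="198.51.100.1",
               dport=80, syn=True, ack=False, rst=False)
    synack = dict(dir="in", src="198.51.100.1", sport=80, dst="10.0.0.2",
                  dport=4000, syn=True, ack=True, rst=False)
    return evaluate(rules, syn, dyn), evaluate(rules, synack, dyn)

# As in the thread: deny established inbound at 1900, setup keep-state at
# 11700, and nothing consults the dynamic table before 1900.
BROKEN = {1900: dict(action="deny", dir="in", established=True),
          11700: dict(action="allow", dir="out", setup=True, keep_state=True)}
# Assumed fix: a check-state ahead of 1900 so the returning SYN/ACK hits
# the dynamic rule that 11700 created.
FIXED = {1800: dict(check_state=True), **BROKEN}
```

Running `run_handshake(BROKEN)` shows the SYN allowed by 11700 but the SYN/ACK denied by 1900; with `FIXED` both packets are allowed by the dynamic rule from 11700.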
