Date: Fri, 30 Jul 2004 13:09:49 -0700
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Daniela <dgw@liwest.at>
Cc: questions@freebsd.org
Subject: Re: Problems after IP change
Message-ID: <20040730200949.GA31983@alzatex.com>
In-Reply-To: <200407281548.17563.dgw@liwest.at>
References: <200407281452.00859.dgw@liwest.at> <200407281537.57983.dgw@liwest.at> <3589.209.167.16.15.1091026142.squirrel@209.167.16.15> <200407281548.17563.dgw@liwest.at>
On Wed, Jul 28, 2004 at 03:48:17PM +0000, Daniela wrote:
> On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
> > >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
> > >> file.
> > >
> > > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
> > > natd_interface="rl0"
> > > natd_enable="YES"
> > >
> > > But I didn't change anything here, and it always worked.
> >
> > Indeed, I did mean rc.conf...sorry ;o)
> >
> > Now would be a good time to post your fw ruleset.
>
> add 00300 divert 8668 ip from any to any
> add 01300 unreach port tcp from any to any 6699
> add 01400 allow log all from any to any via lo0
> add 01600 check-state
>
> add 01700 allow log logamount 1000 tcp from any to me 22 in setup keep-state
> add 01701 allow log logamount 1000 tcp from me 22 to any out

I believe this is matching all your outgoing ssh connections, but not
keeping state, so the outgoing SYN packets get accepted, but the incoming
SYN/ACK packets get rejected when they hit rule 1900 below.

> add 01702 allow log logamount 1000 tcp from any to me 21 in setup keep-state
> add 01703 allow log logamount 1000 tcp from me 21 to any out

Same with ftp. Were those the only protocols that didn't work, or did
nothing work?

>
> add 01900 deny log tcp from any to any in established
>
> add 11700 allow tcp from any to any out setup keep-state
> add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
> add 11702 allow udp from any to 212.33.32.160 53
> add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
> add 11704 allow udp from any to 212.33.55.5 53
> add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0
>
> add 11801 allow icmp from any to any icmptypes 3
> add 11802 allow icmp from any to any icmptypes 4
> add 11803 allow icmp from any to any icmptypes 8 out
> add 11804 allow icmp from any to any icmptypes 0 in
> add 11805 allow icmp from any to any icmptypes 9 out
> add 11806 allow log icmp from any to any icmptypes 11 in
> add 11807 allow log icmp from any to any icmptypes 11 out
>
> add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
> add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
> add 11902 allow all from me to 224.0.0.2/24 out via rl0
> add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
> add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
> add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
> add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
> add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
> add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
> add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
> add 11910 allow ip from any to 224.0.0.9/24 in via rl0
>
>
> add 20000 allow all from 10.0.0.0/24 to any in recv rl1
> add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
> add 20002 count log all from 10.0.0.0/24 to any
> add 20003 count log all from any to 10.0.0.0/24
>
>
> add 65534 deny log ip from any to any
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
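The failure mode Loren describes above, an outbound allow rule without keep-state followed by a blanket "deny tcp from any to any in established", is easiest to see by stepping two packets through ipfw's first-match evaluation. The following is an added example written for this page; it is not ipfw source and not code posted by anyone in the thread. It models only the pieces the diagnosis relies on (first-match ordering, the setup and established flag tests, and the dynamic table written by keep-state and read by check-state) on a reduced four-rule set rather than Daniela's full ruleset, and the addresses, ports and rule numbers are constructed for the demonstration. Real ipfw also has natd divert re-injection, dynamic rule lifetimes and many more match options, none of which are modelled here.

```python
"""Model of ipfw(8) first-match evaluation with check-state / keep-state.

Added example for this thread, not ipfw source and not code from the thread.
Addresses, ports and rule numbers are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ME = "192.0.2.10"          # constructed address of the firewall host ("me")
PEER = "203.0.113.5"       # constructed remote SSH server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str         # "in" or "out"
    flags: str = ""        # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny" or "check-state"
    proto: str = "ip"      # "ip" matches any protocol
    src: str = "any"       # "any", "me" or a literal address
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False            # ipfw 'setup': SYN set, ACK clear
    established: bool = False      # ipfw 'established': ACK or RST set
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or addr == (ME if spec == "me" else spec)
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.setup and not ("S" in p.flags and "A" not in p.flags):
            return False
        if self.established and not ("A" in p.flags or "R" in p.flags):
            return False
        return True


StateKey = Tuple[str, str, int, str, int]
State = Dict[StateKey, int]        # 5-tuple -> rule number that created it


def state_key(p: Packet) -> StateKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def evaluate(rules: List[Rule], state: State, p: Packet) -> Tuple[str, int]:
    """First-match evaluation; returns (action, rule number).

    A check-state rule, and any keep-state rule, consults the dynamic table
    first; a hit allows the packet on behalf of the rule that created the
    entry.  A keep-state rule that matches statically installs entries for
    both directions of the flow so the reply is accepted by check-state.
    """
    for r in rules:
        if r.action == "check-state" or r.keep_state:
            if state_key(p) in state:
                return "allow", state[state_key(p)]
            if r.action == "check-state":
                continue
        if r.matches(p):
            if r.keep_state:
                state[state_key(p)] = r.number
                state[(p.proto, p.dst, p.dport, p.src, p.sport)] = r.number
            return r.action, r.number
    return "deny", 65535           # ipfw's implicit default rule


def ruleset(stateful_outbound: bool) -> List[Rule]:
    """Reduced ruleset: an outbound allow for SSH clients, with or without
    keep-state, followed by 'deny tcp from any to any in established'."""
    return [
        Rule(100, "check-state"),
        Rule(200, "allow", "tcp", src="me", dport=22, direction="out",
             setup=True, keep_state=stateful_outbound),
        Rule(300, "deny", "tcp", direction="in", established=True),
        Rule(65534, "deny"),
    ]


def trace_ssh_handshake(stateful_outbound: bool) -> List[Tuple[str, int]]:
    """Run an outbound SYN and the returning SYN/ACK through the ruleset."""
    rules, state = ruleset(stateful_outbound), {}
    syn = Packet("tcp", ME, 51234, PEER, 22, "out", "S")
    synack = Packet("tcp", PEER, 22, ME, 51234, "in", "SA")
    return [evaluate(rules, state, syn), evaluate(rules, state, synack)]


if __name__ == "__main__":
    for stateful in (False, True):
        print("keep-state" if stateful else "no keep-state",
              trace_ssh_handshake(stateful))
```

Without keep-state the SYN leaves via rule 200, but the SYN/ACK never matches rule 200 (wrong direction), carries ACK and so is eaten by the "in established" deny at 300. With keep-state on rule 200, the SYN installs a dynamic entry for both directions and the SYN/ACK is accepted at the check-state rule, credited to rule 200. Whether a given ruleset actually takes the first path depends on which static rule the outbound SYN hits, so the check when debugging a real box is `ipfw -d show` (dynamic rules listed after the static ones) immediately after attempting the connection.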