From: Angelin Lalev <lalev@sv-bg.com>
Date: Mon, 04 Apr 2005 15:27:10 +0000
To: Erik Nørgaard
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter problems
Message-ID: <42515CCE.1070505@sv-bg.com>
References: <424E8FE9.1090904@sv-bg.com> <424F1029.6080600@locolomo.org>
In-Reply-To: <424F1029.6080600@locolomo.org>

Thank you very much!
> Well, the short answer is: there is no keep state in the line
>
>   pass in quick on rl0 all
>
> the dns reply you get back times out because your default rule is
> block and there is nowhere in the "in" rules for rl1 that allows the
> reply back.

This makes sense... And I have probably made a huge mistake. I thought that these rules are applied two times: once when the packet is about to enter the "routing logic" and once when the packet exits the machine (like ipfw). If that were the case, the rule

  pass out quick on rl1 all keep state

would do...

> Some recommendations:
>
> 1) I have a bit of difficulty understanding your network setup - why do
> you have two private networks on your external interface? Maybe sketch
> it in a diagram.

rl0 is connected to an internet cafe with some game servers. It has only one IP address, 192.168.0.0/24. rl1 is connected via ethernet to a wireless bridge. The management address of the wireless bridge (provider's property) is 10.1.6.1. I added the alias address 10.1.6.2/24 to rl1, so I can ping it to test connectivity. Recently we have connected some outer clients to the same ethernet network on which the wireless bridge is. They have addresses 192.168.5.0/24 and have our FreeBSD machine as their gateway. They use the squid server on the machine (like the machines on rl0 do) and need access to some game servers.
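The missing keep state that Erik points out, written out as a minimal ipfilter ruleset with the weak form beside the corrected one. This is an added example, not the ruleset from either message in the thread: the interface names and networks (rl0, rl1, 192.168.0.0/24, 192.168.5.0/24, 10.1.6.1) are the ones described above, while the default block rules, the logging and the exact rule order are assumptions.

```ipf
# Added example, not the poster's ruleset. Interfaces and networks as
# described in the thread; default policy and logging are assumed.
#   rl0 = internal (internet cafe, 192.168.0.0/24)
#   rl1 = external (wireless bridge at 10.1.6.1, outer clients 192.168.5.0/24)

# --- Before: the shape of the ruleset the thread describes ---------------
# Default policy: block everything and log it, so a dropped reply is visible
# in ipmon output instead of showing up only as a client-side timeout.
block in log all
block out log all

# Cafe traffic is admitted on rl0 with NO state entry, and state is only
# created when the forwarded packet leaves on rl1.
pass in quick on rl0 all
pass out quick on rl1 all keep state
# A reply is admitted either by an explicit rule or by a state entry made by
# the rule that matched the first packet. No entry covers the rl0 side and no
# rule admits the reply there, so it falls through to the default block and
# the DNS lookup times out, as Erik describes.

# --- After: keep state on the rule that first sees the connection --------
block in log all
block out log all

# Cafe LAN: the state entry is created when the first packet enters on rl0,
# so the reply is passed back by the state table without an extra rule.
# Matching the LAN prefix instead of "all" keeps stray sources out.
pass in quick on rl0 from 192.168.0.0/24 to any keep state
pass out quick on rl1 all keep state

# Outer clients behind the wireless bridge use this box as their gateway and
# as their squid proxy: same pattern, limited to their own network.
pass in quick on rl1 from 192.168.5.0/24 to any keep state

# Connectivity pings from this host to the bridge's management address.
pass out quick on rl1 proto icmp from any to 10.1.6.1 keep state
```

After editing the rules file, reloading with `ipf -Fa -f /etc/ipf.rules` flushes the old set and loads the new one; `ipfstat -hio` shows per-rule hit counts, and `ipmon` shows which of the logged block rules caught a packet, which is the quickest way to confirm that a timeout is really a missing state entry rather than a routing problem.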