Date:      Wed, 28 Jul 2004 11:23:20 -0400 (EDT)
From:      "Steve Bertrand" <iaccounts@ibctech.ca>
To:        dgw@liwest.at
Cc:        questions@freebsd.org
Subject:   Re: Problems after IP change
Message-ID:  <3652.209.167.16.15.1091028200.squirrel@209.167.16.15>
In-Reply-To: <200407281611.09200.dgw@liwest.at>
References:  <200407281452.00859.dgw@liwest.at>    <200407281548.17563.dgw@liwest.at>    <3600.209.167.16.15.1091027170.squirrel@209.167.16.15>    <200407281611.09200.dgw@liwest.at>

> On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
>> > On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
>> >> >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
>> >> >> file.
>> >> >
>> >> > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
>> >> > natd_interface="rl0"
>> >> > natd_enable="YES"
>> >> >
>> >> > But I didn't change anything here, and it always worked.
>> >>
>> >> Indeed, I did mean rc.conf...sorry ;o)
>> >>
>> >> Now would be a good time to post your fw ruleset.
>> >
>> > add 00300 divert 8668 ip from any to any
>> > add 01300 unreach port tcp from any to any 6699
>> > add 01400 allow log all from any to any via lo0
>> > add 01600 check-state
>> Well, I would hate to do this, but for testing purposes, add a rule (very
>> briefly)...
>> > add 00300 divert 8668 ip from any to any
>> > add 01300 unreach port tcp from any to any 6699
>> > add 01400 allow log all from any to any via lo0
>> add 1500 allow log logamount 1000 all from any to any
>> and check to see if things are working. Your security log file may
>> indicate where traffic is going whether it is or not.
>
> Yes, it works, but of course I can't leave this rule in all the time.
> The SYN/ACK packet that comes back from the remote server is denied by
> rule 01900. But it should be allowed by the check-state rule.
>
>> Also, I know you haven't changed anything, but what does the output
>> from this command state?:
>> # sysctl net.inet.ip.forwarding
>
> It is set to 1. I changed this a long time ago.

I figured so...what happens if you add 'keep-state' to rules 20000, 20002
and 20003?

Steve
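The diagnosis in this thread, modelled in a few lines of Python: with no keep-state on the outbound allow rule, nothing creates a dynamic rule, so check-state has nothing to match and the returning SYN/ACK falls through to the inbound deny; adding keep-state makes check-state accept it. This is an added illustration, not ipfw itself and not a ruleset from the original message; rules 01900 and 20000 are stand-ins for the poster's unposted rules, the addresses and ports are constructed, and the natd divert rule is left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" or "in" relative to the firewall host

@dataclass
class Rule:
    num: int
    action: str             # "allow", "deny" or "check-state"
    direction: str = "any"  # "in", "out" or "any"
    keep_state: bool = False

@dataclass
class Ipfw:
    rules: list
    state: set = field(default_factory=set)   # dynamic rules created by keep-state

    @staticmethod
    def flow_key(p):
        # A dynamic rule matches both directions of the flow, so normalise the endpoints.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        for r in self.rules:
            if r.action == "check-state":
                if self.flow_key(p) in self.state:
                    return ("allow", r.num)   # matched an existing dynamic rule
                continue                      # no state: keep walking the ruleset
            if r.direction not in ("any", p.direction):
                continue
            if r.action == "allow" and r.keep_state:
                self.state.add(self.flow_key(p))  # keep-state: remember this flow
            return (r.action, r.num)
        return ("deny", 65535)                    # implicit default deny

def ruleset(keep_state):
    return [
        Rule(1600, "check-state"),
        Rule(1900, "deny", "in"),                 # stand-in for the poster's rule 01900
        Rule(20000, "allow", "out", keep_state),  # outbound allow, with/without keep-state
    ]

def simulate(keep_state):
    # Constructed flow: outbound SYN to a web server, then the server's SYN/ACK.
    fw = Ipfw(ruleset(keep_state))
    syn = Pkt("192.0.2.10", 40000, "203.0.113.5", 80, "out")
    syn_ack = Pkt("203.0.113.5", 80, "192.0.2.10", 40000, "in")
    return fw.process(syn), fw.process(syn_ack)
```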
