Date:      Sun, 7 Jul 2002 17:02:26 -0500
From:      "Richard Seaman, Jr." <dick@seaman.org>
To:        Szilveszter Adam <sziszi@bsd.hu>
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: problems with natd, ipfw
Message-ID:  <20020707170226.Q3283@seaman.org>
In-Reply-To: <20020707164552.P3283@seaman.org>; from dick@seaman.org on Sun, Jul 07, 2002 at 04:45:52PM -0500
References:  <20020707213546.GA743@fonix.adamsfamily.xx> <20020707164552.P3283@seaman.org>

On Sun, Jul 07, 2002 at 04:45:52PM -0500, Richard Seaman, Jr. wrote:
> On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote:
> > Hello everybody,
> > 
> > I upgraded to yesterday's -CURRENT and have made a few observations:
> 
> > 2) and much more alarmingly: Although the new ipfw really seems to
> > process the ruleset faster, some rules appear to do nothing! I
> > have a "default-to-deny" setup, so theoretically this should mean that I
> > should be cut off from the net if the allow rules do not work. And
> > indeed, flushing all rules gives the expected behaviour. But as soon as
> > I load the ruleset file (which is the same as previously and then it
> > worked as expected) the fw becomes wide-open, the only rules that appear
> > to work are the divert for natd, and the allow rules. But the deny rules
> > do nothing, it seems that even the "catch-all" implicit deny rule at the
> > bottom does nothing. Am I going insane, or is this real?
> 
> Don't know.  But, I do know that logging seemed to be messed up.  My old
> ruleset only logged a few rules, and after upgrading I seemed to get a
> log entry for every packet.  It was so overwhelming that I didn't even
> try to analyze it.  Since I needed natd on the machine in question,
> I just reverted all the new ipfw code, and haven't spent much time at it.

I just went back to the old log files, and based on a spot check, the log
files do indeed record as "accepted" packets that should have been
denied by the ruleset (and which are currently denied without logging using
the same ruleset and the "old" ipfw).

-- 
Richard Seaman, Jr.        email:    dick@seaman.org
5182 N. Maple Lane         phone:    262-367-5450
Nashotah WI 53058            fax:    262-367-5852
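The spot check described in the message above, reading the ipfw log for packets recorded as "Accept" that the intended ruleset should have denied, can be automated. The following Python is an added example and is not code from this thread or from FreeBSD; the log lines, the interface name fxp0 and the intended policy (inbound allowed only to TCP 22 and 80, everything else inbound denied) are constructed assumptions, and the line layout follows the ipfw(8) syslog format.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Hypothetical intended policy for the host (an assumption, not from the
# thread): default-to-deny on the outside interface, inbound accepted only
# to SSH and HTTP; outbound traffic is allowed.
EXT_IFACE = "fxp0"
ALLOWED_INBOUND = {("TCP", 22), ("TCP", 80)}

# Shape of an ipfw(8) syslog line produced by a rule carrying the "log" keyword:
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
# The action may carry an argument ("Divert 8668"); ICMP entries have no ports.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Z][a-z]+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


class Entry(NamedTuple):
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; return None for lines that are not ipfw entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Entry(
        int(g["rule"]), g["action"], g["proto"], g["src"],
        int(g["sport"]) if g["sport"] else None, g["dst"],
        int(g["dport"]) if g["dport"] else None, g["dir"], g["iface"],
    )


def should_be_denied(e: Entry) -> bool:
    """Apply the intended policy: inbound on the outside interface is denied
    unless the (protocol, destination port) pair is explicitly allowed."""
    if e.direction != "in" or e.iface != EXT_IFACE:
        return False
    return (e.proto, e.dport) not in ALLOWED_INBOUND


def audit(lines: List[str]) -> Tuple[int, List[Entry]]:
    """Return (number of parsed ipfw entries, entries the firewall accepted
    even though the intended policy says they should have been denied)."""
    parsed = 0
    violations = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        parsed += 1
        if e.action == "Accept" and should_be_denied(e):
            violations.append(e)
    return parsed, violations


# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
Jul  7 16:40:01 gw /kernel: ipfw: 200 Divert 8668 TCP 192.168.1.5:1025 198.51.100.7:80 out via fxp0
Jul  7 16:40:02 gw /kernel: ipfw: 300 Accept TCP 203.0.113.9:4321 198.51.100.2:22 in via fxp0
Jul  7 16:40:03 gw /kernel: ipfw: 300 Accept TCP 203.0.113.9:4322 198.51.100.2:139 in via fxp0
Jul  7 16:40:04 gw /kernel: ipfw: 300 Accept UDP 203.0.113.9:53 198.51.100.2:53 in via fxp0
Jul  7 16:40:05 gw /kernel: ipfw: 65535 Deny ICMP:8.0 203.0.113.9 198.51.100.2 in via fxp0
Jul  7 16:40:06 gw /kernel: ipfw: 300 Accept TCP 192.168.1.5:1026 198.51.100.7:443 out via fxp0
"""

if __name__ == "__main__":
    total, bad = audit(SAMPLE_LOG.splitlines())
    print(f"{total} ipfw entries, {len(bad)} accepted against policy")
    for v in bad:
        print(f"  rule {v.rule}: {v.proto} {v.src} -> {v.dst}:{v.dport} {v.direction} via {v.iface}")
```

Run against a real /var/log/security (or wherever syslog places ipfw output) the script reports each accepted flow the policy did not intend to allow, which turns the "spot check" into a repeatable comparison between the old and new ipfw code on the same ruleset; adjusting ALLOWED_INBOUND and EXT_IFACE is all that is needed to describe a different host's intended policy.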
