From: "Steve Bertrand" <steve@ibctech.ca>
To: dgw@liwest.at
cc: questions@freebsd.org
Date: Wed, 28 Jul 2004 12:27:00 -0400 (EDT)
Subject: Re: Problems after IP change
Message-ID: <4095.209.167.16.15.1091032020.squirrel@209.167.16.15>
In-Reply-To: <200407281713.27154.dgw@liwest.at>

> On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
>> > On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
>> >> >> I figured so...what happens if you add 'keep-state' to rules 20000,
>> >> >> 20002 and 20003?
>> >> >
>> >> > Nothing.
>> >> > BTW, here we have the problem: The initial SYN packet isn't matched by
>> >> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
>> >>
>> >> AFAIK, setup means the SYN bit MUST be set. Try these rules:
>> >>
>> >> > add 01900 deny log tcp from any to any in established
>> >>
>> >> add 2000 allow log all from any to any in via rl1 keep-state
>> >> add 2002 allow log all from any to any out via rl0 keep-state
>> >>
>> >> > So why is it not matched? If I remove the "setup" keyword to match all
>> >> > outgoing packets, the SYN/ACK from the server is still denied by rule 01900.
>> >>
>> >> I'll go over the ruleset again here and see if I can find a misplaced
>> >> 'out' or 'in'.
>> >
>> > Now it is getting funny. I played around with the ruleset, adding and
>> > removing count log rules. Suddenly it worked. I removed all extra count log
>> > rules, and compared the resulting ruleset file with the backup I made before.
>> > Nothing changed! Was that a bug?
>>
>> I'd like to see the difference. Could you post this output? (The contents
>> of rules.patch).
>>
>> # diff orig_rules_file new_rules_file > rules.patch
>
> Nothing! That produces an empty file.

Well, at least it's working. I have no idea what the problem could have been. :o)

Steve
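As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of the ipfw matching semantics the discussion turns on: 'setup' matches SYN with ACK clear, 'established' matches ACK or RST, 'keep-state' creates a dynamic rule on match, and the dynamic ruleset is consulted at 'check-state' or, failing that, at the first 'keep-state' rule. The model ignores interfaces, ports and protocols (an assumption, to keep it short) and runs a constructed TCP handshake through rules in the thread's order, with and without a check-state ahead of the 'deny ... in established' rule.

```python
from collections import namedtuple
# Packet: direction is "in" or "out"; the flags model the TCP SYN/ACK/RST bits.
Pkt = namedtuple("Pkt", "src dst direction syn ack rst", defaults=(False, False, False))
# Rule: action is "allow", "deny" or "check-state"; direction None matches both.
# setup/established/keep_state model the ipfw options of the same names.
Rule = namedtuple("Rule", "num action direction setup established keep_state",
                  defaults=(None, False, False, False))

def static_match(r, p):
    """Match the packet against the rule's static body (direction and TCP flag options)."""
    if r.direction and r.direction != p.direction:
        return False
    if r.setup and not (p.syn and not p.ack):        # ipfw 'setup': SYN set, ACK clear
        return False
    if r.established and not (p.ack or p.rst):       # ipfw 'established': ACK or RST set
        return False
    return True

def run(rules, pkts):
    """Return one (rule_number, verdict) per packet; a dynamic hit reports its creating rule."""
    state, verdicts = {}, []
    for p in pkts:
        flow, checked = frozenset((p.src, p.dst)), False
        verdict = (65535, "deny")   # ipfw's implicit default rule
        for r in rules:
            # the dynamic ruleset is consulted at check-state or, failing that,
            # at the first keep-state rule; no rule before that point sees it
            if not checked and (r.action == "check-state" or r.keep_state):
                checked = True
                if flow in state:
                    verdict = state[flow]
                    break
            if r.action != "check-state" and static_match(r, p):
                if r.keep_state:
                    state[flow] = (r.num, r.action)  # create the dynamic rule
                verdict = (r.num, r.action)
                break
        verdicts.append(verdict)
    return verdicts

CLIENT, SERVER = "10.0.0.2", "198.51.100.7"                   # constructed addresses
HANDSHAKE = [Pkt(CLIENT, SERVER, "out", syn=True),           # client SYN
             Pkt(SERVER, CLIENT, "in", syn=True, ack=True),  # server SYN/ACK
             Pkt(CLIENT, SERVER, "out", ack=True)]           # client ACK
# the thread's shape: 'deny ... in established' ahead of the 'setup keep-state' rule
THREAD_ORDER = [Rule(1900, "deny", "in", established=True),
                Rule(11700, "allow", "out", setup=True, keep_state=True)]
# the same two rules with an explicit check-state placed before the deny
WITH_CHECK_STATE = [Rule(1000, "check-state")] + THREAD_ORDER
```

With the thread's ordering the outbound SYN creates state, yet the returning SYN/ACK is still denied by rule 1900 because no rule before it consults the dynamic ruleset; with the check-state first, all three packets are allowed by the dynamic rule.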