Date:      Thu, 14 Feb 2002 12:43:44 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: Bug in stateful code?
Message-ID:  <3C6C2180.3020704@tenebras.com>
References:  <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>

Luigi Rizzo wrote:
> the reply was that keep-state and natd are very hard to use
> together, and besides it is rather useless because natd is stateful
> by itself.
natd is stateful, but provides no protection for inbound IP traffic
that is destined for the filtering host itself.

The ruleset *is* particularly useful, since the host in question is
both a router for nat'd hosts and a DNS and mail server.  I'd like
to preserve stateful filtering rules for packets that originate at
and are destined for the host itself.

> ..., i do not feel like spending
> an hour or two trying to infer what is on your [some static rules],
> and i'll happily leave you the job to explain where the bug (which
> means reconstruct the flow of packets in and out of the ipfw and
> show which one is dealt in the wrong way).
I'd be happy to share the static rules -- and AFAIK I did give a hint
as to what the problem is.  What kind of evidence do you want, in
particular?

I have a tcpdump that shows the packet exchange, shows SYN from each
host, and demonstrates that the dynamic rule is in the wrong state,
using the wrong timer.  This could easily have something to do with
the interaction of ipfw and natd, but I'm just reporting the observable
phenomena.
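The message reports a dynamic rule "in the wrong state, using the wrong timer". As an added illustration that is not part of this thread, the Python below is a simplified model of how an ipfw keep-state entry for a TCP flow should move between its syn, ack, fin and rst states, and which lifetime each state gets, as it sees the packets of a handshake. It is run over constructed tcpdump-style lines; the lifetimes are assumed to be the FreeBSD net.inet.ip.fw.dyn_*_lifetime sysctl defaults, and the transition rules are a simplification of ipfw's real logic, not its code. Walking a real capture through a model like this is one way to show at which packet the state diverges from what the ruleset expects.

```python
import re

# Assumed defaults (seconds) of FreeBSD's net.inet.ip.fw.dyn_*_lifetime
# sysctls; they are not values taken from the message.
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}

# Constructed tcpdump-style lines: a NAT'd client opening SMTP to the
# filtering host itself, completing the handshake, then sending FIN.
TCPDUMP = """\
12:00:00.000000 10.0.0.2.40000 > 192.0.2.1.25: S 1:1(0) win 65535
12:00:00.000100 192.0.2.1.25 > 10.0.0.2.40000: S 2:2(0) ack 2 win 65535
12:00:00.000200 10.0.0.2.40000 > 192.0.2.1.25: . ack 3 win 65535
12:00:05.000000 10.0.0.2.40000 > 192.0.2.1.25: F 1:1(0) ack 3 win 65535
"""

# timestamp, source, ">", destination, flags token ("S", ".", "F", "R", ...)
LINE = re.compile(r"^\S+ (\S+) > (\S+): (\S+)")


def flow_key(src, dst):
    """Direction-independent key so both sides hit the same entry."""
    return tuple(sorted((src, dst)))


class DynRule:
    """Simplified model of one ipfw keep-state entry for a TCP flow."""

    def __init__(self):
        self.syn_seen, self.ack_seen = set(), set()
        self.state, self.lifetime = "syn", LIFETIME["syn"]

    def update(self, src, flags, acked):
        if "R" in flags:
            self.state = "rst"
        elif "F" in flags:
            self.state = "fin"
        else:
            if "S" in flags:
                self.syn_seen.add(src)
            if acked:
                self.ack_seen.add(src)
            # Only once both ends have sent a SYN and both have acknowledged
            # does the entry count as established and get the long timer.
            if len(self.syn_seen) == 2 and len(self.ack_seen) == 2:
                self.state = "ack"
        self.lifetime = LIFETIME[self.state]


def track(dump):
    """Return (source, state, lifetime) after each packet in the capture."""
    rules, trace = {}, []
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        rule = rules.setdefault(flow_key(src, dst), DynRule())
        rule.update(src, flags, " ack " in line)
        trace.append((src, rule.state, rule.lifetime))
    return trace
```

A real capture that shows the entry still on the 20-second syn timer after the third packet, or dropping to the fin/rst timer while data is still flowing, is the kind of divergence the model makes visible.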
