Date: Thu, 25 Oct 2001 19:22:30 -0500
From: Mike Meyer <mwm@mired.org>
To: Rogier Steehouder <r.j.s@gmx.net>
Cc: questions@freebsd.org
Subject: Re: can't get stateful ipfw working...
Message-ID: <15320.44230.677241.804365@guru.mired.org>
In-Reply-To: <4998109@toto.iv>
Rogier Steehouder <r.j.s@gmx.net> types:
> On 22-10-2001 21:43 (-0400), David Hill wrote:

Arrgh. The digester ate David's address. Rogier, if you still have it, could you forward it to him?

> > Hello -
> > Implementing the following ipfw ruleset allows nothing to work.
> > The nat'd machines can't access the gateway, nor the internet
> >
> > What am I doing wrong?
> >
> > $fwcmd add 500 check-state
> > $fwcmd add 510 deny tcp from any to any in established
> > $fwcmd add 520 allow tcp from any to any keep-state setup
>
> I don't know for sure, but maybe the stateful rule includes the setup
> option and refuses anything but setup packets. Try removing that since
> it's quite useless here anyway.

His rules look almost exactly like what the man page suggests for dealing with flood attacks. There are two differences:

1) Rule 510 only denies incoming fake packets. Probably immaterial.

2) Rule 520 uses "keep-state setup" instead of "setup keep-state". Since keep-state takes an optional method, that may be confusing the parser, and hence the rule actually implemented. I'd try swapping that.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
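The three-rule stateful skeleton from the thread, rewritten with the keyword order Mike points at ("setup keep-state", as the ipfw(8) man page phrases it), as an added example that is not part of the original thread. The script is mine: `FWCMD` defaults to `echo ipfw` so the rules are only printed for review (an assumption for this example; set `FWCMD=ipfw` on the gateway to load them), and `rule_order_ok` is a small helper that flags the reversed "keep-state setup" ordering before a rule is loaded.

```sh
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD.
# Dry-run by default: FWCMD="echo ipfw" prints the rules instead of loading
# them (assumption for this example). On the firewall host use FWCMD=ipfw.
FWCMD="${FWCMD:-echo ipfw}"

# Return 0 when a rule body lists "setup" before "keep-state" (the documented
# order), 1 when it carries the two keywords in the reversed order that was
# reported as non-functional in the thread. Rules without both keywords pass.
rule_order_ok() {
    case "$1" in
        *setup*keep-state*) return 0 ;;
        *keep-state*setup*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the ruleset with the rule numbers used in the thread. Each rule body is
# checked with rule_order_ok first so a mis-ordered rule is never loaded.
emit_rules() {
    for rule in \
        "500 check-state" \
        "510 deny tcp from any to any in established" \
        "520 allow tcp from any to any setup keep-state"
    do
        if rule_order_ok "$rule"; then
            $FWCMD add $rule
        else
            echo "refusing to load mis-ordered rule: $rule" >&2
            return 1
        fi
    done
}

emit_rules
```

Rule 500 hands packets that match an existing dynamic entry through, rule 510 drops inbound segments claiming to belong to a connection the firewall never saw the handshake for, and rule 520 creates the dynamic entry on the SYN. Running the script with the default `FWCMD` just prints the three `ipfw add` lines so the ordering can be eyeballed before anything touches the running firewall.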