Date: Mon, 8 Apr 2002 12:37:48 -0700 (PDT)
From: Joe Barbish <barbish@a1poweruser.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Message-ID: <200204081937.g38JbmH21424@freefall.freebsd.org>

>Number: 36895
>Category: kern
>Synopsis: natd does not function correctly when ipfw rules use check-state/keep-state
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 08 12:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Joe Barbish
>Release: 4.4 Release
>Organization: n/a
>Environment:
>Description:
I have an ipfw firewall rule set that exclusively uses the advanced stateful keep-state option. Rule set functions correctly (i.e., dynamic rules get built) when I use the nat feature of user ppp. When I compile the ipdivert option into the kernel, enable the divert options in rc.conf, and add the divert rule to the ipfw rules, my ipfw firewall stops working. All the packets get rejected by the default deny everything rule at the end of the rule set. If I use stateless and simple stateful rules instead of advanced stateful rules then the divert rule works ok. Acts like the divert function packet handoff to natd has a problem when the new keep-state option is used.
>How-To-Repeat:
Build your own keep-state rule set and test.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: