Date:      Mon, 8 Apr 2002 12:37:48 -0700 (PDT)
From:      Joe Barbish <barbish@a1poweruser.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Message-ID:  <200204081937.g38JbmH21424@freefall.freebsd.org>


>Number:         36895
>Category:       kern
>Synopsis:       natd does not function correctly when ipfw rules use check-state/keep-state
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 08 12:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Joe Barbish
>Release:        4.4 Release
>Organization:
n/a
>Environment:
>Description:
I have an ipfw firewall rule set that exclusively uses the advanced
stateful keep-state option. Rule set functions correctly (i.e., dynamic
rules get built) when I use the nat feature of user ppp.

When I compile the ipdivert option into the kernel, enable the divert
options in rc.conf, and add the divert rule to the ipfw rules, my ipfw
firewall stops working. All the packets get rejected by the default deny
everything rule at the end of the rule set. If I use stateless and simple
stateful rules instead of advanced stateful rules then the divert rule
works ok.

Acts like the divert function packet handoff to natd has a problem when
the new keep-state option is used.     
>How-To-Repeat:
      Build your own keep-state rule set and test.
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:
