Date: Tue, 9 Apr 2002 00:00:05 -0700 (PDT)
From: "Crist J. Clark" <cjc@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Message-ID: <200204090700.g39705l05540@freefall.freebsd.org>
The following reply was made to PR kern/36895; it has been noted by GNATS.
From: "Crist J. Clark" <cjc@FreeBSD.org>
To: Joe Barbish <barbish@a1poweruser.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Date: Mon, 8 Apr 2002 23:59:16 -0700
On Mon, Apr 08, 2002 at 12:37:48PM -0700, Joe Barbish wrote:
[snip]
> I have an ipfw firewall rule set that exclusively uses the advanced
> stateful keep-state option. Rule set functions correctly (i.e.: dynamic
> rules get built) when I use the nat feature of user ppp.
>
> When I compile the ipdivert option
> into the kernel, enable the divert options in rc.conf, and add the
> divert rule to the ipfw rules, my ipfw firewall stops working. All the
> packets get rejected by the default deny everything rule at the end of
> the rule set. If I use stateless and simple stateful rules instead of
> advanced stateful rules then the divert rule works ok.
>
> Acts like the divert function packet handoff to natd has a problem when
> the new keep-state option is used.
> >How-To-Repeat:
> Build your own keep-state rule set and test.
They work fine for me. Your ruleset, rc.conf(5), ifconfig(8), and
'grep -i ipfw /var/run/dmesg.boot' please?
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
