Date: Wed, 1 Dec 1999 16:33:39 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: gnb@itga.com.au (Gregory Bond)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and ip aliases not working?
Message-ID: <199912020033.QAA45418@bubba.whistle.com>
In-Reply-To: <199912012244.JAA01083@lightning.itga.com.au> from Gregory Bond at "Dec 2, 1999 09:44:55 am"

Gregory Bond writes:
> 15800 0 0 allow tcp from any to 203.53.40.210 via fxp0 setup
> 15900 0 0 allow tcp from 203.53.40.210 to any via fxp0 setup
>
> 29000 2 80 deny log tcp from any to any setup
>
> As you can see, this works for the 192.83 address, but does not work for the
> 203.53 address, and I get kernel messages like:
>
> Dec 2 09:16:06 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
> Dec 2 09:16:11 ns /kernel: ipfw: 29000 Deny TCP 192.160.13.9:4251 202.53.40.210:25 in via fxp0
>
> But AFAICT this error message exactly matches rule 15800!

What's happening is that you're receiving non-zero offset fragments
of TCP packets, in which case rule 15800 does not apply because of
the 'setup' keyword. So they don't match until rule 29000.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message