Date: Thu, 22 Mar 2001 19:06:09 +0100
From: "Andre Goeree" <abgoeree@uwnet.nl>
To: Antony T Curtis <antony@abacus.co.uk>
Cc: stable@freebsd.org
Subject: Re: ipfw stateful filtering
Message-ID: <20010322190609.A21540@mandark.attica.home>
In-Reply-To: <3ABA1E3C.B3010B12@abacus.co.uk>; from antony@abacus.co.uk on Thu, Mar 22, 2001 at 03:46:04PM +0000
References: <20010322164215.A20386@mandark.attica.home> <3ABA1E3C.B3010B12@abacus.co.uk>

On Thu, Mar 22, 2001 at 03:46:04PM +0000, Antony T Curtis wrote:
> Andre Goeree wrote:
> >
> > Hello,
> >
> > I'm experimenting a little with stateful filtering.
> > Somehow it doesn't work like I expect; output of "ipfw show":
> >
> > 00100 0 0 check-state
> > 00200 2874 690508 allow ip from any to any via lo0
> > [snip address checking rules]
> > 02100 0 0 deny tcp from any to any via tun* established
> > 02200 890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> > [snip local network rules]
> > ## Dynamic rules:
> > 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
> >
> > It appears that the check-state rule never matches..
> > Am I overlooking something?
>
> Do you have a divert somewhere in-between to natd? I think you'd need a
> check-state after that.

No, basically I followed the examples of the ipfw man page.
I don't use any natd or divert rules.

--Andre.