Date:      Wed, 28 Jul 2004 17:05:42 +0000
From:      Daniela <dgw@liwest.at>
To:        "Steve Bertrand" <iaccounts@ibctech.ca>
Cc:        questions@freebsd.org
Subject:   Re: Problems after IP change
Message-ID:  <200407281705.42474.dgw@liwest.at>
In-Reply-To: <3816.209.167.16.15.1091029989.squirrel@209.167.16.15>
References:  <200407281452.00859.dgw@liwest.at> <200407281637.23563.dgw@liwest.at> <3816.209.167.16.15.1091029989.squirrel@209.167.16.15>

On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
> >> I figured so...what happens if you add 'keep-state' to rules 20000,
> >> 20002
> >> and 20003?
> >
> > Nothing.
> > BTW, here we have the problem: The initial SYN packet isn't matched by
> > rule
> > 11700 (setup keep-state). Setup means the SYN flag is set, right?
>
> AFAIK, setup means the SYN bit MUST be set. Try these rules:
> > add 01900 deny log tcp from any to any in established
>
> add 2000 allow log all from any to any in via rl1 keep-state
> add 2002 allow log all from any to any out via rl0 keep-state
>
> > So why
> > is
> > it not matched? If I remove the "setup" keyword to match all outgoing
> > packets, the SYN/ACK from the server is still denied by rule 01900.
>
> I'll go over the ruleset again here and see if I can find a misplaced
> 'out' or 'in'.

Now it is getting funny. I played around with the ruleset, adding and removing 
count log rules. Suddenly it worked. I removed all extra count log rules, and 
compared the resulting ruleset file with the backup I made before. Nothing 
changed! Was that a bug?
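As an added illustration, not part of the thread, here is a toy Python model of how ipfw evaluates `setup`, `established`, `keep-state` and `check-state`, using rule numbers 01900 and 11700 from the messages above. The addresses, and the assumption that the thread's ruleset had no check-state ahead of rule 01900, are constructed for the example; it shows that the server's SYN/ACK (which carries ACK and so matches `established`) is denied by 01900 unless a stateful check is consulted before that rule.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str; dst: str; sport: int; dport: int
    syn: bool; ack: bool
    direction: str                 # "in" or "out"

@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny" or "check-state"
    direction: Optional[str] = None
    flags: Optional[str] = None    # "setup" or "established"
    keep_state: bool = False

def flag_match(r: Rule, p: Pkt) -> bool:
    if r.flags == "setup":         # SYN set and ACK clear
        return p.syn and not p.ack
    if r.flags == "established":   # ACK (or RST) set; only ACK is modelled
        return p.ack
    return True

def flow_key(p: Pkt) -> frozenset:
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def evaluate(rules, p: Pkt, state: dict) -> tuple:
    # Returns (action, rule number) of the first rule matching p.
    key = flow_key(p)
    for r in rules:
        # check-state, and every keep-state rule, consults the dynamic table first
        if (r.action == "check-state" or r.keep_state) and key in state:
            return ("allow", state[key])
        if r.action == "check-state" or (r.direction and r.direction != p.direction):
            continue
        if not flag_match(r, p):
            continue
        if r.keep_state:
            state[key] = r.num      # dynamic entry carries the parent rule number
        return (r.action, r.num)
    return ("deny", 65535)          # implicit default rule

def handshake(rules) -> list:
    # Client SYN going out, then the server's SYN/ACK coming back in (constructed).
    state = {}
    syn = Pkt("10.0.0.2", "198.51.100.1", 40000, 80, True, False, "out")
    synack = Pkt("198.51.100.1", "10.0.0.2", 80, 40000, True, True, "in")
    return [evaluate(rules, syn, state), evaluate(rules, synack, state)]

# Assumed ordering from the thread: the deny sits before any stateful check.
DENY_FIRST = [Rule(1900, "deny", "in", "established"),
              Rule(11700, "allow", "out", "setup", keep_state=True)]
# Same rules with a check-state ahead of the deny: the SYN/ACK hits the dynamic entry.
CHECK_FIRST = [Rule(1000, "check-state")] + DENY_FIRST
```

`handshake(DENY_FIRST)` returns `[("allow", 11700), ("deny", 1900)]`, while `handshake(CHECK_FIRST)` returns `[("allow", 11700), ("allow", 11700)]`.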



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200407281705.42474.dgw>