Date: Wed, 28 Jul 2004 12:18:36 -0400 (EDT)
From: "Steve Bertrand" <iaccounts@ibctech.ca>
To: dgw@liwest.at
Cc: questions@freebsd.org
Subject: Re: Problems after IP change
Message-ID: <3983.209.167.16.15.1091031516.squirrel@209.167.16.15>
In-Reply-To: <200407281705.42474.dgw@liwest.at>
References: <200407281452.00859.dgw@liwest.at> <200407281637.23563.dgw@liwest.at> <3816.209.167.16.15.1091029989.squirrel@209.167.16.15> <200407281705.42474.dgw@liwest.at>
> On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
>> >> I figured so... what happens if you add 'keep-state' to rules 20000,
>> >> 20002 and 20003?
>> >
>> > Nothing.
>> > BTW, here we have the problem: The initial SYN packet isn't matched by
>> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
>>
>> AFAIK, setup means the SYN bit MUST be set. Try these rules:
>>
>> > add 01900 deny log tcp from any to any in established
>>
>> add 2000 allow log all from any to any in via rl1 keep-state
>> add 2002 allow log all from any to any out via rl0 keep-state
>>
>> > So why is it not matched? If I remove the "setup" keyword to match all
>> > outgoing packets, the SYN/ACK from the server is still denied by rule
>> > 01900.
>>
>> I'll go over the ruleset again here and see if I can find a misplaced
>> 'out' or 'in'.
>
> Now it is getting funny. I played around with the ruleset, adding and
> removing count log rules. Suddenly it worked. I removed all extra count log
> rules, and compared the resulting ruleset file with the backup I made
> before. Nothing changed! Was that a bug?

I'd like to see the difference. Could you post this output? (The contents of
rules.patch.)

# diff orig_rules_file new_rules_file > rules.patch

Steve
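The thread turns on three ipfw keywords: `setup` matches only TCP packets with SYN set and ACK clear, `established` matches any TCP packet with ACK or RST set (which includes the server's SYN/ACK), and `keep-state` creates a dynamic entry that is only consulted at the first `check-state` or `keep-state` rule the packet reaches. If a `deny ... in established` rule sits at 01900 and the first stateful rule is at 11700, the reply SYN/ACK is dropped at 01900 before the dynamic entry is ever looked at. The toy model below, added here as an example rather than anything posted in the thread, walks a three-way handshake through two small rulesets to show that ordering effect. It is not ipfw and models only those keywords; rule numbers, addresses and the placement of `check-state` are assumptions, and whether this matches the original poster's actual ruleset cannot be determined from the thread.

```python
"""Toy model of ipfw rule evaluation for a TCP handshake (constructed example).

Models only: 'setup' (SYN set, ACK clear), 'established' (ACK or RST set),
'keep-state' (creates a dynamic entry on match) and the fact that dynamic
entries are consulted at the first check-state/keep-state rule reached.
Rule numbers, addresses and ports below are assumptions, not real config.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str          # "in" or "out"
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny" ("allow" is a placeholder for check-state)
    direction: Optional[str] = None  # "in", "out" or None for either
    setup: bool = False
    established: bool = False
    keep_state: bool = False
    check_state: bool = False


def flow_key(p: Packet) -> frozenset:
    # Direction-independent endpoint pair, so the reply maps onto the same entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: Set[frozenset] = set()

    def matches(self, rule: Rule, p: Packet) -> bool:
        if rule.direction and rule.direction != p.direction:
            return False
        if rule.setup and not (p.syn and not p.ack):
            return False                       # setup needs SYN without ACK
        if rule.established and not (p.ack or p.rst):
            return False                       # established needs ACK or RST
        return True

    def evaluate(self, p: Packet) -> Tuple[int, str]:
        """Return (rule number, action) of the rule that decided the packet."""
        state_checked = False
        for rule in self.rules:
            if (rule.check_state or rule.keep_state) and not state_checked:
                state_checked = True           # dynamic table consulted once, here
                if flow_key(p) in self.dynamic:
                    return rule.number, "allow"
            if rule.check_state:
                continue                       # check-state has no static match of its own
            if self.matches(rule, p):
                if rule.keep_state and rule.action == "allow":
                    self.dynamic.add(flow_key(p))
                return rule.number, rule.action
        return 65535, "deny"                   # implicit default deny


def handshake() -> List[Packet]:
    client, server = "192.0.2.10", "198.51.100.20"   # documentation addresses (assumed)
    return [
        Packet(client, server, 40000, 80, "out", syn=True),            # SYN
        Packet(server, client, 80, 40000, "in", syn=True, ack=True),   # SYN/ACK
        Packet(client, server, 40000, 80, "out", ack=True),            # ACK
    ]


def run(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Evaluate every handshake packet in order (a real client would stop after a denied SYN/ACK)."""
    fw = Firewall(rules)
    return [fw.evaluate(p) for p in handshake()]


# Ordering as quoted in the thread: deny-established at 01900, first stateful
# rule at 11700. The outgoing SYN is matched by 11700 and tracked, but the
# returning SYN/ACK has ACK set, reaches 01900 first, and is denied.
BROKEN = [
    Rule(1900, "deny", "in", established=True),
    Rule(11700, "allow", "out", setup=True, keep_state=True),
]

# Same rules with a check-state ahead of the deny: the SYN/ACK now hits the
# dynamic entry at 1000 and is allowed, as is the client's final ACK.
FIXED = [
    Rule(1000, "allow", check_state=True),
    Rule(1900, "deny", "in", established=True),
    Rule(11700, "allow", "out", setup=True, keep_state=True),
]

if __name__ == "__main__":
    print("broken:", run(BROKEN))
    print("fixed: ", run(FIXED))
```

The model deliberately leaves out `via` interface matching, `log`, the `tcp`/`all` protocol selector and dynamic-rule timeouts; the point it isolates is that `keep-state` on an outbound rule does nothing for the inbound reply unless the dynamic table is consulted before the rule that would otherwise deny that reply.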