From owner-freebsd-questions@FreeBSD.ORG Wed Jul 28 16:21:28 2004
From: Daniela
To: "Steve Bertrand"
cc: questions@freebsd.org
Date: Wed, 28 Jul 2004 17:13:27 +0000
Subject: Re: Problems after IP change
Message-Id: <200407281713.27154.dgw@liwest.at>
In-Reply-To: <3983.209.167.16.15.1091031516.squirrel@209.167.16.15>
References: <200407281452.00859.dgw@liwest.at> <200407281705.42474.dgw@liwest.at> <3983.209.167.16.15.1091031516.squirrel@209.167.16.15>
Reply-To: dgw@liwest.at
User-Agent: KMail/1.5.3
List-Id: User questions

On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
> > On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
> >> >> I figured so...what happens if you add 'keep-state' to rules 20000, 20002
> >> >> and 20003?
> >> >
> >> > Nothing.
> >> > BTW, here we have the problem: The initial SYN packet isn't matched by
> >> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
> >>
> >> AFAIK, setup means the SYN bit MUST be set. Try these rules:
> >> > add 01900 deny log tcp from any to any in established
> >>
> >> add 2000 allow log all from any to any in via rl1 keep-state
> >> add 2002 allow log all from any to any out via rl0 keep-state
> >>
> >> > So why is it not matched? If I remove the "setup" keyword to match all
> >> > outgoing packets, the SYN/ACK from the server is still denied by rule 01900.
> >>
> >> I'll go over the ruleset again here and see if I can find a misplaced
> >> 'out' or 'in'.
> >
> > Now it is getting funny. I played around with the ruleset, adding and
> > removing count log rules. Suddenly it worked. I removed all extra count log
> > rules, and compared the resulting ruleset file with the backup I made before.
> > Nothing changed! Was that a bug?
>
> I'd like to see the difference. Could you post this output? (The contents
> of rules.patch).
>
> # diff orig_rules_file new_rules_file > rules.patch

Nothing! That produces an empty file.