Message-ID: <3882608D.E77903EE@origen.com>
Date: Sun, 16 Jan 2000 18:21:33 -0600
From: Richard Martin
To: freebsd-ipfw@FreeBSD.ORG
Subject: loss of setup option in ipfw

I am setting up a new server with ipfw packet filtering and I have a couple of questions about some quirks.

First, I cannot now use the 'setup' option for TCP packets. Whether the line is in the script or entered at the command line, if it has 'setup' in the option position, the rule fails. I have added a few ports since I first set up the firewall - Tripwire, LSOF, a few others - and somewhere along the way, something seems to have affected ipfw, because it was working OK before. Now when the script runs, even at reboot, the firewall lines with 'setup' at the end fail. A TCP rule with setup entered at the command line fails, but removing 'setup' allows it to be added to the chain.

************

Second, I have noticed that reply packets coming out of our LAN (like ftp data) behind the firewall are addressed back to the internal LAN IPs. This is odd: other NAT/masquerading systems I have used have the replies come back to the external IP and a table is kept for replies to route the packets back to the right address. Do I have something misconfigured, or is this just the way NATD works in F'BSD?

Thanks

--
Richard Martin          dmartin@origen.com
OriGen Biomedical       Tel: +1 512 474 7278
2525 Hartford Rd.       Fax: +1 512 708 8522
Austin, TX 78703        http://www.formed.net