Date: Thu, 3 Apr 2008 16:39:54 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: questions@freebsd.org
Subject: Re: packet filter does not keep state
Message-ID: <alpine.LSU.1.00.0804031632020.13782@shannon.math.ku.dk>
In-Reply-To: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
References: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
I have investigated further: The state table adds this entry:

    all tcp 192.168.0.254:80 <- 172.17.1.254:50186       CLOSED:SYN_SENT

which I suppose reflects the fact that the packet is blocked - I don't know how to capture the state table after the packet is passed on the way in, but before it is blocked on the way out.

Regarding the bad header, it is interesting that the header is fine on the way in! I had "scrub in all" which I changed to "scrub all", but no difference.

Have I found a bug? I'm running FreeBSD 7.0-STABLE #0: Fri Feb 29 19:44:34 CET 2008 - custom kernel.

As for NAT, there should be no problem, NAT is not applied since I am connecting between directly connected local networks. I have no problem accessing the Internet where NAT is applied btw (packets are passed by different rules on the way in, and NAT is applied after the out-rules above anyway). Anyway, FYI: This is my NAT rule:

    nat on $srv_if from $wlan_net to !<local_net> -> $srv_if

Regarding the "quick" Vinicius: There is no point in removing that rule: First, as you see, the pass in rules also have "quick" and take effect before, as the log shows. On the out rules: Since I have keep state in the "in" rule, a state should be created by the in rule and it should not be filtered by any out rules. Yet this does not happen. As I mention in the OP I can add a rule for out, but this is not how it's supposed to work.

Thanks, Erik
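As an added example (not from Erik's message or anyone else in the thread), a small Python parser for `pfctl -ss` lines like the state entry quoted above, which flags TCP states that were created by a SYN but never saw a SYN/ACK, the symptom of a reply being dropped on the way out. The sample lines other than the first are constructed, and the column layout (for `<-` the left endpoint is the responder, with the state pair printed in the same order as the endpoints) is assumed from pfctl's output format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `pfctl -ss` output. Line 1 is the entry quoted in the mail;
# the others are made up to show an established state and an outbound half-open one.
SAMPLE_STATES = """\
all tcp 192.168.0.254:80 <- 172.17.1.254:50186       CLOSED:SYN_SENT
all tcp 172.17.1.254:50187 -> 192.168.0.254:22       ESTABLISHED:ESTABLISHED
all udp 192.168.0.254:53 <- 172.17.1.254:41020       MULTIPLE:SINGLE
all tcp 10.0.0.9:40001 -> 203.0.113.5:443       SYN_SENT:CLOSED
"""

# Assumed layout: <if> <proto> <addr>[:port] [(nat)] -> or <- <addr>[:port] [(nat)] <st>:<st>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<dir>->|<-)\s+(?P<right>\S+)(?:\s+\([^)]*\))?\s+(?P<state>\S+)\s*$"
)

@dataclass
class PfState:
    ifname: str
    proto: str
    initiator: str        # host that sent the first packet of the flow
    responder: str
    initiator_state: str  # TCP state pf tracks for the initiator side
    responder_state: str

def parse_states(text: str) -> List[PfState]:
    """Parse pfctl -ss lines. For '->' the left endpoint is the initiator,
    for '<-' it is the responder; the state pair follows the same order."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        lstate, _, rstate = m["state"].partition(":")
        if m["dir"] == "->":
            states.append(PfState(m["ifname"], m["proto"], m["left"], m["right"], lstate, rstate))
        else:
            states.append(PfState(m["ifname"], m["proto"], m["right"], m["left"], rstate, lstate))
    return states

def half_open(states: List[PfState]) -> List[PfState]:
    """TCP states where a SYN created the entry but no SYN/ACK ever matched it,
    which is what a reply dropped by an out rule looks like in the state table."""
    return [s for s in states if s.proto == "tcp"
            and s.initiator_state == "SYN_SENT" and s.responder_state == "CLOSED"]
```

Feeding it live output (`pfctl -ss | python3 -c ...`) and looking for half-open entries that persist beyond a normal handshake timeout separates "state was never created" from "state exists but the reply never reached it".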