Date:      Thu, 22 Mar 2001 15:46:04 +0000
From:      Antony T Curtis <antony@abacus.co.uk>
To:        abgoeree@uwnet.nl
Cc:        stable@FreeBSD.ORG
Subject:   Re: ipfw stateful filtering
Message-ID:  <3ABA1E3C.B3010B12@abacus.co.uk>
References:  <20010322164215.A20386@mandark.attica.home>

Andre Goeree wrote:
> 
> Hello,
> 
> I'm experimenting a little with stateful filtering.
> Somehow it doesn't work like I expect; output of "ipfw show":
> 
> 00100    0      0 check-state
> 00200 2874 690508 allow ip from any to any via lo0
> [snip address checking rules]
> 02100    0      0 deny tcp from any to any via tun* established
> 02200  890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> [snip local network rules]
> ## Dynamic rules:
> 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
> 
> It appears that the check-state rule never matches.
> Am I overlooking something?

Do you have a divert somewhere in-between to natd? I think you'd need a
check-state after that.


> --Andre.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

-- 
ANTONY T CURTIS                     Tel: +44 (1635) 36222
Abacus Polar Holdings Ltd           Fax: +44 (1635) 38670
> BOO!  We changed Coke again!  BLEAH!  BLEAH!
