From: Szilveszter Adam <sziszi@bsd.hu>
To: freebsd-current@freebsd.org
Subject: problems with natd, ipfw
Date: Sun, 7 Jul 2002 23:35:46 +0200
Message-ID: <20020707213546.GA743@fonix.adamsfamily.xx>

Hello everybody,

I upgraded to yesterday's -CURRENT and have made a few observations:

1) The natd does not work. This is known, but I have tracked it to its
interaction with libalias, which means that any program that uses libalias
functions is also affected (and indeed, ppp(8)'s -nat option does not work
either). If I downgrade the file src/sys/netinet/ip_fw.h to the version from
June 27, and recompile libalias and natd, things will work.

2) And much more alarmingly: although the new ipfw really seems to process
the ruleset faster, some rules appear to do nothing! I have a
"default-to-deny" setup, so theoretically this should mean that I should be
cut off from the net if the allow rules do not work. And indeed, flushing
all rules gives the expected behaviour. But as soon as I load the ruleset
file (which is the same as previously, and then it worked as expected) the
fw becomes wide open; the only rules that appear to work are the divert for
natd and the allow rules. But the deny rules do nothing; it seems that even
the "catch-all" implicit deny rule at the bottom does nothing. Am I going
insane, or is this real?

Also, I have observed that when loading the rules from the ruleset file,
ipfw prints two lines for each, one with the expected rule number and one
with all zeros. I don't know if it's significant though. It is like this:

    00000 deny log ip from any to any
    03600 deny log ip from any to any

This did not happen previously...

--
Regards:

Szilveszter ADAM
Szombathely Hungary
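A sanity check for the symptom described in this mail, added here as an example (it is not part of the original post or of FreeBSD): it reads `ipfw list` output and flags rules printed with number 00000, the same rule body listed under two different numbers, and a ruleset whose last rule is not a deny. The sample listings are constructed; the divert and allow rules in them are placeholders, not the poster's actual ruleset.

```shell
# check_ipfw_rules: read `ipfw list` output on stdin, print one line per
# finding, and exit with the number of findings (0 = nothing suspicious).
check_ipfw_rules() {
    awk '
    NF == 0 { next }                        # skip blank lines
    {
        body = $0
        sub(/^[0-9]+ +/, "", body)          # rule text without its number
        if ($1 + 0 == 0) {
            print "rule printed with number 00000: " $0
            bad++
        }
        if (body in seen) {
            print "same rule listed twice (" seen[body] " and " $1 "): " body
            bad++
        } else {
            seen[body] = $1
        }
        last_action = $2
    }
    END {
        if (last_action != "deny") {
            print "ruleset does not end in a deny rule (last: " last_action ")"
            bad++
        }
        exit bad + 0
    }'
}

# Constructed listing reproducing the doubled output quoted in the mail; the
# divert and allow rules are invented placeholders, not the poster's ruleset.
BROKEN_LISTING='00000 deny log ip from any to any
03600 deny log ip from any to any
00100 divert 8668 ip from any to any via tun0
00200 allow tcp from any to any established
65535 deny ip from any to any'

# The same rules as they should list: one number per rule, deny at the bottom.
CLEAN_LISTING='00100 divert 8668 ip from any to any via tun0
00200 allow tcp from any to any established
03600 deny log ip from any to any
65535 deny ip from any to any'

# count_findings LISTING: number of findings for a listing passed as a string.
count_findings() {
    printf '%s\n' "$1" | check_ipfw_rules | wc -l | tr -d ' '
}

# On a live box: ipfw list | check_ipfw_rules || echo "ruleset looks suspicious"
count_findings "$BROKEN_LISTING"   # prints 2
```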