Date: Sun, 7 Jul 2002 16:45:52 -0500
From: "Richard Seaman, Jr." <dick@seaman.org>
To: Szilveszter Adam <sziszi@bsd.hu>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: problems with natd, ipfw
Message-ID: <20020707164552.P3283@seaman.org>
In-Reply-To: <20020707213546.GA743@fonix.adamsfamily.xx>; from sziszi@bsd.hu on Sun, Jul 07, 2002 at 11:35:46PM +0200
References: <20020707213546.GA743@fonix.adamsfamily.xx>
On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote:

> Hello everybody,
>
> I upgraded to yesterday's -CURRENT and have made a few observations:
>
> 2) and much more alarmingly: Although the new ipfw really seems to
> process the ruleset faster, some rules appear to do nothing! I
> have a "default-to-deny" setup, so theoretically this should mean that I
> should be cut off from the net if the allow rules do not work. And
> indeed, flushing all rules gives the expected behaviour. But as soon as
> I load the ruleset file (which is the same as previously and then it
> worked as expected) the fw becomes wide-open, the only rules that appear
> to work are the divert for natd, and the allow rules. But the deny rules
> do nothing, it seems that even the "catch-all" implicit deny rule at the
> bottom does nothing. Am I going insane, or is this real?

Don't know. But, I do know that logging seemed to be messed up. My old
ruleset only logged a few rules, and after upgrading I seemed to get a log
entry for every packet. It was so overwhelming that I didn't even try to
analyze it. Since I needed natd on the machine in question, I just reverted
all the new ipfw code, and haven't spent much time at it.

> Also, I have observed that when loading the rules from the ruleset file,
> ipfw prints two lines for each, one with the expected rule number and
> one with all zeros. I don't know if it's significant though.
>
> It is like this:
>
> 00000 deny log ip from any to any
> 03600 deny log ip from any to any

Yes, I saw this. However, 'ipfw l' doesn't include a 00000 rule, and the
rule list appears correct.

--
Richard Seaman, Jr.         email: dick@seaman.org
5182 N. Maple Lane          phone: 262-367-5450
Nashotah WI 53058           fax:   262-367-5852

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
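The thread hinges on two things an administrator would want to confirm after loading a ruleset on an upgraded system: that `ipfw list` shows no stray 00000 rule, and that the catch-all `deny ip from any to any` is still in place with no allow rule sitting behind it. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses a constructed sample of `ipfw list` output (assumed to follow the `NNNNN action rest-of-rule` layout quoted above) and reports those problems, so it can be run against a saved listing rather than against the live firewall.

```python
import re

# Constructed sample of `ipfw list` output (not taken from the thread): a divert
# for natd, a couple of allow rules, a logged catch-all deny, and the implicit
# default rule 65535 that ipfw always prints last.
SAMPLE_LISTING = """\
00100 divert 8668 ip from any to any via fxp0
00200 allow tcp from any to any established
00300 allow udp from any 53 to any
03600 deny log ip from any to any
65535 deny ip from any to any
"""

# One rule per line: five-digit number, action keyword, then the rest of the rule.
RULE_RE = re.compile(r"^(\d{5})\s+(\S+)\s+(.+)$")


def parse_listing(text):
    """Return a list of (number, action, body) tuples from `ipfw list` text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ipfw rule line: %r" % line)
        rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def _strip_log(body):
    """Drop a leading `log` (and optional `logamount N`) so that
    'log ip from any to any' compares equal to 'ip from any to any'."""
    tokens = body.split()
    if tokens and tokens[0] == "log":
        tokens = tokens[1:]
        if len(tokens) >= 2 and tokens[0] == "logamount":
            tokens = tokens[2:]
    return " ".join(tokens)


def check_default_deny(rules):
    """Return a list of problem strings; an empty list means the listing looks
    like a sane default-to-deny ruleset."""
    problems = []

    # A rule numbered 00000 is what the thread reports at load time; it has no
    # business appearing in the live listing.
    for num, action, body in rules:
        if num == 0:
            problems.append("rule numbered 00000 present: %s %s" % (action, body))

    # `ipfw list` prints rules in number order; anything else is suspicious.
    numbers = [r[0] for r in rules]
    if numbers != sorted(numbers):
        problems.append("rules are not in ascending number order")

    # Locate the first catch-all deny. Everything after it is unreachable, so an
    # allow rule placed behind it is a silent configuration mistake.
    catch_all = None
    for idx, (num, action, body) in enumerate(rules):
        if action == "deny" and _strip_log(body) == "ip from any to any":
            catch_all = idx
            break
    if catch_all is None:
        problems.append("no catch-all 'deny ip from any to any' rule found")
    else:
        for num, action, body in rules[catch_all + 1:]:
            if action in ("allow", "accept", "pass", "permit"):
                problems.append("allow rule %05d is shadowed by the catch-all deny" % num)

    return problems


if __name__ == "__main__":
    # Run against the constructed sample; feed it `ipfw list` output to check a real box.
    for msg in check_default_deny(parse_listing(SAMPLE_LISTING)) or ["ruleset OK"]:
        print(msg)
```

Running it on a real listing is a matter of `ipfw list > rules.txt` and pointing `parse_listing` at the file contents; an empty problem list is the expected result for a working default-to-deny setup, and the 00000 check is the quickest way to tell whether the doubled lines seen at load time leaked into the active ruleset.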