From owner-freebsd-current Sun Jul 7 14:46:28 2002
Date: Sun, 7 Jul 2002 16:45:52 -0500
From: "Richard Seaman, Jr."
To: Szilveszter Adam
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: problems with natd, ipfw
Message-ID: <20020707164552.P3283@seaman.org>
In-Reply-To: <20020707213546.GA743@fonix.adamsfamily.xx>

On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote:
> Hello everybody,
>
> I upgraded to yesterday's -CURRENT and have made a few observations:
>
> 2) and much more alarmingly: Although the new ipfw really seems to
> process the ruleset faster, some rules appear to do nothing! I
> have a "default-to-deny" setup, so theoretically this should mean that I
> should be cut off from the net if the allow rules do not work. And
> indeed, flushing all rules gives the expected behaviour. But as soon as
> I load the ruleset file (which is the same as previously and then it
> worked as expected) the fw becomes wide-open, the only rules that appear
> to work are the divert for natd, and the allow rules. But the deny rules
> do nothing, it seems that even the "catch-all" implicit deny rule at the
> bottom does nothing. Am I going insane, or is this real?

Don't know. But, I do know that logging seemed to be messed up. My old
ruleset only logged a few rules, and after upgrading I seemed to get a
log entry for every packet. It was so overwhelming that I didn't even
try to analyze it. Since I needed natd on the machine in question, I
just reverted all the new ipfw code, and haven't spent much time at it.

> Also, I have observed that when loading the rules from the ruleset file,
> ipfw prints two lines for each, one with the expected rule number and
> one with all zeros. I don't know if it's significant though.
>
> It is like this:
>
> 00000 deny log ip from any to any
> 03600 deny log ip from any to any

Yes, I saw this. However, 'ipfw l' doesn't include a 00000 rule, and
the rule list appears correct.

--
Richard Seaman, Jr.     email: dick@seaman.org
5182 N. Maple Lane      phone: 262-367-5450
Nashotah WI 53058       fax:   262-367-5852
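A quick audit of an `ipfw list` listing for the two symptoms discussed in this thread (a rule printed as 00000, and a default-to-deny ruleset whose explicit catch-all deny is missing), added here as an example that is not part of the original messages; the sample listing, its rule numbers and the natd divert port 8668 are constructed for the example.

```shell
# Audit the text printed by `ipfw list` for the symptoms reported in the
# thread: a rule numbered 00000, rule numbers that do not increase, and a
# ruleset with no explicit catch-all deny ahead of the implicit rule 65535.
# Argument: file holding the listing (stdin if omitted). Returns 0 when the
# listing passes every check, 1 otherwise.
audit_ipfw_listing() {
    listing=$(cat "${1:--}")
    rc=0

    # ipfw reserves number 0, and `ipfw list` prints rules in ascending
    # order, so a 00000 line or a non-increasing number means a rule did not
    # land in the slot the ruleset file named.
    if ! printf '%s\n' "$listing" | awk '
        BEGIN { prev = 0; bad = 0 }
        /^[0-9]/ {
            n = $1 + 0
            if (n == 0) { print "FAIL: rule numbered 00000 present"; bad = 1 }
            else if (n <= prev) { print "FAIL: rule " $1 " does not follow " prev; bad = 1 }
            prev = n
        }
        END { exit bad }'; then
        rc=1
    fi

    # A default-to-deny policy should end with its own deny-all rule rather
    # than rely on the implicit rule 65535, so take the last rule numbered
    # below 65535 and require it to be a deny of "ip from any to any".
    last=$(printf '%s\n' "$listing" | awk '/^[0-9]/ && $1 + 0 < 65535 { l = $0 } END { print l }')
    case "$last" in
        *" deny "*"ip from any to any") ;;
        *) echo "FAIL: last explicit rule is not a deny-all: ${last:-<none>}"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample listing (rule numbers and the natd divert port 8668
# are assumptions made for this example), followed by the audit run over it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any via lo0
03600 deny log ip from any to any
65535 deny ip from any to any
EOF
audit_ipfw_listing "$sample" && echo "listing passes all checks"
rm -f "$sample"
```

Run it against `ipfw list` output saved to a file after loading a ruleset; a listing that passes the audit still only proves the rules were installed where expected, not that the kernel enforces them.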