From owner-freebsd-current Sun Jul 7 15:02:46 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71BA537B400 for ; Sun, 7 Jul 2002 15:02:43 -0700 (PDT)
Received: from ns0.seaman.net (ns0.seaman.net [168.215.64.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78E6443E31 for ; Sun, 7 Jul 2002 15:02:42 -0700 (PDT) (envelope-from dick@seaman.org)
Received: from tbird.internal.seaman.net (tbird [192.168.10.12]) by ns0.seaman.net (8.12.5/8.12.5) with ESMTP id g67M2QcK037697; Sun, 7 Jul 2002 17:02:26 -0500 (CDT) (envelope-from dick@seaman.org)
Received: (from dick@localhost) by tbird.internal.seaman.net (8.11.6/8.11.6) id g67M2QM22508; Sun, 7 Jul 2002 17:02:26 -0500
Date: Sun, 7 Jul 2002 17:02:26 -0500
From: "Richard Seaman, Jr."
To: Szilveszter Adam
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: problems with natd, ipfw
Message-ID: <20020707170226.Q3283@seaman.org>
Mail-Followup-To: "Richard Seaman, Jr." , Szilveszter Adam , freebsd-current@FreeBSD.ORG
References: <20020707213546.GA743@fonix.adamsfamily.xx> <20020707164552.P3283@seaman.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020707164552.P3283@seaman.org>; from dick@seaman.org on Sun, Jul 07, 2002 at 04:45:52PM -0500
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, Jul 07, 2002 at 04:45:52PM -0500, Richard Seaman, Jr. wrote:
> On Sun, Jul 07, 2002 at 11:35:46PM +0200, Szilveszter Adam wrote:
> > Hello everybody,
> >
> > I upgraded to yesterday's -CURRENT and have made a few observations:
>
> > 2) and much more alarmingly: Although the new ipfw really seems to
> > process the ruleset faster, some rules appear to do nothing! I
> > have a "default-to-deny" setup, so theoretically this should mean that I
> > should be cut off from the net if the allow rules do not work. And
> > indeed, flushing all rules gives the expected behaviour. But as soon as
> > I load the ruleset file (which is the same as previously and then it
> > worked as expected) the fw becomes wide-open, the only rules that appear
> > to work are the divert for natd, and the allow rules. But the deny rules
> > do nothing, it seems that even the "catch-all" implicit deny rule at the
> > bottom does nothing. Am I going insane, or is this real?
>
> Don't know. But, I do know that logging seemed to be messed up. My old
> ruleset only logged a few rules, and after upgrading I seemed to get a
> log entry for every packet. It was so overwhelming that I didn't even
> try to analyze it. Since I needed natd on the machine in question,
> I just reverted all the new ipfw code, and haven't spent much time at it.

I just went back to the old log files, and based on a spot check, the
log files do indeed record as "accepted" packets that should have been
denied by the ruleset (and which are currently denied without logging
using the same ruleset and the "old" ipfw).

-- 
Richard Seaman, Jr.        email: dick@seaman.org
5182 N. Maple Lane         phone: 262-367-5450
Nashotah WI 53058          fax: 262-367-5852

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
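The spot check described in the message above (ipfw log entries that say "Accept" for packets the ruleset should have denied) can be done mechanically. The following Python script is an added example, not code from the thread or from FreeBSD's ipfw; it replays ipfw syslog lines through a simplified model of ipfw's first-match rule walk and reports every packet logged as accepted that the ruleset would in fact deny. Assumptions, all labelled in the code: only a small subset of ipfw(8) rule syntax is parsed (allow/deny/divert, optional "log", one protocol, comma-separated port lists, in/out, via), the log lines use the classic "ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>" form, a matching divert rule is modelled as pass-through to the next rule without natd's address rewriting, and both the ruleset and the log lines are constructed samples, not the sender's real ones.

```python
"""Replay ipfw log lines against a first-match ruleset and flag packets that
were logged as accepted although the ruleset should have denied them.

Added example; not from the mailing-list thread or from FreeBSD's ipfw.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# ASSUMPTION: subset of ipfw(8) rule syntax (no port ranges, no "me",
# no "not", no "setup"/"established"):
#   add <num> <allow|deny|divert PORT> [log] <ip|tcp|udp|icmp>
#       from <addr|any> [ports] to <addr|any> [ports] [in|out] [via IFACE]
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny|divert\s+\d+)(?:\s+log)?"
    r"\s+(?P<proto>ip|tcp|udp|icmp)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>\d+(?:,\d+)*))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>\d+(?:,\d+)*))?"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?\s*$"
)

# ASSUMPTION: classic ipfw syslog line format, e.g.
#   ipfw: 300 Accept TCP 10.1.2.3:4444 192.168.10.12:23 in via fxp0
#   ipfw: 65000 Deny ICMP:8.0 10.0.0.1 192.168.10.12 in via fxp0
LOG_RE = re.compile(
    r"^ipfw:\s+(?P<num>\d+)\s+(?P<action>Accept|Deny|Divert)"
    r"\s+(?P<proto>TCP|UDP|ICMP(?::[\d.]+)?)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)


@dataclass
class Rule:
    num: int
    action: str                 # allow / deny / divert
    proto: str                  # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    sports: FrozenSet[int]      # empty set = any port
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int]
    direction: Optional[str]    # None = both directions
    iface: Optional[str]        # None = any interface


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _ports(tok: Optional[str]) -> FrozenSet[int]:
    return frozenset(int(p) for p in tok.split(",")) if tok else frozenset()


def parse_ruleset(text: str):
    """Parse "add ..." lines (comments after # ignored) into rules sorted by number."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(int(m["num"]), m["action"].split()[0], m["proto"],
                          _net(m["src"]), _ports(m["sports"]),
                          _net(m["dst"]), _ports(m["dports"]),
                          m["dir"], m["iface"]))
    rules.sort(key=lambda r: r.num)   # ipfw walks rules in number order
    return rules


def parse_log_line(line: str):
    """Return a packet dict for an ipfw log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"].split(":")[0].lower()

    def addr(tok):
        if proto in ("tcp", "udp"):          # "host:port"
            host, port = tok.rsplit(":", 1)
            return ipaddress.ip_address(host), int(port)
        return ipaddress.ip_address(tok), None
    src, sport = addr(m["src"])
    dst, dport = addr(m["dst"])
    return {"num": int(m["num"]), "action": m["action"].lower(), "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": m["dir"], "iface": m["iface"], "line": line.strip()}


def _matches(rule: Rule, pkt) -> bool:
    return (rule.proto in ("ip", pkt["proto"])
            and pkt["src"] in rule.src and pkt["dst"] in rule.dst
            and (not rule.sports or pkt["sport"] in rule.sports)
            and (not rule.dports or pkt["dport"] in rule.dports)
            and (rule.direction is None or rule.direction == pkt["dir"])
            and (rule.iface is None or rule.iface == pkt["iface"]))


def evaluate(rules, pkt):
    """First-match walk. ASSUMPTION: a matching divert rule is treated as
    pass-through to the next rule with addresses unchanged (real natd rewrites
    them before re-injection). Falling off the end is the implicit deny, 65535."""
    for rule in rules:
        if _matches(rule, pkt):
            if rule.action == "divert":
                continue
            return rule.action, rule.num
    return "deny", 65535


def find_accepted_but_should_deny(rules, log_text: str):
    """Every "Accept" log entry whose packet the ruleset would actually deny."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or pkt["action"] != "accept":
            continue
        action, num = evaluate(rules, pkt)
        if action == "deny":
            hits.append({"logged_rule": pkt["num"], "expected_rule": num, "line": pkt["line"]})
    return hits


# Constructed ruleset in the shape described in the thread: divert to natd
# first, a few explicit allows, explicit default-to-deny at the bottom.
SAMPLE_RULESET = """
add 100 divert 8668 ip from any to any via fxp0
add 200 allow tcp from 192.168.10.0/24 to any out via fxp0
add 300 allow tcp from any to 192.168.10.0/24 22 in via fxp0
add 400 deny log tcp from any to any 23 in via fxp0
add 65000 deny log ip from any to any
"""

# Constructed log lines (not the sender's real logs); lines 3 and 4 are the
# kind of entry the message reports: "Accept" for a packet the rules deny.
SAMPLE_LOG = """
ipfw: 200 Accept TCP 192.168.10.12:3456 10.1.2.3:80 out via fxp0
ipfw: 300 Accept TCP 10.5.5.5:51000 192.168.10.12:22 in via fxp0
ipfw: 300 Accept TCP 10.1.2.3:4444 192.168.10.12:23 in via fxp0
ipfw: 65000 Accept TCP 10.7.7.7:2000 192.168.10.12:139 in via fxp0
ipfw: 65000 Deny UDP 10.9.9.9:53 192.168.10.12:1025 in via fxp0
"""

if __name__ == "__main__":
    for hit in find_accepted_but_should_deny(parse_ruleset(SAMPLE_RULESET), SAMPLE_LOG):
        print(f"logged Accept by rule {hit['logged_rule']}, ruleset would deny at rule "
              f"{hit['expected_rule']}: {hit['line']}")
```

Run against a real ruleset file and /var/log/security (or wherever syslog puts ipfw output), the script turns a manual spot check into a full pass over the log; any hit means the firewall's recorded decision disagrees with what the loaded rules say, which is exactly the symptom being reported. Because the divert step is modelled without address translation, packets that natd rewrites may need a second look by hand.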