From owner-freebsd-questions@FreeBSD.ORG Wed Jul 28 15:19:12 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1224216A4CE for ; Wed, 28 Jul 2004 15:19:12 +0000 (GMT)
Received: from lilzmailso02.liwest.at (lilzmailso02.liwest.at [212.33.55.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF2F743D62 for ; Wed, 28 Jul 2004 15:19:11 +0000 (GMT) (envelope-from dgw@liwest.at)
Received: from cm248-230.liwest.at ([81.10.248.230]) by lilzmailso02.liwest.at with esmtp (Exim 4.24) id 1BpqCo-0006I3-R2; Wed, 28 Jul 2004 17:18:58 +0200
From: Daniela
To: "Steve Bertrand"
Date: Wed, 28 Jul 2004 16:11:09 +0000
User-Agent: KMail/1.5.3
References: <200407281452.00859.dgw@liwest.at> <200407281548.17563.dgw@liwest.at> <3600.209.167.16.15.1091027170.squirrel@209.167.16.15>
In-Reply-To: <3600.209.167.16.15.1091027170.squirrel@209.167.16.15>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200407281611.09200.dgw@liwest.at>
cc: questions@freebsd.org
Subject: Re: Problems after IP change
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dgw@liwest.at
List-Id: User questions
X-List-Received-Date: Wed, 28 Jul 2004 15:19:12 -0000

On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
> > On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
> >> >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
> >> >> file.
> >> >
> >> > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
> >> > natd_interface="rl0"
> >> > natd_enable="YES"
> >> >
> >> > But I didn't change anything here, and it always worked.
> >>
> >> Indeed, I did mean rc.conf...sorry ;o)
> >>
> >> Now would be a good time to post your fw ruleset.
> >
> > add 00300 divert 8668 ip from any to any
> > add 01300 unreach port tcp from any to any 6699
> > add 01400 allow log all from any to any via lo0
> > add 01600 check-state
>
> Well, I would hate to do this, but for testing purposes, add a rule (very
> briefly)...
>
> > add 00300 divert 8668 ip from any to any
> > add 01300 unreach port tcp from any to any 6699
> > add 01400 allow log all from any to any via lo0
> > add 1500 allow log logamount 1000 all from any to any
>
> and check to see if things are working. Your security log file may
> indicate where traffic is going whether it is or not.

Yes, it works, but of course I can't leave this rule in all the time.
The SYN/ACK packet that comes back from the remote server is denied by rule
01900. But it should be allowed by the check-state rule.

> Also, I know you haven't changed anything, but what does the output from
> this command state?:
>
> # sysctl net.inet.ip.forwarding

It is set to 1. I changed this a long time ago.
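Added illustration, not part of the thread and not ipfw's own code: a small Python model of how ipfw's check-state and keep-state interact, run over the ruleset quoted above. check-state only matches packets of a flow that an earlier keep-state rule has already recorded, so an outbound allow rule without keep-state lets the SYN out but leaves no state for the returning SYN/ACK, which then falls through to a later deny. The outbound rule 1700 and the final deny 1900 are assumptions filled in for the model; only 300, 1300, 1400 and 1600 come from the message.

```python
# Toy model of ipfw check-state/keep-state matching (constructed; not ipfw code).
# check-state matches only flows that an earlier keep-state rule has recorded.

def rule_matches(rule, pkt):
    """Static match on protocol, source, destination port and options."""
    _, _, proto, src, dport, opts = rule
    return (proto in ("ip", "all", pkt["proto"])
            and src in ("any", pkt["src"])
            and dport in ("any", pkt["dport"])
            and ("out" not in opts or pkt["dir"] == "out")
            and ("via lo0" not in opts or pkt["iface"] == "lo0"))

def evaluate(rules, packets):
    """Return (rule number, action) per packet; dynamic state persists across packets."""
    state, verdicts = set(), []
    for pkt in packets:
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for rule in rules:
            num, action = rule[0], rule[1]
            if action == "check-state":     # matches recorded flows in either direction
                if flow in state or reverse in state:
                    verdicts.append((num, "allow"))
                    break
                continue
            if not rule_matches(rule, pkt):
                continue
            if action == "divert":          # natd reinjects; rule search continues
                continue
            if "keep-state" in rule[5]:     # record the flow for later check-state
                state.add(flow)
            verdicts.append((num, action))
            break
    return verdicts

def ruleset(keep_state):
    """The thread's rules plus an assumed outbound allow (1700) and final deny (1900)."""
    out_opts = {"out", "keep-state"} if keep_state else {"out"}
    return [(300, "divert", "ip", "any", "any", set()),
            (1300, "unreach", "tcp", "any", 6699, set()),
            (1400, "allow", "all", "any", "any", {"via lo0"}),
            (1600, "check-state", None, None, None, set()),
            (1700, "allow", "tcp", "me", "any", out_opts),   # assumed outbound rule
            (1900, "deny", "all", "any", "any", set())]      # assumed final deny

def tcp(src, sport, dst, dport, direction, iface="rl0"):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "dir": direction, "iface": iface}
# Constructed sample: outbound SYN to a web server, then its SYN/ACK reply.
HANDSHAKE = [tcp("me", 50000, "remote", 80, "out"), tcp("remote", 80, "me", 50000, "in")]
```

With `ruleset(False)` the SYN/ACK ends at the deny rule; with `ruleset(True)` the same packet is accepted at rule 1600 by check-state.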