From owner-freebsd-questions@FreeBSD.ORG Wed Jul 28 15:23:11 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E54216A4D1 for ; Wed, 28 Jul 2004 15:23:11 +0000 (GMT)
Received: from pearl.ibctech.ca (dev.eagle.ca [209.167.58.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id C728743D55 for ; Wed, 28 Jul 2004 15:23:10 +0000 (GMT) (envelope-from iaccounts@ibctech.ca)
Received: (qmail 72574 invoked by uid 1002); 28 Jul 2004 15:23:22 -0000
Received: from iaccounts@ibctech.ca by pearl.ibctech.ca by uid 89 with qmail-scanner-1.22 (clamscan: 0.73. spamassassin: 2.63. Clear:RC:1(127.0.0.1):. Processed in 1.457877 secs); 28 Jul 2004 15:23:22 -0000
Received: from unknown (HELO webmail.ibctech.ca) (127.0.0.1) by localhost.ibctech.ca with SMTP; 28 Jul 2004 15:23:20 -0000
Received: from 209.167.16.15 (SquirrelMail authenticated user steve@ibctech.ca); by webmail.ibctech.ca with HTTP; Wed, 28 Jul 2004 11:23:20 -0400 (EDT)
Message-ID: <3652.209.167.16.15.1091028200.squirrel@209.167.16.15>
Date: Wed, 28 Jul 2004 11:23:20 -0400 (EDT)
From: "Steve Bertrand"
To: dgw@liwest.at
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
References: <200407281452.00859.dgw@liwest.at> <200407281548.17563.dgw@liwest.at> <3600.209.167.16.15.1091027170.squirrel@209.167.16.15> <200407281611.09200.dgw@liwest.at>
In-Reply-To: <200407281611.09200.dgw@liwest.at>
cc: questions@freebsd.org
Subject: Re: Problems after IP change
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Jul 2004 15:23:11 -0000

> On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
>> > On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
>> >> >> Also, post the relevant ``natd'' line entries in your
>> >> >> /etc/natd.conf file.
>> >> >
>> >> > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
>> >> > natd_interface="rl0"
>> >> > natd_enable="YES"
>> >> >
>> >> > But I didn't change anything here, and it always worked.
>> >>
>> >> Indeed, I did mean rc.conf...sorry ;o)
>> >>
>> >> Now would be a good time to post your fw ruleset.
>> >
>> > add 00300 divert 8668 ip from any to any
>> > add 01300 unreach port tcp from any to any 6699
>> > add 01400 allow log all from any to any via lo0
>> > add 01600 check-state
>>
>> Well, I would hate to do this, but for testing purposes, add a rule (very
>> briefly)...
>>
>> > add 00300 divert 8668 ip from any to any
>> > add 01300 unreach port tcp from any to any 6699
>> > add 01400 allow log all from any to any via lo0
>> add 1500 allow log logamount 1000 all from any to any
>>
>> and check to see if things are working. Your security log file may
>> indicate where traffic is going, whether it is or not.
>
> Yes, it works, but of course I can't leave this rule in all the time. The
> SYN/ACK packet that comes back from the remote server is denied by rule
> 01900. But it should be allowed by the check-state rule.
>
>> Also, I know you haven't changed anything, but what does the output from
>> this command state?:
>>
>> # sysctl net.inet.ip.forwarding
>
> It is set to 1. I changed this a long time ago.

I figured so...what happens if you add 'keep-state' to rules 20000, 20002
and 20003?

Steve
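As an added example (not part of the thread), a small Python checker for the failure mode discussed above: it parses ipfw `add` lines and reports allow rules that carry no `keep-state`, so a connection they permit creates no dynamic entry for `check-state` to match the returning SYN/ACK against, and it confirms that the natd `divert` rule precedes `check-state`. The ruleset it runs on is constructed; rules 01900 and 20000-20003 are hypothetical stand-ins, since the thread only quotes their numbers.

```python
import re

# Constructed sample ruleset. Rules 00300-01600 echo the lines quoted in the
# thread; 01900 and 2000x are hypothetical stand-ins for rules the thread
# only refers to by number.
SAMPLE_RULESET = """\
add 00300 divert 8668 ip from any to any
add 01300 unreach port tcp from any to any 6699
add 01400 allow log all from any to any via lo0
add 01600 check-state
add 01900 deny log tcp from any to any established in via rl0
add 20000 allow tcp from any to any 80 out via rl0
add 20002 allow tcp from any to any 443 out via rl0
add 20003 allow tcp from any to any 22 out via rl0 keep-state
add 65000 deny log all from any to any
"""

RULE_RE = re.compile(r'^\s*add\s+(\d+)\s+(\S+)(?:\s+(.*))?$')

def parse_rules(text):
    """Turn 'add NNN action body' lines into dicts; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, action, body = m.groups()
            rules.append({'num': int(num), 'action': action, 'body': body or ''})
    return rules

def check_state_rule(rules):
    """Number of the first check-state rule, or None if the set has none."""
    for r in rules:
        if r['action'] == 'check-state':
            return r['num']
    return None

def stateless_allows(rules):
    """Allow rules that create no dynamic state (no keep-state, not lo0).

    A connection permitted by one of these leaves nothing for check-state to
    match, so the returning SYN/ACK is judged by the static rules alone.
    """
    return [r['num'] for r in rules
            if r['action'] in ('allow', 'accept', 'pass', 'permit')
            and 'keep-state' not in r['body'].split()
            and 'lo0' not in r['body'].split()]

def divert_precedes_check_state(rules):
    """True when natd's divert rule comes before check-state, so inbound
    packets are translated back to the LAN address before the state lookup."""
    divert = [r['num'] for r in rules if r['action'] == 'divert']
    cs = check_state_rule(rules)
    return bool(divert) and cs is not None and min(divert) < cs
```

Running `stateless_allows(parse_rules(SAMPLE_RULESET))` on the constructed set returns `[20000, 20002]`, the two rules that would need `keep-state` added.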