Date:      Wed, 28 Jul 2004 16:37:23 +0000
From:      Daniela <dgw@liwest.at>
To:        "Steve Bertrand" <iaccounts@ibctech.ca>
Cc:        questions@freebsd.org
Subject:   Re: Problems after IP change
Message-ID:  <200407281637.23563.dgw@liwest.at>
In-Reply-To: <3652.209.167.16.15.1091028200.squirrel@209.167.16.15>
References:  <200407281452.00859.dgw@liwest.at> <200407281611.09200.dgw@liwest.at> <3652.209.167.16.15.1091028200.squirrel@209.167.16.15>

On Wednesday 28 July 2004 15:23, Steve Bertrand wrote:
> > Yes, it works, but of course I can't leave this rule in all the time.
> > The SYN/ACK packet that comes back from the remote server is denied by
> > rule 01900. But it should be allowed by the check-state rule.
> >
> >> Also, I know you haven't changed anything, but what does the output
> >> from this command state?:
> >> # sysctl net.inet.ip.forwarding
> >
> > It is set to 1. I changed this a long time ago.
>
> I figured so...what happens if you add 'keep-state' to rules 20000, 20002
> and 20003?

Nothing.
BTW, here we have the problem: The initial SYN packet isn't matched by rule 
11700 (setup keep-state). Setup means the SYN flag is set, right? So why is 
it not matched? If I remove the "setup" keyword to match all outgoing 
packets, the SYN/ACK from the server is still denied by rule 01900.


