From owner-freebsd-net Thu Feb 14 12:43:51 2002
Delivered-To: freebsd-net@freebsd.org
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id 07F6B37B417 for ; Thu, 14 Feb 2002 12:43:46 -0800 (PST)
Received: (qmail 771 invoked from network); 14 Feb 2002 20:43:44 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 14 Feb 2002 20:43:44 -0000
Message-ID: <3C6C2180.3020704@tenebras.com>
Date: Thu, 14 Feb 2002 12:43:44 -0800
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131
X-Accept-Language: en-us
MIME-Version: 1.0
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
References: <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Luigi Rizzo wrote:
> the reply was that keep-state and natd are very hard to use
> together, and besides it is rather useless because natd is stateful
> by itself.

natd is stateful, but provides no protection for inbound IP traffic that is destined for the filtering host itself. The ruleset *is* particularly useful, since the host in question is both a router for NAT'd hosts and a DNS and mail server. I'd like to preserve stateful filtering rules for packets that originate at and are destined for the host itself.

> ..., I do not feel like spending
> an hour or two trying to infer what is on your [some static rules],
> and I'll happily leave you the job to explain where the bug (which
> means reconstruct the flow of packets in and out of the ipfw and
> show which one is dealt in the wrong way).
I'd be happy to share the static rules -- and AFAIK I did give a hint as to what the problem is. What kind of evidence do you want, in particular? I have a tcpdump that shows the packet exchange, shows SYN from each host, and demonstrates that the dynamic rule is in the wrong state, using the wrong timer. This could easily have something to do with the interaction of ipfw and natd, but I'm just reporting the observable phenomena.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
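A ruleset layout of the kind Michael describes, added here as an illustration and not his actual rules (which he did not post): natd translates the forwarded traffic of the NAT'd hosts, while keep-state rules placed ahead of the divert cover only flows that begin or end on the filtering host itself, so the two stateful mechanisms never act on the same packet. The outside interface fxp0, the inside interface fxp1 and the LAN prefix 192.168.1.0/24 are assumed.

```ipfw
# Assumed ipfw rules file for a FreeBSD 4.x-era host that is both a natd router
# and a DNS/mail server; load with "ipfw -q /etc/ipfw.rules" after flushing.
# fxp0 = outside interface, fxp1 = inside (NAT'd LAN), 192.168.1.0/24 = LAN.

add 50 allow ip from any to any via lo0

# Packets belonging to an existing dynamic rule are accepted here, before natd
# sees them. Only the host's own flows create dynamic rules (below), so nothing
# that still needs translation is short-circuited past the divert.
add 100 check-state

# Flows that originate on the filtering host: the source is already the host's
# own address before translation, so "from me" matches here while a forwarded
# LAN packet (source 192.168.1.x) does not.
add 200 allow tcp from me to any out via fxp0 setup keep-state
add 210 allow udp from me to any out via fxp0 keep-state

# Services the host itself offers to the outside (mail, DNS). The replies
# going out are matched by the dynamic rule at 100.
add 300 allow tcp from any to me 25 in via fxp0 setup keep-state
add 310 allow tcp from any to me 53 in via fxp0 setup keep-state
add 320 allow udp from any to me 53 in via fxp0 keep-state

# Everything else crossing the outside interface is handed to natd, whose own
# translation table is the statefulness Luigi refers to. After translation the
# packet re-enters the ruleset at the rule following the divert.
add 400 divert natd ip from any to any via fxp0

# Forwarded traffic after translation: outbound now carries the host's address,
# inbound replies have been mapped back to a LAN address. An inbound packet
# with no natd entry still has the host's address as destination, matches
# neither rule, and falls through to the deny.
add 500 allow ip from me to any out via fxp0
add 510 allow ip from any to 192.168.1.0/24 in via fxp0

# The inside interface is trusted in this illustration.
add 600 allow ip from any to any via fxp1

add 65000 deny log ip from any to any
```

This layout says nothing about the dynamic-rule timer behaviour Michael observed; it only keeps natd's table and ipfw's dynamic rules from tracking the same connections, which is where a flow can otherwise be accepted by check-state before it has been translated back.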