Date: Fri, 15 Feb 2002 16:00:00 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: "Aaron D. Gifford" <agifford@infowest.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Bug in stateful code?
Message-ID: <3C6DA100.3080108@tenebras.com>
References: <20020215225647.DBAB521CE8@ns1.infowest.com>
Aaron D. Gifford wrote:

> When it hits check-state, while it DOES match the "X.Y.Z.23 1549<-> X.Y.Z.44
> 22" dynamic rule in principle, it FAILS to match because the dynamic rule is
> expecting to see a SYN-ACK response from the remote host FIRST (remember, the
> SYN-ACK never matched this particular dynamic rule). Thus this dynamic rule
> STILL sits, expecting SYN-ACK.
>
> Since no further rules match, if you default to deny, your ACK packet gets
> dropped/denied.
>
> Is this the behavior you are seeing?

The packet is never dropped, it's just that -- as Crist previously pointed out
-- it matches an earlier rule, so it never changes the state of the dynamic
rule in question. It's sometimes useful to use 'add count' rules before and
after 'divert natd' to see what's happening.

> If anyone is interested, I'd be happy to post my ipfw rules I use at home. I
> have a single Internet visible IP and a few hosts translated sitting behind
> it on a broadband connection.

I elected to try Chris Dillon's suggestion, since I have two IPs on my
external interface, and can dedicate one to NAT and use stateful rules on the
other -- with the minor complication that this host is running both tinydns
and dnscache (the latter for my own hosts), and so I still need a few allow
rules before 'divert natd' -- all of which seem straightforward now.

All of this mess was the result of changing ISPs and having, instead of a nice
little /29 subnet, discontiguous addresses on a bridged SDSL connection. Ack.
Ppppt.

Thanks to Chris, Crist, Aaron and Luigi.
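The ruleset layout the reply above settles on, written out as an added example that is not from the thread or from any of its participants: 'count' rules bracket 'divert natd', the host's own DNS is allowed ahead of the divert, one public address is dedicated to natd and stateful rules are used on the other. The interface name, addresses, LAN range and natd port are assumed values.

```shell
#!/bin/sh
# Added example, not code from the original thread: an ipfw ruleset in the
# layout the message describes. 'count' rules bracket 'divert natd', the
# host's own DNS is allowed ahead of the divert, one public address is
# dedicated to natd and stateful rules are used on the other. The interface,
# addresses and natd port below are assumed values.
oif=xl0                # assumed external interface
nat_ip=192.0.2.1       # assumed public address handed to natd (-a ${nat_ip})
host_ip=192.0.2.2      # assumed public address used directly by this host
lan=192.168.1.0/24     # assumed range of the translated hosts behind natd
natd_port=8668         # natd's default divert port
fwcmd=${FWCMD:-/sbin/ipfw}
# Print the rule bodies, one per line, in load order.
fw_rules() {
cat <<EOF
check-state
allow tcp from ${host_ip} to any out via ${oif} setup keep-state
allow udp from ${host_ip} to any out via ${oif} keep-state
allow udp from any to ${host_ip} 53 in via ${oif}
allow udp from ${host_ip} 53 to any out via ${oif}
allow tcp from any to ${host_ip} 53 in via ${oif} setup keep-state
count ip from any to any via ${oif}
divert ${natd_port} ip from any to any via ${oif}
count ip from any to any via ${oif}
allow ip from ${nat_ip} to any out via ${oif}
allow tcp from any to ${lan} in via ${oif} established
allow udp from any to ${lan} in via ${oif}
deny log ip from any to any
EOF
}
# Layout check: the two count rules must sit directly around the divert
# (so 'ipfw show' tells you what natd ate), and check-state must precede
# every keep-state rule so replies update the dynamic rule, not an earlier one.
check_layout() {
    div=$(fw_rules | grep -n '^divert ' | cut -d: -f1)
    before=$(fw_rules | sed -n "$((div - 1))p" | cut -d' ' -f1)
    after=$(fw_rules | sed -n "$((div + 1))p" | cut -d' ' -f1)
    cs=$(fw_rules | grep -n '^check-state$' | cut -d: -f1)
    first_ks=$(fw_rules | grep -n 'keep-state' | head -n 1 | cut -d: -f1)
    [ "$before" = count ] && [ "$after" = count ] && [ "$cs" -lt "$first_ks" ]
}
# Flush and load the rules; with FWCMD=echo this only prints what would run.
apply_rules() {
    check_layout || return 1
    ${fwcmd} -f flush
    fw_rules | while read -r rule; do ${fwcmd} add ${rule}; done
}
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run with `FWCMD=echo sh rules.sh apply` to see the commands without touching the firewall; compare the two count rules' packet counters in `ipfw show` to see what natd accepted or dropped.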