From owner-freebsd-net Fri Feb 15 16:00:07 2002
From: Michael Sierchio
To: "Aaron D. Gifford"
Cc: freebsd-net@freebsd.org
Subject: Re: Bug in stateful code?
Date: Fri, 15 Feb 2002 16:00:00 -0800
Message-ID: <3C6DA100.3080108@tenebras.com>
References: <20020215225647.DBAB521CE8@ns1.infowest.com>

Aaron D. Gifford wrote:

> When it hits check-state, while it DOES match the "X.Y.Z.23 1549 <-> X.Y.Z.44 22"
> dynamic rule in principle, it FAILS to match because the dynamic rule is
> expecting to see a SYN-ACK response from the remote host FIRST (remember, the
> SYN-ACK never matched this particular dynamic rule). Thus this dynamic rule
> STILL sits, expecting SYN-ACK.
>
> Since no further rules match, if you default to deny, your ACK packet gets
> dropped/denied.
>
> Is this the behavior you are seeing?

The packet is never dropped, it's just that -- as Crist previously pointed
out -- it matches an earlier rule, so it never changes the state of the
dynamic rule in question.

It's sometimes useful to use 'add count' rules before and after 'divert natd'
to see what's happening.

> If anyone is interested, I'd be happy to post my ipfw rules I use at home. I
> have a single Internet visible IP and a few hosts translated sitting behind
> it on a broadband connection.

I elected to try Chris Dillon's suggestion, since I have two IPs on my
external interface, and can dedicate one to NAT and use stateful rules on the
other -- with the minor complication that this host is running both tinydns
and dnscache (the latter for my own hosts), and so I still need a few allow
rules before 'divert natd' -- all of which seem straightforward now.

All of this mess was the result of changing ISPs and having, instead of a
nice little /29 subnet, discontiguous addresses on a bridged SDSL connection.
Ack. Ppppt.

Thanks to Chris, Crist, Aaron and Luigi.
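The rule layout the reply above describes, as an added example that is not code from the thread, from Michael, or from FreeBSD: one public address is dedicated to natd, the other is covered only by check-state/keep-state rules, the authoritative DNS daemon gets stateless allow rules ahead of the divert, and 'count' rules bracket 'divert natd' so the counters show what reaches natd and what comes back out of it. Interface names, addresses, network ranges, rule numbers and the address-scoped divert rules are all assumptions for illustration; check_order is a hypothetical sanity check that the count rules and check-state sit where the diagnosis expects them.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).  Generates an
# ipfw rule set with one address dedicated to natd and the other protected by
# stateful rules, with count rules bracketing 'divert natd' for diagnosis.
# Every value below is an assumption chosen for illustration.

EXT_IF="${EXT_IF:-sis0}"           # assumed external interface
INT_IF="${INT_IF:-fxp0}"           # assumed internal interface
NAT_IP="${NAT_IP:-192.0.2.10}"     # assumed public address dedicated to natd
HOST_IP="${HOST_IP:-192.0.2.11}"   # assumed public address using stateful rules
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # assumed translated hosts behind natd

# Print the rule set, one ipfw command per line, in load order.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 allow ip from any to any via ${INT_IF}
ipfw add 200 allow udp from any to ${HOST_IP} 53 in via ${EXT_IF}
ipfw add 210 allow udp from ${HOST_IP} 53 to any out via ${EXT_IF}
ipfw add 300 count ip from any to any via ${EXT_IF}
ipfw add 310 divert natd ip from any to ${NAT_IP} in via ${EXT_IF}
ipfw add 320 divert natd ip from ${LAN_NET} to any out via ${EXT_IF}
ipfw add 330 count ip from any to any via ${EXT_IF}
ipfw add 340 allow ip from ${NAT_IP} to any out via ${EXT_IF}
ipfw add 350 allow ip from any to ${LAN_NET} in via ${EXT_IF}
ipfw add 400 check-state
ipfw add 410 allow tcp from ${HOST_IP} to any out via ${EXT_IF} setup keep-state
ipfw add 420 allow udp from ${HOST_IP} to any out via ${EXT_IF} keep-state
ipfw add 65000 deny ip from any to any
EOF
}

# 1-based position of the first emitted line containing $1 (empty if absent).
rule_pos() {
    ipfw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Hypothetical layout check: a count rule immediately before the first divert
# and immediately after the last one, and check-state only after both.
check_order() {
    first=$(ipfw_rules | grep -n -- 'divert natd' | head -n 1 | cut -d: -f1)
    last=$(ipfw_rules | grep -n -- 'divert natd' | tail -n 1 | cut -d: -f1)
    [ -n "$first" ] || return 1
    before=$(ipfw_rules | sed -n "$((first - 1))p")
    after=$(ipfw_rules | sed -n "$((last + 1))p")
    case "$before" in *" count "*) ;; *) return 1 ;; esac
    case "$after"  in *" count "*) ;; *) return 1 ;; esac
    cs=$(rule_pos 'check-state')
    [ -n "$cs" ] && [ "$cs" -gt "$last" ]
}

# Load the rules, or only print them when IPFW_DRY_RUN is set.
apply_rules() {
    check_order || { echo "rule layout check failed" >&2; return 1; }
    if [ -n "${IPFW_DRY_RUN:-}" ]; then
        ipfw_rules
    else
        ipfw_rules | sh -e
    fi
}

# 'ipfw -a list' prints packet/byte counters next to each rule.  The divert
# rules' own counters show how much traffic is handed to natd; a gap between
# rule 300 and rule 330 is traffic natd did not reinject.
show_counters() {
    ipfw -a list | grep -E '^0*(300|310|320|330) '
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh rules.sh apply` to load the set, or with `IPFW_DRY_RUN=1` to only print it; afterwards compare the counters from show_counters with a packet that is expected to create or advance a dynamic rule, which shows whether it ever got past the divert to check-state at all.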