Date: Thu, 14 Feb 2002 13:59:36 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Message-ID: <20020214135936.A59207@iguana.icir.org>
In-Reply-To: <3C6C2180.3020704@tenebras.com>
References: <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org> <3C6C2180.3020704@tenebras.com>
On Thu, Feb 14, 2002 at 12:43:44PM -0800, Michael Sierchio wrote:
> >..., i do not feel like spending
> >an hour or two trying to infer what is on your [some static rules],
> >and i'll happily leave you the job to explain where the bug (which
> >means reconstruct the flow of packets in and out of the ipfw and
> >show which one is dealt in the wrong way).
>
> I'd be happy to share the static rules -- and AFAIK I did give a hint
> as to what the problem is. What kind of evidence do you want, in
> particular?
>
> I have a tcpdump that shows the packet exchange, shows SYN from each
> host, and demonstrates that the dynamic rule is in the wrong state,
> using the wrong timer.

This could easily have something to do with it: the only reason why the
rule can be "in the wrong state", as you say, is that the packet you are
waiting for never reaches the rule. Which in turn boils down to a
misconfiguration of the ruleset.

A tcpdump alone, even taken on both sides, is not enough because the
packet goes like this:

    input interface
    ip_input()
    ipfw up to the natd rule
    natd
    rest of ipfw ruleset
    ip_output() (if gateway is enabled)
    ipfw up to the natd rule
    natd
    rest of ipfw ruleset

Where it is dropped, you might probably figure out with a bit of
experimenting and looking at ipfw counters and possibly running natd in
verbose mode.

	luigi
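The counter-based experiment Luigi suggests, as an added example that is not part of the original thread: snapshot the per-rule packet counters of `ipfw -a list` before and after sending one probe packet, then print every rule whose counter grew. The last rule that moved is the one that handled (or dropped) the probe, and a rule that did not move is one the packet never reached. The two snapshots below are constructed sample output in the `<rulenum> <pkts> <bytes> <rule body>` layout that `ipfw -a list` uses; the ruleset and the counter values are invented for illustration, and sending the actual probe is left to the reader.

```sh
#!/bin/sh
# Added example, not code from the original message.
# Assumes `ipfw -a list` output lines look like:
#   <rulenum> <pkts> <bytes> <rule body>

# counter_deltas BEFORE AFTER
# Print "<rulenum> <delta> <rule body>" for every rule whose packet
# counter is higher in AFTER than in BEFORE.  Rules that did not match
# the probe are silent, so the printed list is the path the packet took.
counter_deltas() {
    awk '
        # First file: remember the packet counter of each rule.
        NR == FNR { before[$1] = $2; next }
        # Second file: report rules whose counter moved.
        {
            delta = $2 - before[$1]
            if (delta > 0) {
                body = ""
                for (i = 4; i <= NF; i++)
                    body = body (i > 4 ? " " : "") $i
                printf "%s %d %s\n", $1, delta, body
            }
        }
    ' "$1" "$2"
}

# Real usage (interactive, not run here):
#   ipfw -a list > /tmp/before
#   ... send exactly one SYN from the outside host ...
#   ipfw -a list > /tmp/after
#   counter_deltas /tmp/before /tmp/after
#   ipfw -d list          # dynamic rules created by keep-state, if any
#   natd -v ...           # natd in verbose mode shows what it rewrote
# `ipfw zero` before the probe makes the BEFORE snapshot all zeros.

# demo_locate_drop: runs counter_deltas on two constructed snapshots
# (hypothetical ruleset) that model one inbound SYN on fxp0 being
# diverted to natd, re-entering ipfw after the divert rule, missing
# check-state and hitting the inbound deny.
demo_locate_drop() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
00100 10 1000 allow ip from any to any via lo0
00200 55 6600 divert 8668 ip from any to any via fxp0
00300 40 4800 check-state
00400 12 720 allow tcp from any to any out via fxp0 setup keep-state
00500 3 180 deny tcp from any to any in via fxp0 setup
65535 0 0 deny ip from any to any
EOF
    cat > "$tmp/after" <<'EOF'
00100 10 1000 allow ip from any to any via lo0
00200 56 6660 divert 8668 ip from any to any via fxp0
00300 41 4860 check-state
00400 12 720 allow tcp from any to any out via fxp0 setup keep-state
00500 4 240 deny tcp from any to any in via fxp0 setup
65535 0 0 deny ip from any to any
EOF
    counter_deltas "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
```

In the constructed run, rules 00200, 00300 and 00500 each move by one packet: the SYN was diverted, came back from natd, did not match an existing dynamic rule at check-state, and was dropped by the inbound deny. That is exactly the case Luigi describes, a packet that never reaches the keep-state rule it was expected to update, and it is invisible to tcpdump on either side.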