Date: Mon, 17 Jan 2000 20:52:43 -0500
From: "Crist J. Clark"
To: Richard Martin
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: loss of setup option in ipfw
Message-ID: <20000117205243.A63571@cc942873-a.ewndsr1.nj.home.com>
References: <3882608D.E77903EE@origen.com>
In-Reply-To: <3882608D.E77903EE@origen.com>; from dmartin@origen.com on Sun, Jan 16, 2000 at 06:21:33PM -0600

On Sun, Jan 16, 2000 at 06:21:33PM -0600, Richard Martin wrote:
> I am setting up a new server with ipfw packet filtering and I have a couple of
> questions about some quirks.
>
> First, I cannot now use the 'setup' option for TCP packets. Whether the line
> is in the script or entered at the command line, if it has 'setup' in the
> option position, the rule fails.

And the error message is...?

> I have added a few ports since I first set up the firewall - Tripwire, LSOF, a
> few others- and somewhere along the way, something seems to have affected
> ipfw, because it was working OK before. Now when the script runs, even at
> reboot, the firewall lines with 'setup' at the end fail. A TCP rule with setup
> entered at the command line fails, but removing 'setup' allows it to be added
> to the chain.

And command lines and the error messages are...?
> ************
>
> Second, I have noticed that reply packets coming out of our LAN (like ftp
> data) behind the firewall are addressed back to the internal LAN IPs. This is
> odd: other NAT/masquerading systems I have used have the replies come back to
> the external IP and a table is kept for replies to route the packets back to
> the right address.
>
> Do I have something misconfigured, or is this just the way NATD works in
> F'BSD?

The packets with addresses of your private address-space are leaking out onto
the net? That should not be happening. How is natd configured and how is your
network set up? What are your firewall rules?

--
Crist J. Clark                                cjclark@home.com