From: Barry Irwin
To: freebsd-net@freebsd.org
Date: Sat, 6 Apr 2002 10:09:01 +0200
Subject: Packets lost when forwarding disabled
Message-ID: <20020406100901.C62987@itouchlabs.com>

Hi All

After mucking around on a firewall problem on the other side of the world yesterday, the problem was that net.inet.ip.forwarding was set to off (the gateway_enable had been mangled in rc.conf). Packets were being received by the firewall kernel, and happily passed through the firewall ruleset as expected; they then disappeared.

I thought it would be useful to have a sysctl knob which would allow one to cause these packets to be logged. From a security pov it would be interesting to know if people are trying to use you as a gateway.

Now for the real question: does something like this already exist, and am I going to be re-inventing the wheel if I add it to the kernel? Is there another way of doing this?

Thanks
Barry

--
Barry Irwin    bvi@itouchlabs.com    +27214875177
Systems Administrator: Networks And Security
Itouch Labs    http://www.itouchlabs.com    South Africa
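
The state described in the message (a firewall meant to route, gateway_enable mangled in rc.conf, net.inet.ip.forwarding off) can be checked for directly. The script below is an added example, not part of the original post; the function names rc_gateway_state and gateway_check are hypothetical, and it assumes gateway_enable is set to YES or NO as rc.conf documents.

```shell
#!/bin/sh
# Added example. For a host that is supposed to route, report whether
# rc.conf and the running kernel agree that forwarding is enabled.

# Print yes / no / unset / malformed for gateway_enable in the file $1.
rc_gateway_state() {
    # rc.conf is sourced by sh, so the last assignment wins.
    line=$(grep -E '^[[:space:]]*gateway_enable=' "$1" | tail -n 1)
    if [ -z "$line" ]; then echo unset; return 0; fi
    val=${line#*=}
    val=${val%%"#"*}    # drop a trailing comment
    val=$(printf '%s' "$val" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case $val in
        '"YES"'|YES) echo yes ;;
        '"NO"'|NO)   echo no ;;
        *)           echo malformed ;;   # e.g. unbalanced quote, stray text
    esac
}

# $1 = rc.conf path, $2 = running net.inet.ip.forwarding value (0 or 1).
# Prints one verdict word for a host that is expected to forward packets.
gateway_check() {
    want=$(rc_gateway_state "$1")
    case "$want:$2" in
        yes:1)   echo ok ;;
        yes:0)   echo kernel-not-forwarding ;;  # rc.conf fine, sysctl still off
        no:*)    echo disabled-in-rc-conf ;;
        *:0|*:1) echo "rc-conf-$want" ;;        # rc-conf-unset / rc-conf-malformed
        *)       echo bad-sysctl-value ;;
    esac
}

# On the firewall itself:
#   gateway_check /etc/rc.conf "$(sysctl -n net.inet.ip.forwarding)"
```

Any verdict other than ok on a gateway means transit packets can pass the ruleset and still be dropped, which is the symptom reported above.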