Date: Sat, 26 Feb 2000 10:50:49 +0100 (CET)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: jsegovia@cnc.una.py
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state and fwd
Message-ID: <200002260950.KAA17547@info.iet.unipi.it>
In-Reply-To: <200002251834.OAA26064@alpha.cnc.una.py> from "jsegovia@cnc.una.py" at "Feb 25, 2000 02:35:29 pm"

Hi,

I am trying to figure out what is happening here. I think I am kind of
close to understanding.

The basic problem is that dynamic rules are bidirectional whereas 'fwd'
rules are unidirectional. So if you write your code without keep-state
you have something like

    20 fwd ... tcp from ... to any 25
    30 allow tcp from any to any

and the return packets match rule 30.

With keep-state, and the way you write your rules, you have packets in
both directions match the 'fwd' rule, apparently resulting in an infinite
loop.

I am looking at a fix to make dynamic rules understand 'forward'
(basically do the address rewrite in one direction, and behave as a
'pass' rule in the other one).

I hope to fix this for the release of -current.

	cheers
	luigi

-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
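
A simplified model of the matching behaviour described in the message above, as an added example that is not part of the original e-mail and is not ipfw source code. The class, the addresses and the `direction_aware` switch are assumptions made for illustration; only rule numbers 20 and 30 come from the message.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    # Dynamic rules are bidirectional: both directions map to one key.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class ToyFilter:
    """Toy stand-in for rules 20 (fwd ... to any 25) and 30 (allow any)."""

    def __init__(self, keep_state, direction_aware=False):
        self.keep_state = keep_state
        self.direction_aware = direction_aware  # hypothetical switch for the proposed fix
        self.dynamic = {}  # flow key -> (action, endpoint that opened the flow)

    def verdict(self, p):
        entry = self.dynamic.get(flow_key(p))
        if entry is not None:
            action, opener = entry
            is_reply = (p.src, p.sport) != opener
            if action == "fwd" and self.direction_aware and is_reply:
                return "allow"   # proposed fix: act as 'pass' on the way back
            return action        # parent action applied to both directions
        if p.dport == 25:        # rule 20
            if self.keep_state:
                self.dynamic[flow_key(p)] = ("fwd", (p.src, p.sport))
            return "fwd"
        return "allow"           # rule 30

def trace(keep_state, direction_aware=False):
    """Return the verdicts for one outbound packet and its reply."""
    fw = ToyFilter(keep_state, direction_aware)
    out = Packet("192.0.2.10", 40000, "198.51.100.25", 25)    # constructed sample
    reply = Packet("198.51.100.25", 25, "192.0.2.10", 40000)  # constructed sample
    return [fw.verdict(out), fw.verdict(reply)]

if __name__ == "__main__":
    print("no keep-state:     ", trace(False))
    print("keep-state, as is: ", trace(True))
    print("keep-state, fixed: ", trace(True, direction_aware=True))
```

The middle case is the one to look for when auditing a ruleset: a stateful entry created by a one-way action ends up applying that action to reply traffic as well.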