From owner-freebsd-bugs  Tue Apr  9  0: 0:48 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0214B37B428
	for <freebsd-bugs@hub.freebsd.org>; Tue,  9 Apr 2002 00:00:06 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g39705l05540;
	Tue, 9 Apr 2002 00:00:05 -0700 (PDT)
	(envelope-from gnats)
Date: Tue, 9 Apr 2002 00:00:05 -0700 (PDT)
Message-Id: <200204090700.g39705l05540@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc: 
From: "Crist J. Clark" <cjc@FreeBSD.org>
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Reply-To: "Crist J. Clark" <cjc@FreeBSD.org>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org

The following reply was made to PR kern/36895; it has been noted by GNATS.

From: "Crist J. Clark" <cjc@FreeBSD.org>
To: Joe Barbish <barbish@a1poweruser.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Date: Mon, 8 Apr 2002 23:59:16 -0700

 On Mon, Apr 08, 2002 at 12:37:48PM -0700, Joe Barbish wrote:
 [snip]
 > I have an ipfw firewall rule set that exclusively uses the advaniced
 > statefull keep-state option. Rule set functions correctly (ie: dynamic
 > rules get build) when I use the nat feature of user ppp.
 > 
 > When I compile the ipdivert option
 > into the kernel, enable the divert options in rc.conf, and add the
 > divert rule to the ipfw rules, my ipfw firewall stops working. All the packets get rejected by the default deny everything rule at the end of
 > the rule set. If I use stateless and simpile stateful rules instead of
 > advaniced statefull rules then the divert rule works ok.
 > 
 > Acts like the divert function packet handoff to natd has a problem when
 > the new keep-state option is used.     
 > >How-To-Repeat:
 >       Build your own keep-state rule set and test.
 
 They work fine for me. Your ruleset, rc.conf(5), ifconfig(8), and
 'grep -i ipfw /var/run/dmesg.boot' please?
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message