From owner-freebsd-stable Thu Mar 22 7:46:30 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from mailgate.abacus.co.uk (mailgate.abacus.co.uk [194.130.48.21])
	by hub.freebsd.org (Postfix) with ESMTP id 03CF337B718
	for ; Thu, 22 Mar 2001 07:46:18 -0800 (PST)
	(envelope-from antony@abacus.co.uk)
Received: from abacus.co.uk (pcantony.bl.abacus.co.uk [194.130.48.111])
	by mailgate.abacus.co.uk (8.9.3/8.9.3) with ESMTP id PAA14948;
	Thu, 22 Mar 2001 15:44:40 GMT
Message-ID: <3ABA1E3C.B3010B12@abacus.co.uk>
Date: Thu, 22 Mar 2001 15:46:04 +0000
From: Antony T Curtis
Organization: Abacus Polar PLC (UK)
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.1.1-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: abgoeree@uwnet.nl
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw stateful filtering
References: <20010322164215.A20386@mandark.attica.home>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Andre Goeree wrote:
>
> Hello,
>
> I'm experimenting a little with stateful filtering.
> Somehow it doesn't work like I expect; output of "ipfw show":
>
> 00100 0 0 check-state
> 00200 2874 690508 allow ip from any to any via lo0
> [snip address checking rules]
> 02100 0 0 deny tcp from any to any via tun* established
> 02200 890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> [snip local network rules]
> ## Dynamic rules:
> 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
>
> It appears that the check-state rule never matches..
> Am I overlooking something?

Do you have a divert somewhere in-between to natd?
I think you'd need a check-state after that.

> --Andre.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
ANTONY T CURTIS                     Tel: +44 (1635) 36222
Abacus Polar Holdings Ltd           Fax: +44 (1635) 38670
> BOO! We changed Coke again! BLEAH! BLEAH!