Hello everybody,

I upgraded to yesterday's -CURRENT and have made a few observations:

1) natd does not work. This is known, but I have tracked it to its
interaction with libalias, which means that any program that uses
libalias functions is also affected (and indeed, ppp(8)'s -nat option
does not work either). If I downgrade the file src/sys/netinet/ip_fw.h
to the version from June 27 and recompile libalias and natd, things
work.

2) And, much more alarmingly: although the new ipfw really seems to
process the ruleset faster, some rules appear to do nothing! I
have a "default-to-deny" setup, so theoretically this should mean that I
should be cut off from the net if the allow rules do not work. And
indeed, flushing all rules gives the expected behaviour. But as soon as
I load the ruleset file (which is the same as before, when it
worked as expected), the fw becomes wide open; the only rules that appear
to work are the divert for natd and the allow rules. The deny rules
do nothing; it seems that even the "catch-all" implicit deny rule at the
bottom does nothing. Am I going insane, or is this real?

Also, I have observed that when loading the rules from the ruleset file,
ipfw prints two lines for each, one with the expected rule number and
one with all zeros. I don't know if it's significant, though.

It is like this:

00000 deny log  ip from any to any
03600 deny log  ip from any to any

This did not happen previously...


Szilveszter ADAM
Szombathely Hungary

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
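A small sanity check for the two symptoms above, added here as an example and not part of the original post: it reads ipfw-style rule listing lines, flags any rule listed with number 00000, and confirms that the last listed rule is a deny (so a default-to-deny ruleset really ends in one). The sample ruleset is constructed for this example, modelled on the two lines quoted in the post, not a capture from the author's machine.

```shell
#!/bin/sh
# Constructed sample of "ipfw list" output (not a real capture): a divert
# for natd, an allow, the duplicated deny with number 00000 from the post,
# and the final catch-all deny.
SAMPLE_RULESET='00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any via lo0
00000 deny log ip from any to any
03600 deny log ip from any to any
65535 deny ip from any to any'

# check_ruleset: read rule lines on stdin and print findings.
# Exit status is 0 only if no rule is numbered 0, every line parses,
# and the last listed rule is a deny.
check_ruleset() {
    awk '
        NF == 0 { next }
        $1 !~ /^[0-9]+$/ { print "unparseable line: " $0; bad = 1; next }
        $1 + 0 == 0 { print "zero-numbered rule: " $0; zero++ }
        { last = $2 }
        END {
            if (zero) { print zero " rule(s) listed with number 00000"; bad = 1 }
            if (last != "deny") { print "last rule is \"" last "\", not deny"; bad = 1 }
            if (bad) exit 1
            exit 0
        }'
}

# count_zero_rules: print how many rules on stdin are numbered 0.
count_zero_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 == 0 { n++ } END { print n + 0 }'
}

# Run the check against the constructed sample; it is expected to fail
# because of the 00000 rule.
printf '%s\n' "$SAMPLE_RULESET" | check_ruleset || echo "ruleset check FAILED"
```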
