On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
> > On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
> >> >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
> >> >> file.
> >> >
> >> > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
> >> > natd_interface="rl0"
> >> > natd_enable="YES"
> >> >
> >> > But I didn't change anything here, and it always worked.
> >>
> >> Indeed, I did mean rc.conf...sorry ;o)
> >>
> >> Now would be a good time to post your fw ruleset.
> >
> > add 00300 divert 8668 ip from any to any
> > add 01300 unreach port tcp from any to any 6699
> > add 01400 allow log all from any to any via lo0
> > add 01600 check-state
>
> Well, I would hate to do this, but for testing purposes, add a rule (very
> briefly)...
>
> > add 00300 divert 8668 ip from any to any
> > add 01300 unreach port tcp from any to any 6699
> > add 01400 allow log all from any to any via lo0
>
> add 1500 allow log logamount 1000 all from any to any
>
> and check to see if things are working. Your security log file may
> indicate where traffic is going whether it is or not.

Yes, it works, but of course I can't leave this rule in all the time.
The SYN/ACK packet that comes back from the remote server is denied by rule 
01900. But it should be allowed by the check-state rule.

> Also, I know you haven't changed anything, but what does the output from
> this command state?:
>
> # sysctl net.inet.ip.forwarding

It is set to 1. I changed this a long time ago.
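Whether check-state can pass the returning SYN/ACK depends on the addresses the dynamic rule was recorded with, and with natd in the path those depend on where the divert rule sits. The model below is an added example, not code from the thread: a toy simulation of ipfw rule walking with a crude natd, using constructed sample addresses, that contrasts a single early divert (as in the ruleset posted above) with the FreeBSD handbook ordering of divert-in before check-state and keep-state before divert-out.

```python
# Added example, not from the mailing-list thread: a toy model of how ipfw's
# check-state sees a returning SYN/ACK when natd is in the path. After a
# "divert" rule natd rewrites the packet and ipfw resumes at the next rule,
# so the addresses keep-state records and check-state later compares depend
# on where divert sits. All addresses are constructed sample values.
INSIDE, OUTSIDE, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"

def flow_key(pkt):
    """Direction-independent flow key, like an ipfw dynamic rule."""
    return frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})

def natd(pkt, direction, table):
    """Crude natd: rewrite the source going out, undo it on the way back in."""
    if direction == "out":
        table[pkt["sport"]] = pkt["src"]            # remember the inside host
        return dict(pkt, src=OUTSIDE)
    if pkt["dst"] == OUTSIDE and pkt["dport"] in table:
        return dict(pkt, dst=table[pkt["dport"]])
    return pkt

def run(rules, pkt, direction, state, table):
    """Walk (action, direction-or-None) rules and return the final verdict.
    keep-state is modelled as 'record the flow and fall through' (the FreeBSD
    handbook gets that effect with skipto to the outbound divert rule)."""
    for action, only in rules:
        if only is not None and only != direction:
            continue
        if action == "divert":
            pkt = natd(pkt, direction, table)
        elif action == "keep-state":
            state.add(flow_key(pkt))
        elif action == "check-state" and flow_key(pkt) in state:
            return "allow"
        elif action in ("allow", "deny"):
            return action
    return "deny"                                   # implicit default deny

def reply_verdict(rules):
    """Send one SYN through the ruleset, then the SYN/ACK it provokes."""
    state, table = set(), {}
    syn = {"src": INSIDE, "sport": 1234, "dst": REMOTE, "dport": 80}
    run(rules, syn, "out", state, table)
    synack = {"src": REMOTE, "sport": 80, "dst": OUTSIDE, "dport": 1234}
    return run(rules, synack, "in", state, table)

# Thread-style order: one divert for both directions, check-state later.
# Outbound state is recorded with the external address, but the reply is
# compared after natd has put the inside address back: the keys never meet.
THREAD = [("divert", None), ("check-state", None), ("keep-state", "out"),
          ("allow", "out"), ("deny", None)]
# Handbook order: divert inbound before check-state, keep-state before the
# outbound divert, so both sides of the flow are recorded with inside addresses.
HANDBOOK = [("divert", "in"), ("check-state", None), ("keep-state", "out"),
            ("divert", "out"), ("allow", "out"), ("deny", None)]
if __name__ == "__main__":
    print("thread order  :", reply_verdict(THREAD))    # deny
    print("handbook order:", reply_verdict(HANDBOOK))  # allow
```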

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions