" From: "Michael Lim(vpn)" <[EMAIL PROTECTED]> " " " > # ipfstat -io " > pass out on ipdptp0 proto tcp/udp from 216.41.37.11/32 to any keep state " > pass out on ipdptp0 proto icmp from 216.41.37.11/32 to any keep state " > block in log quick on ipdptp0 proto icmp from any to 216.41.37.11/32 " > block in log quick from any to any with ipopt " > block in log quick proto tcp from any to any with short " > block in on ipdptp0 from any to any " > pass in on ipdptp0 proto tcp from 208.218.130.0/27 to 216.41.37.11/32 port = 25 flags S/FSRPAU keep state keep frags " > pass in on ipdptp0 proto tcp from any to 216.41.37.11/32 port > 32767 flags S/FSRPAU keep state keep frags head 100 " > block in from 0.0.0.0/8 to any group 100 " > block in from 10.0.0.0/8 to any group 100 " > block in from 127.0.0.0/8 to any group 100 " > block in from 169.154.0.0/16 to any group 100 " > block in from 172.16.0.0/12 to any group 100 " > block in from 192.0.2.0/24 to any group 100 " > block in from 192.168.0.0/16 to any group 100 " > block in from 216.41.37.11/32 to any group 100 " > block in from 224.0.0.0/3 to any group 100 " > " > " http://coombs.anu.edu.au/~avalon/ipfil-flow.html " " From this diagram, it appears that packet filter rules to operate on " outbound packets before NAT and inbound packets after NAT.
hmmm... trying to get my head around this. sounds like natted addrs would need a separate set of filter rules, since they go through the filters before natting. i didn't realize this before. " As your firewall is set to default pass, the outbound packets didn't " match any of your rules but were passed without maintaining any " state information and the inbound packets wouldn't have an existing " entry to match. " " I would add a rule which would pass outbound packets from your " internal system to any. don't the first two rules above do that? [i guess they don't] " When snooping for the traffic on the outside, was the outbound " traffic properly NAT'ed? you mean snooping the external if? does snoop report inside or outside the nat? it's showing the real inside ip of the notebook. it also shows only the replies from outside, not the outgoing packets, but that may be my options to it. " Additionally, the lack of active sessions or host mappings from " ipnat -slv seems odd. that may have been my fault. i mucked about with the ipnat rules a bit before doing the dump, and i may have inadvertently flushed them after my last experiments. i could swear i saw some at one point. -- just added two rules to pass out from 10.0.0.0/8 and that seems to do the trick. grisoft antivirus update doesn't seem to work though; complains that the file can't be found on the remote server. do i need a pass in rule for this, or a [ftp?] proxy? ftp doesn't work either. could this be it? what's the solution, without shutting ftp off from my [firewall] sun? the light is slowly dawning... in the future, i'll move firewalling to a separate machine, and i think this will simplify my life considerably. ________________________________________________________________________ Andrew Hay the genius nature internet rambler is to see what all have seen [EMAIL PROTECTED] and think what none thought
