Darren, thanks for your response.
[EMAIL PROTECTED] wrote:
...
Refer to ipstat display below.
The packets are blocked as described above with or w/o statements 46, 47, 48. Statements 40-48 were my attempt to say, "Pass in ANY packet from these trusted hosts, regardless of the flag being set."
...
@46 pass in quick proto tcp from 123.456.70.0/26 to any flags FSRPAU/FSRPAU keep state keep frags
@47 pass in quick proto tcp from 123.456.70.64/27 to any flags FSRPAU/FSRPAU keep state keep frags
@48 pass in quick proto tcp from 123.456.70.96/28 to any flags FSRPAU/FSRPAU keep state keep frags
What you have said is: match only packets with all of the flags FIN, SYN, RST, PSH, ACK and URG set.
Or, in other words, those rules will never match a packet :)
Oh, I see. Thanks for correcting my inverted logic.
To match all packets, regardless of flags, do not specify the "flags X/Y" in the rule.
Statements 46, 47, 48 were an attempt (though wrong) to address the same test scenario where the block occurred exactly as described (... tcp ... -R IN) with statements 40, 42, 44 w/o "flags X/Y" in the rules:
@40 pass in quick proto tcp from 123.456.70.0/26 to any keep state keep frags
@42 pass in quick proto tcp from 123.456.70.64/27 to any keep state keep frags
@44 pass in quick proto tcp from 123.456.70.96/28 to any keep state keep frags
Also, previous tests have resulted in "... tcp ... -AF IN" blocks occurring.
Again, I never want my trusted hosts to be blocked from each other for any reason unless I explicitly set a rule to do so. How do I accomplish this?
Charles
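The point Darren makes above (that "flags FSRPAU/FSRPAU" requires every TCP flag to be set, while a rule with no flags clause matches any TCP packet) is easy to check by modelling the clause evaluation. The following is an added illustration, not code from this thread or from IPFilter itself: it evaluates a "flags X/Y" clause the way ipf.conf(5) describes it (the packet's flag bits are ANDed with the mask Y and the result must equal X). The rule clauses and the sample packet flag strings are constructed for the example; "R" and "AF" echo the "-R IN" and "-AF IN" blocks Charles reports. Treating a bare "flags X" as "flags X/FSRPAU" is an assumption about the default mask, so verify it against the ipf.conf(5) of the version in use.

```python
"""Model of IPFilter's TCP "flags X/Y" matching.

Added example for the mailing-list thread; not IPFilter's own code.
"""

# Bit values are arbitrary for this model; only set/clear membership matters.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_TCP_FLAGS = "FSRPAU"

# Constructed sample packets, written as the flag letters ipfstat/ipmon print.
# "R" and "AF" mirror the "-R IN" / "-AF IN" blocks mentioned in the thread.
SAMPLE_PACKET_FLAGS = ["S", "A", "AF", "R"]


def flags_to_bits(letters):
    """Convert a flag string such as "AF", "S" or "FSRPAU" into a bitmask."""
    bits = 0
    for letter in letters:
        bits |= TCP_FLAG_BITS[letter.upper()]
    return bits


def bits_to_flags(bits):
    """Inverse of flags_to_bits, always in FSRPAU order."""
    return "".join(l for l in ALL_TCP_FLAGS if bits & TCP_FLAG_BITS[l])


def parse_flags_clause(clause):
    """Parse the text after the "flags" keyword into (want, mask).

    "X/Y": (packet_flags & Y) must equal X.
    "X" alone is treated as "X/FSRPAU" (assumed default mask; see lead-in).
    """
    if "/" in clause:
        want_str, mask_str = clause.split("/", 1)
    else:
        want_str, mask_str = clause, ALL_TCP_FLAGS
    want, mask = flags_to_bits(want_str), flags_to_bits(mask_str)
    if want & ~mask:
        raise ValueError("flags %s: wanted bits outside the mask" % clause)
    return want, mask


def tcp_flags_match(clause, packet_flags):
    """True if a TCP packet carrying packet_flags satisfies the clause.

    clause=None models a rule written with no flags clause at all, which
    matches regardless of which flags are set.
    """
    if clause is None:
        return True
    want, mask = parse_flags_clause(clause)
    return (flags_to_bits(packet_flags) & mask) == want


def count_matching_combinations(clause):
    """How many of the 64 possible FSRPAU combinations the clause accepts."""
    return sum(1 for bits in range(64) if tcp_flags_match(clause, bits_to_flags(bits)))


def which_packets_match(clause, packets=SAMPLE_PACKET_FLAGS):
    """Return the sample packets (by flag string) the clause would pass."""
    return [f for f in packets if tcp_flags_match(clause, f)]


if __name__ == "__main__":
    for clause in ("FSRPAU/FSRPAU", "S/SA", None):
        print("flags %-14s matches %2d/64 combinations; sample packets passed: %s"
              % (clause, count_matching_combinations(clause), which_packets_match(clause)))
```

Running it shows the three cases side by side: "FSRPAU/FSRPAU" accepts exactly one of the 64 flag combinations (all six set), which no real segment carries, so none of the sample packets pass; "S/SA" is the usual way to admit only the SYN that opens a connection; and a rule with no flags clause passes every sample packet, including the RST and ACK+FIN segments, which is what the trusted-host rules need.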