I just tracked down that having the line:

    add divert natd all from any to any via tun0

no longer works (it used to work with ipfw). The man page says this: according to man, packets diverted to userland and reinserted lose their attributes.

The following rules work:

    allow icmp from any to any
    allow udp from any to 161.142.1.17 53 via tun0
    allow udp from 161.142.1.17 53 to any via tun0

But stateful rules like the ones below don't:

    add allow tcp from any to any out xmit tun0 setup
    add allow tcp from any to any via tun0 established
    add allow udp from any to 61.6.32.62 123 keep-state

So, does this mean that a TCP packet going out sets up a dynamic rule before going out via natd, but coming in it is diverted via natd, loses some info about state, and doesn't get passed through any rules?

For the TCP dynamic rules: 10 packets get diverted by the natd rule, 5 packets match the tcp rule "via tun0 setup", and 0 packets are denied by the last "deny all" rule. What happened to the packets that are supposed to be coming in via the setup rule? What's the proper way to do natd with ipfw2?

So far, it's the only problem with my recent testing of current :(. As a relative newbie, updating from src was painless, so it looks like it will be a pretty smooth upgrade for FreeBSD 5.0. It's amazing how well the FreeBSD team does things.

Any help much appreciated, as always.

-- 
Khairil Yusof <[EMAIL PROTECTED]>