Re: Problems after IP change

2004-07-30 Thread Loren M. Lang
On Wed, Jul 28, 2004 at 03:48:17PM +, Daniela wrote:
 On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
   Also, post the relevant ``natd'' line entries in your /etc/natd.conf
   file.
  
   natd.conf doesn't exist. Do you mean rc.conf? Here it is:
   natd_interface=rl0
   natd_enable=YES
  
   But I didn't change anything here, and it always worked.
 
  Indeed, I did mean rc.conf...sorry ;o)
 
  Now would be a good time to post your fw ruleset.
 
 add 00300 divert 8668 ip from any to any
 add 01300 unreach port tcp from any to any 6699 
 add 01400 allow log all from any to any via lo0
 add 01600 check-state
 
 add 01700 allow log logamount 1000 tcp from any to me 22 in setup keep-state
 add 01701 allow log logamount 1000 tcp from me 22 to any out
I believe this is matching all your outgoing ssh connections but not
keeping state, so the outgoing SYN packets get accepted but the incoming
SYN/ACK packets get rejected when they hit rule 1900 below.

 add 01702 allow log logamount 1000 tcp from any to me 21 in setup keep-state
 add 01703 allow log logamount 1000 tcp from me 21 to any out
Same with ftp.

Were those the only protocols that didn't work, or did nothing work?

 
 add 01900 deny log tcp from any to any in established
 
 add 11700 allow tcp from any to any out setup keep-state
 add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
 add 11702 allow udp from any to 212.33.32.160 53
 add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
 add 11704 allow udp from any to 212.33.55.5 53
 add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0
 
 add 11801 allow icmp from any to any icmptypes 3
 add 11802 allow icmp from any to any icmptypes 4
 add 11803 allow icmp from any to any icmptypes 8 out
 add 11804 allow icmp from any to any icmptypes 0 in
 add 11805 allow icmp from any to any icmptypes 9 out
 add 11806 allow log icmp from any to any icmptypes 11 in
 add 11807 allow log icmp from any to any icmptypes 11 out
 
 add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
 add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
 add 11902 allow all from me to 224.0.0.2/24 out via rl0
 add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
 add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
 add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
 add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
 add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
 add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
 add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
 add 11910 allow ip from any to 224.0.0.9/24 in via rl0
 
 
 add 2 allow all from 10.0.0.0/24 to any in recv rl1
 add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
 add 20002 count log all from 10.0.0.0/24 to any
 add 20003 count log all from any to 10.0.0.0/24
 
 
 add 65534 deny log ip from any to any
 

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
 




Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 Hi all!

 I recently got a new IP on my outside interface, and I replaced the old IP
 with the new one in my IPFW ruleset, and restarted natd.
 Now everything was alright until my network clients (on the inside
 interface)
 started complaining that they can't connect to remote servers. Ping still
 works, but they can't fetch their mail or surf the net.
 It looks like something is wrong with my firewall, but I changed nothing
 but
 the old address.
 Are there other processes that need to be restarted?

Did you actually change the IP on the interface itself? If not:

edit /etc/rc.conf and change the IP/Netmask, then:

# /etc/netstart

Steve


 Regards,
 Daniela




___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:03, Steve Bertrand wrote:
  Hi all!
 
  I recently got a new IP on my outside interface, and I replaced the old
  IP with the new one in my IPFW ruleset, and restarted natd.
  Now everything was alright until my network clients (on the inside
  interface)
  started complaining that they can't connect to remote servers. Ping still
  works, but they can't fetch their mail or surf the net.
  It looks like something is wrong with my firewall, but I changed nothing
  but
  the old address.
  Are there other processes that need to be restarted?

 Did you actually change the IP on the interface itself? If not:

 edit /etc/rc.conf and change the IP/Netmask, then:

 # /etc/netstart

Yes, the IP was changed. I ran /etc/netstart, but it didn't help. As I said, 
ping works as normal, and the packet sniffer shows normal TCP connections and 
there are even answers from the remote servers, so I really have no clue what 
could be wrong. I don't think it would do this with a wrong IP.



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 14:03, Steve Bertrand wrote:
  Hi all!
 
  I recently got a new IP on my outside interface, and I replaced the
 old
  IP with the new one in my IPFW ruleset, and restarted natd.
  Now everything was alright until my network clients (on the inside
  interface)
  started complaining that they can't connect to remote servers. Ping
 still
  works, but they can't fetch their mail or surf the net.
  It looks like something is wrong with my firewall, but I changed
 nothing
  but
  the old address.
  Are there other processes that need to be restarted?

 Did you actually change the IP on the interface itself? If not:

 edit /etc/rc.conf and change the IP/Netmask, then:

 # /etc/netstart

 Yes, the IP was changed. I ran /etc/netstart, but it didn't help. As I
 said,
 ping works as normal, and the packet sniffer shows normal TCP connections
 and
 there are even answers from the remote servers, so I really have no clue
 what
 could be wrong. I don't think it would do this with a wrong IP.



Do you have an ``alias_address'' statement in your natd.conf file?

Usually, you will specify the interface that natd operates on, but in some
situations, some will specify an alias address instead.

Check the file, and ensure that you are not aliasing the old address.

Steve




RE: Problems after IP change

2004-07-28 Thread Hauan, David


 -Original Message-
 From: Steve Bertrand [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, July 28, 2004 7:22 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Problems after IP change
 
 
  On Wednesday 28 July 2004 14:03, Steve Bertrand wrote:
   Hi all!
  
   I recently got a new IP on my outside interface, and I 
 replaced the
  old
   IP with the new one in my IPFW ruleset, and restarted natd.
   Now everything was alright until my network clients (on 
 the inside
   interface)
   started complaining that they can't connect to remote 
 servers. Ping
  still
   works, but they can't fetch their mail or surf the net.
   It looks like something is wrong with my firewall, but I changed
  nothing
   but
   the old address.
   Are there other processes that need to be restarted?
 
  Did you actually change the IP on the interface itself? If not:
 
  edit /etc/rc.conf and change the IP/Netmask, then:
 
  # /etc/netstart
 
  Yes, the IP was changed. I ran /etc/netstart, but it didn't 
 help. As I
  said,
  ping works as normal, and the packet sniffer shows normal 
 TCP connections
  and
  there are even answers from the remote servers, so I really 
 have no clue
  what
  could be wrong. I don't think it would do this with a wrong IP.
 
 
 
 Do you have an ``alias_address'' statement in your natd.conf file?
 
 Usually, you will specify the interface that natd operates 
 on, but in some
 situations, some will specify an alias address instead.
 
 Check the file, and ensure that you are not aliasing the old address.
 
 Steve

Can you ping outside addresses from the inside clients?
Is the FW box running dhcp?
If not did you change the gateway on the inside clients?

Just a thought.

dave 


Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:21, Steve Bertrand wrote:
  Did you actually change the IP on the interface itself? If not:
 
  edit /etc/rc.conf and change the IP/Netmask, then:
 
  # /etc/netstart
 
  Yes, the IP was changed. I ran /etc/netstart, but it didn't help. As I
  said,
  ping works as normal, and the packet sniffer shows normal TCP connections
  and
  there are even answers from the remote servers, so I really have no clue
  what
  could be wrong. I don't think it would do this with a wrong IP.

 Do you have an ``alias_address'' statement in your natd.conf file?

I have no natd.conf file. At least I never touched it. But it always worked 
like a dream. BTW, natd is started with the command line natd -n rl0.



Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:27, Hauan, David wrote:
   Did you actually change the IP on the interface itself? If not:
  
   edit /etc/rc.conf and change the IP/Netmask, then:
  
   # /etc/netstart
  
   Yes, the IP was changed. I ran /etc/netstart, but it didn't
 
  help. As I
 
   said,
   ping works as normal, and the packet sniffer shows normal
 
  TCP connections
 
   and
   there are even answers from the remote servers, so I really
 
  have no clue
 
   what
   could be wrong. I don't think it would do this with a wrong IP.
 
  Do you have an ``alias_address'' statement in your natd.conf file?
 
  Usually, you will specify the interface that natd operates
  on, but in some
  situations, some will specify an alias address instead.
 
  Check the file, and ensure that you are not aliasing the old address.
 
  Steve

 Can you ping outside addresses from the inside clients?
 Is the FW box running dhcp?
 If not did you change the gateway on the inside clients?

Yes, I can ping everything and I can also open TCP connections from the 
clients. A SYN packet goes out and a SYN/ACK comes back, but I don't see any 
further packets. That's why I suspected my firewall, but I changed almost 
nothing in the configuration.



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand

 Do you have an ``alias_address'' statement in your natd.conf file?

 I have no natd.conf file. At least I never touched it. But it always
 worked
 like a dream. BTW, natd is started with the command line natd -n rl0.

Try shutting down natd and load it with:

# natd -a x.x.x.x

where x.x.x.x == your_new_ip

Does this help?

Also, post the relevant ``natd'' line entries in your /etc/natd.conf file.

Steve






Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 14:21, Steve Bertrand wrote:
  Did you actually change the IP on the interface itself? If not:
 
  edit /etc/rc.conf and change the IP/Netmask, then:
 
  # /etc/netstart
 
  Yes, the IP was changed. I ran /etc/netstart, but it didn't help. As I
  said,
  ping works as normal, and the packet sniffer shows normal TCP
 connections
  and
  there are even answers from the remote servers, so I really have no
 clue
  what
  could be wrong. I don't think it would do this with a wrong IP.

 Do you have an ``alias_address'' statement in your natd.conf file?

 I have no natd.conf file. At least I never touched it. But it always
 worked
 like a dream. BTW, natd is started with the command line natd -n rl0.

Also, I forget if you said whether you actually reloaded your firewall
rules or not.

Steve







Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:36, Steve Bertrand wrote:
  Do you have an ``alias_address'' statement in your natd.conf file?
 
  I have no natd.conf file. At least I never touched it. But it always
  worked
  like a dream. BTW, natd is started with the command line natd -n rl0.

 Try shutting down natd and load it with:

 # natd -a x.x.x.x

 where x.x.x.x == your_new_ip

 Does this help?

No, it's still the same.

 Also, post the relevant ``natd'' line entries in your /etc/natd.conf file.

natd.conf doesn't exist. Do you mean rc.conf? Here it is:
natd_interface=rl0
natd_enable=YES

But I didn't change anything here, and it always worked.



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 14:36, Steve Bertrand wrote:
  Do you have an ``alias_address'' statement in your natd.conf file?
 
  I have no natd.conf file. At least I never touched it. But it always
  worked
  like a dream. BTW, natd is started with the command line natd -n
 rl0.

 Try shutting down natd and load it with:

 # natd -a x.x.x.x

 where x.x.x.x == your_new_ip

 Does this help?

 No, it's still the same.

 Also, post the relevant ``natd'' line entries in your /etc/natd.conf
 file.

 natd.conf doesn't exist. Do you mean rc.conf? Here it is:
 natd_interface=rl0
 natd_enable=YES

 But I didn't change anything here, and it always worked.


Indeed, I did mean rc.conf...sorry ;o)

Now would be a good time to post your fw ruleset.

Steve







Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:38, Steve Bertrand wrote:
  Do you have an ``alias_address'' statement in your natd.conf file?
 
  I have no natd.conf file. At least I never touched it. But it always
  worked
  like a dream. BTW, natd is started with the command line natd -n rl0.

 Also, I forget if you said whether you actually reloaded your firewall
 rules or not.

Of course I reloaded it, and when I view a diff between the current and 
previous output of `ipfw l` there's just the address changed. Nothing else.



Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
  Also, post the relevant ``natd'' line entries in your /etc/natd.conf
  file.
 
  natd.conf doesn't exist. Do you mean rc.conf? Here it is:
  natd_interface=rl0
  natd_enable=YES
 
  But I didn't change anything here, and it always worked.

 Indeed, I did mean rc.conf...sorry ;o)

 Now would be a good time to post your fw ruleset.

add 00300 divert 8668 ip from any to any
add 01300 unreach port tcp from any to any 6699 
add 01400 allow log all from any to any via lo0
add 01600 check-state

add 01700 allow log logamount 1000 tcp from any to me 22 in setup keep-state
add 01701 allow log logamount 1000 tcp from me 22 to any out
add 01702 allow log logamount 1000 tcp from any to me 21 in setup keep-state
add 01703 allow log logamount 1000 tcp from me 21 to any out

add 01900 deny log tcp from any to any in established

add 11700 allow tcp from any to any out setup keep-state
add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
add 11702 allow udp from any to 212.33.32.160 53
add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
add 11704 allow udp from any to 212.33.55.5 53
add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0

add 11801 allow icmp from any to any icmptypes 3
add 11802 allow icmp from any to any icmptypes 4
add 11803 allow icmp from any to any icmptypes 8 out
add 11804 allow icmp from any to any icmptypes 0 in
add 11805 allow icmp from any to any icmptypes 9 out
add 11806 allow log icmp from any to any icmptypes 11 in
add 11807 allow log icmp from any to any icmptypes 11 out

add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
add 11902 allow all from me to 224.0.0.2/24 out via rl0
add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
add 11910 allow ip from any to 224.0.0.9/24 in via rl0


add 2 allow all from 10.0.0.0/24 to any in recv rl1
add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
add 20002 count log all from 10.0.0.0/24 to any
add 20003 count log all from any to 10.0.0.0/24


add 65534 deny log ip from any to any



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
  Also, post the relevant ``natd'' line entries in your /etc/natd.conf
  file.
 
  natd.conf doesn't exist. Do you mean rc.conf? Here it is:
  natd_interface=rl0
  natd_enable=YES
 
  But I didn't change anything here, and it always worked.

 Indeed, I did mean rc.conf...sorry ;o)

 Now would be a good time to post your fw ruleset.

 add 00300 divert 8668 ip from any to any
 add 01300 unreach port tcp from any to any 6699
 add 01400 allow log all from any to any via lo0
 add 01600 check-state

Well, I would hate to do this, but for testing purposes, add a rule (very
briefly)...

 add 00300 divert 8668 ip from any to any
 add 01300 unreach port tcp from any to any 6699
 add 01400 allow log all from any to any via lo0
add 1500 allow log logamount 1000 all from any to any

and check to see if things are working. Your security log file may
indicate where traffic is going whether it is or not.

Also, I know you haven't changed anything, but what does the output from
this command state?:

# sysctl net.inet.ip.forwarding

Steve


 add 01700 allow log logamount 1000 tcp from any to me 22 in setup
 keep-state
 add 01701 allow log logamount 1000 tcp from me 22 to any out
 add 01702 allow log logamount 1000 tcp from any to me 21 in setup
 keep-state
 add 01703 allow log logamount 1000 tcp from me 21 to any out

 add 01900 deny log tcp from any to any in established

 add 11700 allow tcp from any to any out setup keep-state
 add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
 add 11702 allow udp from any to 212.33.32.160 53
 add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
 add 11704 allow udp from any to 212.33.55.5 53
 add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0

 add 11801 allow icmp from any to any icmptypes 3
 add 11802 allow icmp from any to any icmptypes 4
 add 11803 allow icmp from any to any icmptypes 8 out
 add 11804 allow icmp from any to any icmptypes 0 in
 add 11805 allow icmp from any to any icmptypes 9 out
 add 11806 allow log icmp from any to any icmptypes 11 in
 add 11807 allow log icmp from any to any icmptypes 11 out

 add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
 add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
 add 11902 allow all from me to 224.0.0.2/24 out via rl0
 add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
 add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
 add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
 add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
 add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
 add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
 add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
 add 11910 allow ip from any to 224.0.0.9/24 in via rl0


 add 2 allow all from 10.0.0.0/24 to any in recv rl1
 add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
 add 20002 count log all from 10.0.0.0/24 to any
 add 20003 count log all from any to 10.0.0.0/24


 add 65534 deny log ip from any to any






Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
  On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
   Also, post the relevant ``natd'' line entries in your /etc/natd.conf
   file.
  
   natd.conf doesn't exist. Do you mean rc.conf? Here it is:
   natd_interface=rl0
   natd_enable=YES
  
   But I didn't change anything here, and it always worked.
 
  Indeed, I did mean rc.conf...sorry ;o)
 
  Now would be a good time to post your fw ruleset.
 
  add 00300 divert 8668 ip from any to any
  add 01300 unreach port tcp from any to any 6699
  add 01400 allow log all from any to any via lo0
  add 01600 check-state

 Well, I would hate to do this, but for testing purposes, add a rule (very
 briefly)...

  add 00300 divert 8668 ip from any to any
  add 01300 unreach port tcp from any to any 6699
  add 01400 allow log all from any to any via lo0

 add 1500 allow log logamount 1000 all from any to any

 and check to see if things are working. Your security log file may
 indicate where traffic is going whether it is or not.

Yes, it works, but of course I can't leave this rule in all the time.
The SYN/ACK packet that comes back from the remote server is denied by rule 
01900. But it should be allowed by the check-state rule.

 Also, I know you haven't changed anything, but what does the output from
 this command state?:

 # sysctl net.inet.ip.forwarding

It is set to 1. I changed this a long time ago.

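Added illustration (editorial, not part of the thread and not FreeBSD's ipfw code): a small Python model of ipfw's first-match evaluation with check-state/keep-state, setup/established, skipto and natd's divert re-injection, run over the lines from Daniela's ruleset that decide a LAN client's TCP connection. It reproduces the symptom she reports above (the SYN/ACK denied by 01900 even though 01600 check-state comes first) and, beside it, one ordering under which the dynamic rule is found; the visited-rule path it returns is the same information Steve was after with his temporary "allow log" rule. The firewall's public address (203.0.113.10), the client, the server and natd's port bookkeeping are constructed stand-ins, the model ignores the ICMP, UDP, RIP and LAN-side rules, logging and natd's real port allocation, and the thread never establishes what was wrong on Daniela's box (her ruleset diff came back empty), so what follows is the mechanism, not a diagnosis.

```python
"""Added model for this thread (not FreeBSD's ipfw code): first-match evaluation of a subset of the posted
ruleset with ipfw's stateful keywords plus natd's divert rewriting.  Addresses below are constructed."""
import ipaddress
from collections import namedtuple

FW_ADDR = "203.0.113.10"  # assumed public address of rl0, i.e. what "me" resolves to
NAT_TABLE = {}            # (proto, port) -> private host, filled by the outbound divert
# direction is "in"/"out", iface the interface the packet is on, flags the TCP flags, e.g. {"SYN", "ACK"}
Pkt = namedtuple("Pkt", "proto src sport dst dport direction iface flags", defaults=(frozenset(),))

# The posted rules that decide a LAN client's TCP connection (natd diverts both directions at 00300).
POSTED = """
add 00300 divert 8668 ip from any to any
add 01600 check-state
add 01900 deny log tcp from any to any in established
add 11700 allow tcp from any to any out setup keep-state
"""

# Constructed alternative: un-NAT inbound before check-state, NAT outbound only after the keep-state
# rule (reached by skipto), so the dynamic entry is keyed on the private address in both directions.
REORDERED = """
add 00300 divert 8668 ip from any to any in via rl0
add 01600 check-state
add 01900 deny log tcp from any to any in established
add 11700 skipto 12000 tcp from any to any out setup keep-state
add 11999 deny log ip from any to any out via rl0
add 12000 divert 8668 ip from any to any out via rl0
add 12001 allow ip from any to any
"""

def parse(line):
    """One 'add ...' line to a dict; only the keywords the rulesets above use are handled."""
    t = [w for w in line.split() if w != "log"]
    r = {"num": int(t[1]), "action": t[2], "proto": "ip", "src": "any", "dst": "any", "iface": None, "opts": set()}
    if r["action"] == "check-state":
        return r
    r["target"] = int(t[3]) if r["action"] in ("divert", "skipto") else None   # divert port / skipto rule
    i = 3 if r["target"] is None else 4
    r["proto"], r["src"], r["dst"], i = t[i], t[i + 2], t[i + 4], i + 5       # <proto> from <src> to <dst>
    while i < len(t):                                                         # in/out, via/recv/xmit, setup, ...
        if t[i] in ("via", "recv", "xmit"):
            r["iface"] = t[i + 1]; i += 2
        else:
            r["opts"].add(t[i]); i += 1
    return r

def addr_ok(spec, addr):
    return spec == "any" or (addr == FW_ADDR if spec == "me" else ipaddress.ip_address(addr) in ipaddress.ip_network(spec))

def matches(r, p):
    """Static part of a rule: proto, addresses, direction, interface, TCP flags."""
    want_dir = r["opts"] & {"in", "out"}
    setup_ok = "setup" not in r["opts"] or ("SYN" in p.flags and "ACK" not in p.flags)  # setup: SYN set, ACK clear
    estab_ok = "established" not in r["opts"] or bool(p.flags & {"ACK", "RST"})         # established: ACK or RST set
    return (r["proto"] in ("ip", "all", p.proto) and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
            and (not want_dir or p.direction in want_dir) and r["iface"] in (None, p.iface)
            and setup_ok and estab_ok)

def natd(p):
    """Model of 'natd -n rl0': public source on the way out, private destination on the way back in."""
    if p.direction == "out" and p.iface == "rl0" and p.src != FW_ADDR:
        NAT_TABLE[(p.proto, p.sport)] = p.src
        return p._replace(src=FW_ADDR)
    if p.direction == "in" and p.iface == "rl0" and (p.proto, p.dport) in NAT_TABLE:
        return p._replace(dst=NAT_TABLE[(p.proto, p.dport)])
    return p

def flow(p, rev=False):
    return (p.proto, p.dst, p.dport, p.src, p.sport) if rev else (p.proto, p.src, p.sport, p.dst, p.dport)

def evaluate(rules, p, state):
    """First-match walk; returns (terminating rule, verdict, rule numbers visited)."""
    rules, i, path = sorted(rules, key=lambda r: r["num"]), 0, []
    while i < len(rules):
        r = rules[i]; i += 1; path.append(r["num"])
        dyn = r["action"] == "check-state" or "keep-state" in r["opts"]   # both consult the dynamic table
        hit = dyn and (state.get(flow(p)) or state.get(flow(p, True)))
        if hit:
            r = hit                       # ipfw runs the action of the rule that created the entry
        elif r["action"] == "check-state" or not matches(r, p):
            continue
        elif "keep-state" in r["opts"]:
            state[flow(p)] = r            # new dynamic entry, keyed on the packet as it looks here
        if r["action"] == "divert":
            p = natd(p)                   # natd rewrites the packet and re-injects it at the next rule
            continue
        if r["action"] == "skipto":
            i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
            continue
        return r["num"], r["action"], path
    return 65535, "deny", path            # ipfw's default rule

def trace(ruleset):
    """A client SYN 10.0.0.5:40000 -> 198.51.100.20:80 leaving on rl0, then the server's SYN/ACK coming back in."""
    rules, state = [parse(l) for l in ruleset.strip().splitlines()], {}
    NAT_TABLE.clear()
    syn = Pkt("tcp", "10.0.0.5", 40000, "198.51.100.20", 80, "out", "rl0", frozenset({"SYN"}))
    synack = Pkt("tcp", "198.51.100.20", 80, FW_ADDR, 40000, "in", "rl0", frozenset({"SYN", "ACK"}))
    return evaluate(rules, syn, state), evaluate(rules, synack, state)
```

trace(POSTED) returns (11700, 'allow', [300, 1600, 1900, 11700]) for the outgoing SYN and (1900, 'deny', [300, 1600, 1900]) for the SYN/ACK: because 00300 diverts both directions, 11700 creates its dynamic entry on the already translated packet (source 203.0.113.10), while 01600 sees the returning SYN/ACK after natd has rewritten its destination back to 10.0.0.5, so the lookup misses and the packet falls through to 01900 with its ACK bit set. trace(REORDERED) gives (12001, 'allow') for both passes, the SYN/ACK via the path [300, 1600, 12000, 12001]: the inbound divert runs before check-state and the outbound divert only after the keep-state rule, so both lookups see the private address, and the dynamic hit at 01600 executes the parent rule's skipto, which is why the rule after the outbound divert is an unconditional allow and why 11999 is needed to stop traffic that matched no keep-state rule from reaching it. The reordered set is a constructed example of that pattern, not a verified fix for this thread: Daniela reports the same ruleset working before and after, and the model omits details (natd's port remapping, the LAN-side passes on rl1, the rest of the ruleset) that could change the picture on a real box.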


Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 15:06, Steve Bertrand wrote:
  On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
   Also, post the relevant ``natd'' line entries in your
 /etc/natd.conf
   file.
  
   natd.conf doesn't exist. Do you mean rc.conf? Here it is:
   natd_interface=rl0
   natd_enable=YES
  
   But I didn't change anything here, and it always worked.
 
  Indeed, I did mean rc.conf...sorry ;o)
 
  Now would be a good time to post your fw ruleset.
 
  add 00300 divert 8668 ip from any to any
  add 01300 unreach port tcp from any to any 6699
  add 01400 allow log all from any to any via lo0
  add 01600 check-state
 Well, I would hate to do this, but for testing purposes, add a rule (very
 briefly)...
  add 00300 divert 8668 ip from any to any
  add 01300 unreach port tcp from any to any 6699
  add 01400 allow log all from any to any via lo0
 add 1500 allow log logamount 1000 all from any to any
 and check to see if things are working. Your security log file may
indicate where traffic is going whether it is or not.

 Yes, it works, but of course I can't leave this rule in all the time.
The SYN/ACK packet that comes back from the remote server is denied by
rule
 01900. But it should be allowed by the check-state rule.

 Also, I know you haven't changed anything, but what does the output
from
 this command state?:
 # sysctl net.inet.ip.forwarding

 It is set to 1. I changed this a long time ago.

I figured so...what happens if you add 'keep-state' to rules 2, 20002
and 20003?

Steve









Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 15:23, Steve Bertrand wrote:
  Yes, it works, but of course I can't leave this rule in all the time.

 The SYN/ACK packet that comes back from the remote server is denied by
 rule

  01900. But it should be allowed by the check-state rule.
 
  Also, I know you haven't changed anything, but what does the output

 from

  this command state?:
  # sysctl net.inet.ip.forwarding
 
  It is set to 1. I changed this a long time ago.

 I figured so...what happens if you add 'keep-state' to rules 2, 20002
 and 20003?

Nothing.
BTW, here we have the problem: The initial SYN packet isn't matched by rule 
11700 (setup keep-state). Setup means the SYN flag is set, right? So why is 
it not matched? If I remove the setup keyword to match all outgoing 
packets, the SYN/ACK from the server is still denied by rule 01900.



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 15:23, Steve Bertrand wrote:
  Yes, it works, but of course I can't leave this rule in all the time.

 The SYN/ACK packet that comes back from the remote server is denied by
 rule

  01900. But it should be allowed by the check-state rule.
 
  Also, I know you haven't changed anything, but what does the output

 from

  this command state?:
  # sysctl net.inet.ip.forwarding
 
  It is set to 1. I changed this a long time ago.

 I figured so...what happens if you add 'keep-state' to rules 2,
 20002
 and 20003?

 Nothing.
 BTW, here we have the problem: The initial SYN packet isn't matched by
 rule
 11700 (setup keep-state). Setup means the SYN flag is set, right?

AFAIK, setup means the SYN bit MUST be set. Try these rules:

 add 01900 deny log tcp from any to any in established
add 2000 allow log all from any to any in via rl1 keep-state
add 2002 allow log all from any to any out via rl0 keep-state

 So why
 is
 it not matched? If I remove the setup keyword to match all outgoing
 packets, the SYN/ACK from the server is still denied by rule 01900.

I'll go over the ruleset again here and see if I can find a misplaced
'out' or 'in'.

Steve







Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
  I figured so...what happens if you add 'keep-state' to rules 2,
  20002
  and 20003?
 
  Nothing.
  BTW, here we have the problem: The initial SYN packet isn't matched by
  rule
  11700 (setup keep-state). Setup means the SYN flag is set, right?

 AFAIK, setup means the SYN bit MUST be set. Try these rules:
  add 01900 deny log tcp from any to any in established

 add 2000 allow log all from any to any in via rl1 keep-state
 add 2002 allow log all from any to any out via rl0 keep-state

  So why
  is
  it not matched? If I remove the setup keyword to match all outgoing
  packets, the SYN/ACK from the server is still denied by rule 01900.

 I'll go over the ruleset again here and see if I can find a misplaced
 'out' or 'in'.

Now it is getting funny. I played around with the ruleset, adding and removing 
count log rules. Suddenly it worked. I removed all extra count log rules, and 
compared the resulting ruleset file with the backup I made before. Nothing 
changed! Was that a bug?



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
  I figured so...what happens if you add 'keep-state' to rules 2,
  20002
  and 20003?
 
  Nothing.
  BTW, here we have the problem: The initial SYN packet isn't matched by
  rule
  11700 (setup keep-state). Setup means the SYN flag is set, right?

 AFAIK, setup means the SYN bit MUST be set. Try these rules:
  add 01900 deny log tcp from any to any in established

 add 2000 allow log all from any to any in via rl1 keep-state
 add 2002 allow log all from any to any out via rl0 keep-state

  So why
  is
  it not matched? If I remove the setup keyword to match all outgoing
  packets, the SYN/ACK from the server is still denied by rule 01900.

 I'll go over the ruleset again here and see if I can find a misplaced
 'out' or 'in'.

 Now it is getting funny. I played around with the ruleset, adding and
 removing
 count log rules. Suddenly it worked. I removed all extra count log rules,
 and
 compared the resulting ruleset file with the backup I made before. Nothing
 changed! Was that a bug?

I'd like to see the difference. Could you post this output? (The contents
of rules.patch).

# diff orig_rules_file new_rules_file > rules.patch

Steve







Re: Problems after IP change

2004-07-28 Thread Daniela
On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
  On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
   I figured so...what happens if you add 'keep-state' to rules 2,
   20002
   and 20003?
  
   Nothing.
   BTW, here we have the problem: The initial SYN packet isn't matched by
   rule
   11700 (setup keep-state). Setup means the SYN flag is set, right?
 
  AFAIK, setup means the SYN bit MUST be set. Try these rules:
   add 01900 deny log tcp from any to any in established
 
  add 2000 allow log all from any to any in via rl1 keep-state
  add 2002 allow log all from any to any out via rl0 keep-state
 
   So why
   is
   it not matched? If I remove the setup keyword to match all outgoing
   packets, the SYN/ACK from the server is still denied by rule 01900.
 
  I'll go over the ruleset again here and see if I can find a misplaced
  'out' or 'in'.
 
  Now it is getting funny. I played around with the ruleset, adding and
  removing
  count log rules. Suddenly it worked. I removed all extra count log rules,
  and
  compared the resulting ruleset file with the backup I made before.
  Nothing changed! Was that a bug?

 I'd like to see the difference. Could you post this output? (The contents
 of rules.patch).

 # diff orig_rules_file new_rules_file > rules.patch

Nothing! That produces an empty file.



Re: Problems after IP change

2004-07-28 Thread Steve Bertrand
 On Wednesday 28 July 2004 16:18, Steve Bertrand wrote:
  On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
   I figured so...what happens if you add 'keep-state' to rules
 2,
   20002
   and 20003?
  
   Nothing.
   BTW, here we have the problem: The initial SYN packet isn't matched
 by
   rule
   11700 (setup keep-state). Setup means the SYN flag is set, right?
 
  AFAIK, setup means the SYN bit MUST be set. Try these rules:
   add 01900 deny log tcp from any to any in established
 
  add 2000 allow log all from any to any in via rl1 keep-state
  add 2002 allow log all from any to any out via rl0 keep-state
 
   So why
   is
   it not matched? If I remove the setup keyword to match all
 outgoing
   packets, the SYN/ACK from the server is still denied by rule 01900.
 
  I'll go over the ruleset again here and see if I can find a misplaced
  'out' or 'in'.
 
  Now it is getting funny. I played around with the ruleset, adding and
  removing
  count log rules. Suddenly it worked. I removed all extra count log
 rules,
  and
  compared the resulting ruleset file with the backup I made before.
  Nothing changed! Was that a bug?

 I'd like to see the difference. Could you post this output? (The
 contents
 of rules.patch).

 # diff orig_rules_file new_rules_file  rules.patch

 Nothing! That produces an empty file.

Well, at least it's working. I have no idea what the problem could have been.

:o)

Steve




