> On Wednesday 28 July 2004 15:23, Steve Bertrand wrote:
>> > Yes, it works, but of course I can't leave this rule in all the time.
>> >
>> > The SYN/ACK packet that comes back from the remote server is denied by rule
>> > 01900. But it should be allowed by the check-state rule.
>> >
>> >> Also, I know you haven't changed anything, but what does the output from
>> >> this command state?:
>> >>
>> >> # sysctl net.inet.ip.forwarding
>> >
>> > It is set to 1. I changed this a long time ago.
>>
>> I figured so... what happens if you add 'keep-state' to rules 20000, 20002
>> and 20003?
>
> Nothing.
> BTW, here we have the problem: The initial SYN packet isn't matched by rule
> 11700 (setup keep-state). Setup means the SYN flag is set, right?

AFAIK, setup means the SYN bit MUST be set. Try these rules:

add 01900 deny log tcp from any to any in established
add 2000 allow log all from any to any in via rl1 keep-state
add 2002 allow log all from any to any out via rl0 keep-state

> So why is it not matched? If I remove the "setup" keyword to match all outgoing
> packets, the SYN/ACK from the server is still denied by rule 01900.

I'll go over the ruleset again here and see if I can find a misplaced 'out' or 'in'.

Steve

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
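As an added example, not part of the thread, the following Python model of ipfw's first-match evaluation with a dynamic (keep-state) table reproduces the symptom discussed above: a `deny ... in established` rule numbered below the check-state rule drops the returning SYN/ACK (its ACK bit makes it match `established`), while numbering check-state ahead of it lets the entry created by the `setup keep-state` rule admit the SYN/ACK. Rule numbers 01900 and 11700 are the thread's; the check-state positions, the addresses and the address-pair keying of the state table are assumptions of this model.

```python
from collections import namedtuple

SYN, ACK, RST = "SYN", "ACK", "RST"
Pkt = namedtuple("Pkt", "src dst flags direction")               # direction: "in"/"out"
Rule = namedtuple("Rule", "num action direction opt", defaults=("any", ""))

def matches(rule, pkt):
    """Static part of a rule: direction plus the 'setup'/'established' option."""
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.opt == "setup":        # SYN set, ACK clear: a new connection request
        return SYN in pkt.flags and ACK not in pkt.flags
    if rule.opt == "established":  # ACK or RST set, so a SYN/ACK matches this too
        return bool(pkt.flags & {ACK, RST})
    return True

def in_state(pkt, state):
    return (pkt.src, pkt.dst) in state or (pkt.dst, pkt.src) in state

def evaluate(rules, pkt, state):
    """First-match walk. The dynamic (keep-state) table is only consulted when
    the walk reaches a check-state or keep-state rule, as in ipfw."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.action == "check-state" or "keep-state" in r.action:
            if in_state(pkt, state):
                return r.num, "allow"
        if r.action == "check-state" or not matches(r, pkt):
            continue
        if "keep-state" in r.action:
            state.add((pkt.src, pkt.dst))  # create the dynamic entry (assumed: keyed by address pair)
            return r.num, "allow"
        return r.num, r.action
    return 65535, "deny"               # implicit default rule

def handshake(rules):
    """Client SYN goes out, server SYN/ACK comes back in; return the verdict
    on the SYN/ACK. Addresses are constructed sample values."""
    state = set()
    syn = Pkt("192.168.1.10", "203.0.113.5", frozenset({SYN}), "out")
    synack = Pkt("203.0.113.5", "192.168.1.10", frozenset({SYN, ACK}), "in")
    evaluate(rules, syn, state)
    return evaluate(rules, synack, state)

# check-state numbered after the deny: the SYN/ACK dies at 01900 (the thread's symptom)
BROKEN = [Rule(1900, "deny", "in", "established"), Rule(10000, "check-state"),
          Rule(11700, "allow keep-state", "out", "setup")]
# check-state ahead of 01900: the entry created by rule 11700 admits the SYN/ACK
FIXED = [Rule(1000, "check-state"), Rule(1900, "deny", "in", "established"),
         Rule(11700, "allow keep-state", "out", "setup")]
```

Calling `handshake(BROKEN)` returns the deny from rule 1900, `handshake(FIXED)` the allow from the check-state rule at 1000.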