On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
> >> I figured so...what happens if you add 'keep-state' to rules 20000,
> >> 20002 and 20003?
> >
> > Nothing.
> >
> > BTW, here we have the problem: The initial SYN packet isn't matched by
> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
>
> AFAIK, setup means the SYN bit MUST be set. Try these rules:
>
> add 01900 deny log tcp from any to any in established
>
> add 2000 allow log all from any to any in via rl1 keep-state
> add 2002 allow log all from any to any out via rl0 keep-state
>
> > So why is it not matched? If I remove the "setup" keyword to match all
> > outgoing packets, the SYN/ACK from the server is still denied by rule
> > 01900.
>
> I'll go over the ruleset again here and see if I can find a misplaced
> 'out' or 'in'.
Now it is getting funny. I played around with the ruleset, adding and removing count log rules. Suddenly it worked. I removed all extra count log rules, and compared the resulting ruleset file with the backup I made before. Nothing changed! Was that a bug?

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
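The thread turns on how ipfw's `setup`, `established` and `keep-state` keywords interact with rule order. The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of the documented ipfw semantics (`established` = TCP with ACK or RST set; `setup` = SYN set and ACK clear; `keep-state` records a dynamic entry, and the dynamic table is consulted at the first `check-state` or `keep-state` rule the packet reaches, taking the parent rule's action). It walks a TCP handshake through the three rules Steve posted (1900 deny established, 2000/2002 keep-state) and through the same rules with a `check-state` placed ahead of rule 1900. Interface qualifiers (`via rl0`/`rl1`), logging and the 5-tuple keying of real dynamic rules are simplified away; the addresses and rule numbers used are constructed. The model does not attempt to explain why the poster's unchanged ruleset later worked.

```python
"""
Toy model of ipfw rule evaluation for 'setup', 'established',
'keep-state' and 'check-state'. Constructed for illustration only;
this is NOT ipfw code. Assumed semantics (ipfw documentation):
  - established: TCP packet with ACK or RST set
  - setup:       TCP packet with SYN set and ACK clear
  - keep-state:  on match, record a dynamic entry for the flow
  - dynamic entries are consulted at the first check-state or
    keep-state rule a packet reaches; on a hit, the parent rule's
    action is taken without looking at later rules
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str          # "in" or "out"
    flags: frozenset        # subset of {"SYN", "ACK", "RST"}


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # "in", "out" or None for either
    setup: bool = False
    established: bool = False
    keep_state: bool = False
    check_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Static match: direction plus the TCP-flag keywords."""
        if self.direction and self.direction != pkt.direction:
            return False
        if self.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        # Simplified flow key (unordered address pair) -> parent rule
        self.dynamic = {}

    @staticmethod
    def flow_key(pkt: Packet) -> frozenset:
        return frozenset({pkt.src, pkt.dst})

    def evaluate(self, pkt: Packet) -> Tuple[int, str]:
        """Return (rule number, action) of the rule that decides pkt."""
        for rule in self.rules:
            if rule.check_state or rule.keep_state:
                parent = self.dynamic.get(self.flow_key(pkt))
                if parent is not None:
                    return parent.number, parent.action
                if rule.check_state:
                    continue        # check-state has no static match
            if rule.matches(pkt):
                if rule.keep_state:
                    self.dynamic[self.flow_key(pkt)] = rule
                return rule.number, rule.action
        return 65535, "deny"        # implicit default rule


def run_handshake(rules):
    """Outgoing SYN then the server's SYN/ACK; constructed addresses."""
    fw = Firewall(rules)
    syn = Packet("10.0.0.2", "192.0.2.1", "out", frozenset({"SYN"}))
    synack = Packet("192.0.2.1", "10.0.0.2", "in", frozenset({"SYN", "ACK"}))
    return fw.evaluate(syn), fw.evaluate(synack)


# The three rules as posted: deny established sits ahead of keep-state
posted = [
    Rule(1900, "deny", direction="in", established=True),
    Rule(2000, "allow", direction="in", keep_state=True),
    Rule(2002, "allow", direction="out", keep_state=True),
]

# Same rules with a check-state placed before the deny (hypothetical number)
with_check = [Rule(1000, "allow", check_state=True)] + posted

if __name__ == "__main__":
    print("posted    :", run_handshake(posted))      # SYN/ACK hits 1900 deny
    print("check first:", run_handshake(with_check))  # SYN/ACK allowed via state
```

In the posted ordering the outgoing SYN creates state at 2002, but the returning SYN/ACK carries the ACK bit, so rule 1900 (`in established`) matches it before any state-aware rule is reached; that is the symptom reported in the quoted message. With a `check-state` ahead of the deny, the same SYN/ACK is matched against the dynamic entry first and inherits the parent rule's allow. The general point for reviewing a ruleset: a blanket `deny ... established` placed before the first `check-state`/`keep-state` rule will drop every reply to a stateful flow.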