> On Wednesday 28 July 2004 15:53, Steve Bertrand wrote:
>> >> I figured so...what happens if you add 'keep-state' to rules 20000,
>> >> 20002 and 20003?
>> >
>> > Nothing.
>> > BTW, here we have the problem: The initial SYN packet isn't matched by
>> > rule 11700 (setup keep-state). Setup means the SYN flag is set, right?
>>
>> AFAIK, setup means the SYN bit MUST be set. Try these rules:
>> > add 01900 deny log tcp from any to any in established
>>
>> add 2000 allow log all from any to any in via rl1 keep-state
>> add 2002 allow log all from any to any out via rl0 keep-state
>>
>> > So why is it not matched? If I remove the "setup" keyword to match all
>> > outgoing packets, the SYN/ACK from the server is still denied by rule 01900.
>>
>> I'll go over the ruleset again here and see if I can find a misplaced
>> 'out' or 'in'.
>
> Now it is getting funny. I played around with the ruleset, adding and
> removing count log rules. Suddenly it worked. I removed all extra count log
> rules, and compared the resulting ruleset file with the backup I made
> before. Nothing changed! Was that a bug?

I'd like to see the difference. Could you post this output? (The contents
of rules.patch).

# diff orig_rules_file new_rules_file > rules.patch

Steve

>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
>
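As an added example (not code from the thread or from ipfw itself), a small Python model of what the thread is arguing about: how ipfw classifies TCP flags for "setup" and "established", and where in the ordered ruleset the dynamic table created by keep-state is consulted. It assumes ipfw's documented behaviour (setup = SYN set and ACK clear; established = ACK or RST set; dynamic lookup happens at the first check-state or keep-state rule); rules 01900 and 11700 are the ones quoted above, while rule 01800, the addresses and the packets are constructed.

```python
# Added model (not from the thread) of how ipfw evaluates "setup",
# "established" and the dynamic (keep-state) table for the rules quoted above.
# Assumptions: setup = SYN set and ACK clear; established = ACK or RST set;
# the dynamic table is consulted at the first check-state or keep-state rule;
# state is keyed on (src, dst) only, a simplification of ipfw's 5-tuple.
SYN, ACK, RST = 0x02, 0x10, 0x04

def is_setup(flags):
    return bool(flags & SYN) and not flags & ACK

def is_established(flags):
    return bool(flags & (ACK | RST))

def run(rules, packets):
    """Walk packets through ordered (num, action, dir, kind, keep_state)
    rules; return one (action, rule_number) verdict per packet."""
    dynamic, verdicts = set(), []
    for pkt in packets:
        verdict = None
        for num, action, direction, kind, keep in rules:
            if keep or kind == "check-state":          # dynamic lookup point
                key = (pkt["src"], pkt["dst"])
                if key in dynamic or key[::-1] in dynamic:
                    verdict = ("allow", num)           # creator rule was allow
                    break
            if kind == "check-state" or direction != pkt["dir"]:
                continue
            if kind == "setup" and not is_setup(pkt["flags"]):
                continue
            if kind == "established" and not is_established(pkt["flags"]):
                continue
            if keep and action == "allow":             # create dynamic entry
                dynamic.add((pkt["src"], pkt["dst"]))
            verdict = (action, num)
            break
        verdicts.append(verdict or ("deny", 65535))    # implicit default deny
    return verdicts

# Constructed traffic: outbound SYN from the client, SYN/ACK reply from server.
HANDSHAKE = [
    {"src": "10.0.0.2", "dst": "192.0.2.1", "dir": "out", "flags": SYN},
    {"src": "192.0.2.1", "dst": "10.0.0.2", "dir": "in", "flags": SYN | ACK},
]
# Rules 01900 and 11700 as quoted in the thread; 01800 check-state is assumed.
AS_POSTED = [(1900, "deny", "in", "established", False),
             (11700, "allow", "out", "setup", True)]
WITH_CHECK_STATE = [(1800, "check-state", "any", "check-state", False)] + AS_POSTED

if __name__ == "__main__":
    print(run(AS_POSTED, HANDSHAKE))          # SYN/ACK denied by 1900
    print(run(WITH_CHECK_STATE, HANDSHAKE))   # SYN/ACK allowed via dynamic entry
```

With the rules in the posted order the returning SYN/ACK reaches rule 01900 before any rule that consults the dynamic table, which is the symptom reported above; the second ruleset shows the effect of a lookup point placed ahead of it.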
