On Wed, Jul 28, 2004 at 03:48:17PM +0000, Daniela wrote:
> On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
> > >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
> > >> file.
> > >
> > > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
> > > natd_interface="rl0"
> > > natd_enable="YES"
> > >
> > > But I didn't change anything here, and it always worked.
> >
> > Indeed, I did mean rc.conf...sorry ;o)
> >
> > Now would be a good time to post your fw ruleset.
>
> add 00300 divert 8668 ip from any to any
> add 01300 unreach port tcp from any to any 6699
> add 01400 allow log all from any to any via lo0
> add 01600 check-state
>
> add 01700 allow log logamount 1000 tcp from any to me 22 in setup keep-state
> add 01701 allow log logamount 1000 tcp from me 22 to any out

I believe this is matching all your outgoing ssh connections, but not
keeping state, so the outgoing SYN packets get accepted, but the incoming
SYN/ACK packets get rejected when they hit rule 1900 below.

> add 01702 allow log logamount 1000 tcp from any to me 21 in setup keep-state
> add 01703 allow log logamount 1000 tcp from me 21 to any out

Same with ftp. Were those the only protocols that didn't work, or did
nothing work?

> add 01900 deny log tcp from any to any in established
>
> add 11700 allow tcp from any to any out setup keep-state
> add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
> add 11702 allow udp from any to 212.33.32.160 53
> add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
> add 11704 allow udp from any to 212.33.55.5 53
> add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0
>
> add 11801 allow icmp from any to any icmptypes 3
> add 11802 allow icmp from any to any icmptypes 4
> add 11803 allow icmp from any to any icmptypes 8 out
> add 11804 allow icmp from any to any icmptypes 0 in
> add 11805 allow icmp from any to any icmptypes 9 out
> add 11806 allow log icmp from any to any icmptypes 11 in
> add 11807 allow log icmp from any to any icmptypes 11 out
>
> add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
> add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
> add 11902 allow all from me to 224.0.0.2/24 out via rl0
> add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
> add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
> add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
> add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
> add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
> add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
> add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
> add 11910 allow ip from any to 224.0.0.9/24 in via rl0
>
>
> add 20000 allow all from 10.0.0.0/24 to any in recv rl1
> add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
> add 20002 count log all from 10.0.0.0/24 to any
> add 20003 count log all from any to 10.0.0.0/24
>
>
> add 65534 deny log ip from any to any

-- 
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime.
Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
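The stateful-versus-stateless point made in the reply above, as an added example that is not from the thread: a small Python model of ipfw's setup/established/keep-state/check-state matching, run over a constructed outbound SSH handshake. It assumes a reduced ruleset that reuses the thread's rule numbers only as labels and ignores address and port matching.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed packet: direction is "in" or "out", syn/ack are the TCP flags.
Packet = namedtuple("Packet", "src sport dst dport direction syn ack")

@dataclass
class Rule:
    num: int
    action: str                 # "allow", "deny" or "check-state"
    direction: str = ""         # "in", "out" or "" for either
    setup: bool = False         # ipfw "setup": SYN set, ACK clear
    established: bool = False   # ipfw "established": ACK set
    keep_state: bool = False    # create a dynamic rule for this flow

    def matches(self, p):
        return ((not self.direction or p.direction == self.direction)
                and (not self.setup or (p.syn and not p.ack))
                and (not self.established or p.ack))

def run(rules, packets):  # returns the action taken for each packet, in order
    dynamic = set()  # flows (src, sport, dst, dport) that have a dynamic rule
    verdicts = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        for r in rules:
            if r.action == "check-state":
                if fwd in dynamic or rev in dynamic:  # reply of a known flow
                    verdicts.append("allow")
                    break
                continue
            if r.matches(p):
                if r.keep_state:
                    dynamic.add(fwd)
                verdicts.append(r.action)
                break
        else:
            verdicts.append("deny")  # implicit default rule 65535
    return verdicts

# Constructed traffic: our SYN to a remote sshd, then its SYN/ACK coming back in.
SYN = Packet("me", 4321, "peer", 22, "out", syn=True, ack=False)
SYNACK = Packet("peer", 22, "me", 4321, "in", syn=True, ack=True)
# Rule numbers reuse the thread's labels; address/port matching is omitted.
STATELESS = [Rule(1600, "check-state"), Rule(1701, "allow", "out"),
             Rule(1900, "deny", "in", established=True)]
STATEFUL = [Rule(1600, "check-state"),
            Rule(1701, "allow", "out", setup=True, keep_state=True),
            Rule(1900, "deny", "in", established=True)]
```

With the stateless "allow out" rule the SYN leaves but the SYN/ACK is denied by the "in established" rule; adding setup keep-state lets check-state pass the reply.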